If you add a proguard option -printconfiguration config.txt you’ll see proguard adds
-libraryjars ‘D:\tools\android\platforms\android-23\android.jar’
-libraryjars ‘D:\tools\android\platforms\android-23\optional\org.apache.http.legacy.jar’
your duplicated classes (e.g. SslError) are presented in both android.jar and org.apache.http.legacy.jar
Proguard adds second jar even if you don’t useLibrary 'org.apache.http.legacy'
Here is an open bug describing the problem.
So now we can’t do anything with the issue. Just ignore it:
-dontnote android.net.http.*
-dontnote org.apache.commons.codec.**
-dontnote org.apache.http.**
There is no need to keep the classes as long as they are located in library jar (phone’s library actually).
dontwarn doesn’t work because it’s not a warning, it’s a note.