I am using android nv-websocket-client library (both 2.0 and 1.31 versions) and I am trying to open a wss: connection; however, the connection fails with 503 Service not available error message.
Upon investigating I found that HAProxy requires the clients to use the SNI extension, otherwise such error is returned regardless of the Host: header (I am using HAProxy as a loadbalancer).
Upon investigating further (with tcpdump/wireshark) I found that the client does not send SNI, a wrong certificate is returned (for a different domain), yet the client continues with the TLS connection and actually sends the HTTP request (as if no certificate checking was performed?).
My code is basically:
ws = new WebSocketFactory().createSocket(wsurl);
ws.addHeader("Authorization", "Bearer " + Config.getToken());
ws.addListener(this);
ws.connectAsynchronously();
I didn't find an easy way to set up the SSLSocketFactory, however it seems to me that the code in nv-websocket-client just uses the SSLSocketFactory.getDefault(), which should be correct? SSLCertificateSocketFactory seems to be deprecated in favour of this approach.
Am I missing some key piece about SSL setup, is this and Android bug or is this and Android 'feature'?
Related
Having read some docs and all examples I could find, I do not see a very simple example of connecting by SSL to 8883. It was very simple to create the HiveMQ client on Android to connect to the broker at mosquito.org, port 1883. But using credentials that I generated there, when trying to connect to port 8883 fails and this log message is seen:
MacAddressUtil com.example.tryhive W Failed to find a usable hardware address from the network interfaces; using random bytes: f4:51:aa:f9:c6:c8:9d:fa
I am just following simple examples for client creation:
mqttClient = MqttClient.builder()
.useMqttVersion3()
.identifier(“MyID”)
.serverHost("test.mosquitto.org")
.serverPort(8883)
.sslConfig()
.keyManagerFactory(managers.kmf)
.trustManagerFactory(managers.tmf)
.applySslConfig()
.buildAsync()
The key manager and trust manager factories, built with the credentials created at mosquito.org work to make a TLS connection using the Paho MqttAndroidClient in a different Android app - should I post those here as well anyway?
I tried to use a similar serverHost as done with Paho client:
.serverHost("ssl://test.mosquitto.org")
.serverPort(8883)
But that results in an exception being thrown in Netty.
Also interesting to note is that when I first ran the non-secure client, I inadvertently left in the uri used with Paho Client, so this:
.serverHost(“tcp://test.mosquitto.org”)
.serverPort(1883)
And that as well caused the connection to fail with the same MacAddressUtil log above:
MacAddressUtil com.example.tryhive W Failed to find a usable hardware address from the network interfaces; using random bytes: f4:51:aa:f9:c6:c8:9d:fa
That is why I didn’t clutter this post with the code that creates the Key and Trust Manager Factories passed to the sslConfig() - it seems that the error is somewhere else.
Please share any sample code that works for you or lessons you learned wrt this using HiveMQ yourself.
Update 2022/12/05:
Suspecting an issue in Netty, I've tried using their latest release to no avail:
dependencies {
implementation 'com.hivemq:hivemq-mqtt-client:1.3.0'
implementation(platform("io.netty:netty-bom:4.1.85.Final"))
Still cannot connect with HiveMQ client to any mosquitto secure ports: 8883, 8884, or 8885.
So I tried to go in through the websocket interface with this:
implementation 'com.hivemq:hivemq-mqtt-client-websocket:1.3.0'
and of course adding to the MqttClient.builder():
.webSocketWithDefaultConfig()
Then it connects without .sslConfig() to mosquitoo port 8080
But then enabling SSL, connections fail to ports 8081, 8090 & 8091
I know that this seems to point more to an error in my implementation of the KeyManagerFactory and/or the TrustManagerFactory, but the identical code to build them is used in an app that uses the Paho client, and secure connection succeeds.
I'm trying to create a websocket connection to my Phoenix app from an Android client. I'm trying to use this library but I'm running into this issue and I'm unable to successfully join a channel.
Upon reviewing the source code of the above java phoenix client library, it looks like the initial request from the client to connect to the socket is made with http schema and not ws (the source code explicitly changes the provided url to make sure it always uses http). It's not clear to me how this would work without additional configuration in my Phoenix app: if a socket connect request is made to http://localhost:4000/socket, the request will fail because there is no route for /socket when the schema is http.
There's nothing in the library docs that says any additional config is required in my Phoenix app to make this work, but I don't see how it could work for the reason stated above.
Does a Phoenix app have built in handling for the connection upgrade, etc, required on handshake as specified here?
As a note, I have no issues making websocket connections from my javascript web client to my Phoenix backend.
Any suggestions are appreciated!
Have you tried using the default path for a channel http://localhost:4000/socket/websocket ?
I've been struggling with HTTPS requests in a Kivy app tied to an API hosted through AWS API Gateway. First, I moved from Python3 to 2 and then from the requests library to kivy's URLRequest.
The app works fine on my linux desktop. When I made the API request with the requests library I got an SSL error: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I moved to using URLRequest, which seems to be having the same SSL error as requests was. Arguments passed into the URLRequest error callback are: (, SSLError(1, '_ssl.c:503: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'))
I found this stackoverflow question: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure [Kivy]
Which implies this has to do with outdated python versions.
Is it just a Kivy android app is incapable of communicating with an AWS API Gateway?
Buildozer .spec lines:
requirements = hostpython2, kivy, future, python-dateutil, openssl, pyopenssl, jmespath, botocore, boto3, requests
android.permissions = INTERNET
UPDATE: I tested a HTTPS GET request with the URL https://kivy.org/logos/kivy-logo-black-64.png. This completed successfully in the Android App. This problem seems to be specific to the SSL version used by AWS API Gateway
UPDATE2: Kivy on Android also works fine with Google Cloud Platform's cloud functions HTTPS endpoints. Even more evidence this issue is specifically tied to AWS API Gateway.
Make sure your .spec file has internet permissions. Also I believe you need 'hostpython2' in your requirements if you are using python2. Im not sure if any of the requirements you have in there are python 2 or 3 dependent but make sure they work for python 2 if that's what your using. Also I dont think you need the [security] in your requests requirement. Try just putting 'requests' also u might try installing sqlite and adding g that into your requirements as well.
I'm trying to open a secure websocket connection from a Xamarin Android application to an IIS server. It works fine and dandy on every device I've ever used except Samsung Tab E. Even other Samsung devices work fine.
I'm using the Websockets.PCL library and the regular code:
var _webSocket = WebSocketFactory.Create();
_webSocket.OnOpened += _webSocket_Opened;
_webSocket.OnError += _webSocket_Error;
_webSocket.Open("wss://server.name.here/path/also/");
In this case the error handler is called with:
[websockets] javax.net.ssl.SSLException
[websockets] javax.net.ssl.SSLException: Error occured in delegated task:javax.net.ssl.SSLException: Unexpected exception
The device has no issues with SSL connections via Chrome or other apps, not to this server or others. It also has no issues connecting via SignalR to the same IIS server from this application.
It does have an issue when another third party library is trying to check license from a separate website and an error is logged:
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x803b3b28: Failure in SSL library, usually a protocol error
I don't know which address it's trying to contact so can't check what is happening there. But this also works from other devices.
This leads me to believe the Android in the Tab E (v4.4.4, latest available) has something wrong with its SSL implementation since these two connection attempts through javax.net.ssl are failing. But the unexpected exception isn't giving much information.
How to get around this? I wouldn't mind using the websockets implementation SignalR uses (since it works), but as far as I know it's not really exposed as a general use system ready to use.
Additional info
The server does talk TLS1 nicely and sends the whole certificate path as far as I know it, so that shouldn't be the issue, unless the root isn't known (and I would expect to get the handshake failure if that was the case). Testing with openssl shows:
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=our.domain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Unfortunately openssl doesn't support the ´-ssl2` flag anymore. Online tools say that SSL2 is disabled, SSL3, TLS1, TLS1.1 and TLS1.2 are enabled.
I could try the custom SSLSocketFactory route but have to see how it would go through Xamarin and Websockets.PCL.
I found a solution for my case after searching for SSL issues in Android. Florian Krauthan has written about these things and talks about using the SSLSocketFactory on Android 4.1+ to allow use of TLS1.1 etc.
This led me to another post where he explains how Google Play Services can be used to inject a newer OpenSSL library into the whole application. This method also worked for my issue.
The only thing that needs to be done is to add the following code to the beginning of the main activity's OnCreate() method:
Android.Gms.Security.ProviderInstaller.InstallIfNeeded(this);
After this the application will use Google Play Services' OpenSSL library so all connections work without issues and possible known bugs in the built-in Android OpenSSL library get mitigated since a newer version is used.
Of course this might not be a solution for anyone not already using Google Play Services since it increases the application size tremendously.
I have two domains: foo.net and bar.com. They both have SSL certificates, and they work well in all desktop and mobile browsers. They are hosted on the same server configured with nginx.
However, when I make a request to a domain from within a native android app, it somehow gets the certificate from the wrong domain! This results in an IO Exception:
request = new HttpPost("https://foo.net/api/v1/baz");
request.setHeader("Authorization", "user:pass");
response = httpClient.execute(request);
...
javax.net.ssl.SSLException: hostname in certificate didn't match: <foo.net> != <bar.com> OR <bar.com> OR <www.bar.com>
What would cause android/java to try using the certificate from bar.com when every other measure seems to indicate that the server is correctly configured? Nothing appears in the nginx access or error log. There is no mention of bar.com anywhere in my android project.
Edit: I'm not sure why, but it appears that the server is using the certificate for bar.com for the server IP https://198.245.xx.xxx
The most likely cause for this problem is that the server uses Server Name Indication to choose which certificate to send. If the client doesn't support SNI, the server cannot choose which certificate to send during the SSL/TLS handshake (before any HTTP traffic is sent). SNI is required when you want to use multiple certificates on the same IP address and port, but not all clients support it (notoriously, IE on any version of Windows XP, and a number of mobile browsers).
You're also visibly using the Apache HTTP Client library (not HttpsURLConnection, for which there can be SNI support with some Android versions.
Support for SNI in the Apache HTTP Client library is quite recent, and certainly hasn't made it into the Android stack.
You may find the workaround described in this article useful (although it seems only to work for Android 4.2+).
Another two options would be:
to use a distinct IP address for each host (so as not to need SNI), if you're in control of server, or
to use another HTTP Client library (e.g. HttpsURLConnection).
A solution for Apache, more like a trick:
the SSL certificates are loaded based on the vhost name from /etc/apache2/sites-enabled. So, to trick that check make sure the problematic certificate is loaded first (remember that the vhosts are loaded by name).
It looks like the certificate of foo.net is misconfigured, and is using the same hostname as bar.com
Try to run an online certificate validation tool, like https://www.digicert.com/help/ on foo.net, just to be sure.
I think that you need to regenerate the certificate of foo.net with the right hostname, or reconfigure ngix to make sure that nginx serve the right certificate for the right host.