Titanium JIRA Archive
Appcelerator Modules (MOD)

[MOD-2209] Android : Appcelerator HTTPS Module throwing error

GitHub Issue: n/a
Type: Bug
Priority: Critical
Status: Closed
Resolution: Duplicate
Resolution Date: 2016-10-31T17:50:59.000+0000
Affected Version/s: Release 5.2.0, Release 5.1.2
Fix Version/s: n/a
Components: n/a
Labels: n/a
Reporter: Aminul Islam
Assignee: Gary Mathews
Created: 2016-03-07T18:47:25.000+0000
Updated: 2018-08-06T17:41:07.000+0000

Description

Hi, when we run our app with the "Appcelerator HTTPS Module" on Android (Android 5.0.2), it throws errors. Error log:
[ERROR] :  TiHTTPClient: (TiHttpClient-2) [11862,19699] HTTP Error (javax.net.ssl.SSLHandshakeException): Leaf certificate could not be verified with provided public key
[ERROR] :  TiHTTPClient: javax.net.ssl.SSLHandshakeException: Leaf certificate could not be verified with provided public key
[ERROR] :  TiHTTPClient: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:322)
[ERROR] :  TiHTTPClient: at com.android.okhttp.Connection.upgradeToTls(Connection.java:1257)
[ERROR] :  TiHTTPClient: at com.android.okhttp.Connection.connect(Connection.java:1188)
[ERROR] :  TiHTTPClient: at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:395)
[ERROR] :  TiHTTPClient: at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:298)
[ERROR] :  TiHTTPClient: at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:399)
[ERROR] :  TiHTTPClient: at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:349)
[ERROR] :  TiHTTPClient: at com.android.okhttp.internal.http.HttpURLConnectionImpl.getHeaderField(HttpURLConnectionImpl.java:165)
[ERROR] :  TiHTTPClient: at java.net.URLConnection.getHeaderFieldInt(URLConnection.java:543)
[ERROR] :  TiHTTPClient: at java.net.URLConnection.getContentLength(URLConnection.java:315)
[ERROR] :  TiHTTPClient: at com.android.okhttp.internal.http.DelegatingHttpsURLConnection.getContentLength(DelegatingHttpsURLConnection.java:146)
[ERROR] :  TiHTTPClient: at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getContentLength(HttpsURLConnectionImpl.java:25)
[ERROR] :  TiHTTPClient: at ti.modules.titanium.network.TiHTTPClient.handleResponse(TiHTTPClient.java:159)
[ERROR] :  TiHTTPClient: at ti.modules.titanium.network.TiHTTPClient.access$1200(TiHTTPClient.java:85)
[ERROR] :  TiHTTPClient: at ti.modules.titanium.network.TiHTTPClient$ClientRunnable.run(TiHTTPClient.java:1207)
[ERROR] :  TiHTTPClient: at java.lang.Thread.run(Thread.java:818)
[ERROR] :  TiHTTPClient: at appcelerator.https.PinningTrustManager.checkServerTrusted(PinningTrustManager.java:84)
[ERROR] :  TiHTTPClient: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:116)
[ERROR] :  TiHTTPClient: at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:550)
[ERROR] :  TiHTTPClient: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
[ERROR] :  TiHTTPClient: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318)

Attachments

File | Date | Size
downloader.js | 2016-05-26T04:23:37.000+0000 | 5851

Comments

  1. Chee Kiat Ng 2016-03-08

    Hi, is there code to reproduce this?
  2. Aminul Islam 2016-03-08

    Hi, please use the example code in the module folder. You can also use the sample code from the Appcelerator documentation. Thanks
  3. Ashraf Abu 2016-03-23

    [~aislam] Can you test it with another website/link that uses another certificate (der)? The error you're getting is the authentication failing. Would other links and certs work? If it's throwing an error, it could be that the certificate does not match any more. Which is how it's supposed to work and its function.
  4. Ashraf Abu 2016-05-03

    Upon further investigation, I find no issues with this ticket. First you need to check that the certificate is correct with one of the following commands:

       openssl x509 -in certificatefile.cer -noout -text
       openssl x509 -inform pem -in certificatefile.cer -noout -text
       openssl x509 -inform der -in certificatefile.cer -noout -text

    From here, you can look into the certificate to ensure it's the correct certificate. Ensure that the validity is correct and it is for the correct website. Once that's done you can continue as mentioned in the demo code. Demo code as follows:
       
       // Pin each URL to a certificate file bundled with the app. The americanexpress
       // entry deliberately points at the wrong certificate, so that request must fail.
       var https = require('appcelerator.https');
       var securityManager = https.createX509CertificatePinningSecurityManager([
           {
               url: "https://www.wellsfargo.com",
               serverCertificate: "wells.cert"
           },
           {
               url: "https://www.americanexpress.com",
               serverCertificate: "wells.cert"
           }
       ]);
       
       
       var win = Titanium.UI.createWindow({  
           title: 'Pin Example',
           backgroundColor: 'white'
       });
       
       var view = Ti.UI.createView({
           backgroundColor: 'white',
           layout: 'vertical',
           width: Ti.UI.SIZE,
           height: Ti.UI.SIZE,
           top:20
       });
       
       var button1 = Titanium.UI.createButton({
           title: 'Load wellsfargo',
           color: 'green',
           top:20,
       });
       
       var button2 = Titanium.UI.createButton({
           title: 'Load americanexpress',
           color: 'red',
           top:20,
       });
       
       var button3 = Titanium.UI.createButton({
           title: 'Load appcelerator',
           color: 'blue',
           top:20,
       });
       
       
       var label1 = Titanium.UI.createLabel({
           text: 'Desc:',
           color: 'black',
           top:20,
       });
       
       var label2 = Titanium.UI.createLabel({
           text: 'Status:',
           color: 'black',
           top:20,
       });
       
       view.add(button1);
       view.add(button2);
       view.add(button3);
       view.add(label1);
       view.add(label2);
       
       win.add(view);
       win.open();
       
       
       
       function getXHR(url) {
           var xhr = Ti.Network.createHTTPClient({
               onload: function(e) {
                   label2.text = 'onload called. Request succeeded';
               },
               onerror: function(e) {
                   label2.text = 'onerror called. Request failed.';
               },
               timeout : 30000,
               securityManager: securityManager
           });
           
           xhr.open('GET',url);
           
           return xhr;
       }
       
       var wf = "https://www.wellsfargo.com";
       var amex = "https://www.americanexpress.com";
       var appc = "https://dashboard.appcelerator.com";
       
       button1.addEventListener('click',function(e){
           var xhr = getXHR(wf);
           label1.text = 'SecurityManager is configured correctly for this request. Request must succeed. ';
           label1.color = 'green';
           xhr.send();
       });
       button2.addEventListener('click',function(e){
           var xhr = getXHR(amex);
           label1.text = 'SecurityManager is configured incorrectly for this request. Request must fail. ';
           label1.color = 'red';
           xhr.send();
       });
       button3.addEventListener('click',function(e){
           var xhr = getXHR(appc);
           label1.text = 'SecurityManager does not participate in the validation of this request.';
           label1.color = 'blue';
           xhr.send();
       });
       
       
    Note: If the certificate is no longer valid, it WILL throw an error. Please use a valid certificate. To inspect the certificate, use the commands mentioned earlier in this comment. A GeoTrust cert will work.
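Added example, not part of the original comment or of the appcelerator.https module: a shell check that the bundled certificate has not expired and that its public key equals that of the leaf certificate the server presents. It assumes the pin is compared against the leaf's public key, as the error message suggests; the function names and the `presented.pem` file name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: compare a bundled (pinned) certificate with the leaf a server
# presents. To save the presented leaf first (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null \
#     | openssl x509 -outform pem > presented.pem

# Echo "pem" or "der" depending on which encoding openssl can parse.
cert_form() {
    if openssl x509 -inform pem -in "$1" -noout 2>/dev/null; then echo pem
    elif openssl x509 -inform der -in "$1" -noout 2>/dev/null; then echo der
    else return 1
    fi
}

# SHA-256 of the certificate's SubjectPublicKeyInfo, hex encoded.
pubkey_sha256() {
    local form
    form=$(cert_form "$1") || return 1
    openssl x509 -inform "$form" -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 on match, 1 on key mismatch, 2 if a file is unreadable,
# 3 if the pinned certificate has expired.
check_pin() {
    local pinned="$1" presented="$2" form a b
    form=$(cert_form "$pinned") || { echo "unreadable: $pinned"; return 2; }
    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -inform "$form" -in "$pinned" -noout -checkend 0 >/dev/null \
        || { echo "expired: $pinned"; return 3; }
    a=$(pubkey_sha256 "$pinned")
    b=$(pubkey_sha256 "$presented") || { echo "unreadable: $presented"; return 2; }
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo "match: $a"; return 0; fi
    echo "mismatch: pinned=$a presented=$b"
    return 1
}

# Usage: script.sh pinned.cer presented.pem
if [ "$#" -eq 2 ]; then check_pin "$1" "$2"; fi
```

A mismatch here means the server has rotated its key or the wrong file was bundled, which is the condition the pinning manager is designed to reject.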
  5. Ashraf Abu 2016-05-03

    If there are no more issues, will be resolving this ticket.
  6. Ashraf Abu 2016-05-05

    [~rmitro] Any updates on your end?
  7. Ashraf Abu 2016-05-19

    I'm gonna resolve this ticket as there are no updates.
  8. Gary Mathews 2016-10-26

  9. Eric Merriman 2018-08-06

    Closing as a duplicate. If this is in error, please reopen.
