{ "id": "162898", "key": "MOD-2293", "fields": { "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false }, "project": { "id": "10034", "key": "MOD", "name": "Appcelerator Modules", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [ { "id": "18390", "name": "https 2.0.1", "archived": false, "released": true }, { "id": "18396", "name": "https 1.1.4", "archived": false, "released": true } ], "resolution": { "id": "1", "description": "A fix for this issue is checked into the tree and tested.", "name": "Fixed" }, "resolutiondate": "2016-10-18T07:04:34.000+0000", "created": "2016-08-31T04:48:44.000+0000", "priority": { "name": "Critical", "id": "1" }, "labels": [ "HTTPS", "Module", "SSL" ], "versions": [], "issuelinks": [ { "id": "52852", "type": { "id": "10003", "name": "Relates", "inward": "relates to", "outward": "relates to" }, "inwardIssue": { "id": "162853", "key": "MOD-2295", "fields": { "summary": "Appcelerator HTTPS module not working with android device", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "priority": { "name": "Critical", "id": "1" }, "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false } } } } ], "assignee": { "name": "jvennemann", "key": "jvennemann", "displayName": "Jan Vennemann", "active": true, "timeZone": "Europe/Berlin" }, "updated": "2018-08-06T17:49:19.000+0000", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [ { "id": "15019", "name": "Https" } ], "description": "I don't know who else to contact in regards of this critical issue, so I'm opening this ticket to report a problem that has a important impact on an app that uses the HTTPs module. \r\n\r\nWe've recently tested our app against MITM attacks and found out that all the packets exchanged from the app to the servers are traceable and not encrypted.\r\nThis is a serious issue because the app is breaching agreements between several data providers / parties.We believe that you can understand the gravity of this problem and that it must be resolved.\r\n\r\nAccording your Terms and Conditions for your Team Account Plan purchased last year, a VIP support was offered. Therefore we expect your team to address this issue urgently.\r\n\r\nThe code below used within our App creates a Security Manager for HTTP requests:\r\n\r\n{code:java}\r\nvar https = require('appcelerator.https');\r\n\r\nvar securityManager = https.createX509CertificatePinningSecurityManager([\r\n {\r\n url: \"https://*.server.com/\",\r\n serverCertificate: \"certificate_server1.der\"\r\n },\r\n {\r\n url: \"https://*.server2.com/\",\r\n serverCertificate: \"certificate_server2.der\"\r\n }\r\n]);\r\n{code}\r\n\r\nBoth certificates point to a *wildcard* domain because the app consume different API's (depends on the version of the app that the user has downloaded).\r\nAll the HTTPClient objects are being created like this:\r\n\r\n{code:java}\r\nvar xhr = Ti.Network.createHTTPClient({\r\n\tvalidatesSecureCertificate : true,\r\n\ttlsVersion : Titanium.Network.TLS_VERSION_1_0,\r\n\tsecurityManager: securityManager,\r\n\ttimeout: 120000,\r\n\tautoEncodeUrl: false\r\n});\r\n{code}\r\n\r\nThis code works correctly. Now if we change the URLs of the Security Manager to:\r\n\r\n{code:java}\r\nvar securityManager = https.createX509CertificatePinningSecurityManager([\r\n {\r\n url: \"https://google.com\",\r\n serverCertificate: \"certificate_server1.der\"\r\n },\r\n {\r\n url: \"https://google.com\",\r\n serverCertificate: \"certificate_server2.der\"\r\n }\r\n]);\r\n{code}\r\n\r\nEverything still works normally. Correct me if I'm wrong, but I don't think that's normal.\r\nFrom my understanding, it appears the securityManager and my HTTPClient objects are not working as they are supposed to.\r\n\r\nFind attached 2 images of requests that I've sent to the server being tracked through Fiddler (via Proxy). I should not be able to see the content of these packets. \r\nFiddler is being able to capture my packets and forward them to my server without any problem. Also, here's a link that guides you on how to configure Fiddler: \r\nhttp://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForiOS\r\n\r\n\r\n\r\n\r\n", "attachment": [ { "id": "60206", "filename": "faceboo.der", "author": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2016-09-05T02:18:55.000+0000", "size": 1875, "mimeType": "application/x-x509-ca-cert" }, { "id": "60205", "filename": "goog.der", "author": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2016-09-05T02:18:55.000+0000", "size": 8251, "mimeType": "application/x-x509-ca-cert" }, { "id": "60167", "filename": "image002 copy.png", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-08-31T04:53:27.000+0000", "size": 893555, "mimeType": "image/png" }, { "id": "60166", "filename": "image003 copy.png", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-08-31T04:53:27.000+0000", "size": 201091, "mimeType": "image/png" } ], "flagged": false, "summary": "iOS: SSL Pinning / HTTPS module not working for wildcard-certificates", "creator": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "subtasks": [], "reporter": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "environment": "appcelerator.https 1.1.3\r\n", "closedSprints": [ { "id": 733, "state": "closed", "name": "2016 Sprint 21 SDK", "startDate": "2016-10-08T00:53:00.000Z", "endDate": "2016-10-22T00:53:00.000Z", "completeDate": "2016-10-24T03:58:08.547Z", "originBoardId": 114 } ], "comment": { "comments": [ { "id": "394907", "author": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "body": "We have the module working in several production apps and it works there. There was a problem between 5.0.0 and 5.1.0 I think, but that was fixed in 5.2.0 and later. So in order to investigate this further, we need your full environment and validation that your certificates and connections are correctly implemented. Please also attach your logs if possible or send them directly to us.\r\n\r\nBut - I would suggest it is a valid issue that is caused by the wildcard-syntax. Is the syntax documented to be valid? Thank you!\r\n\r\nA list of possible helpful link(s):\r\n- http://stackoverflow.com/a/26494515/5537752", "updateAuthor": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "created": "2016-08-31T11:37:42.000+0000", "updated": "2016-08-31T11:49:36.000+0000" }, { "id": "394910", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "That syntax is not documented, but having wildcard certificates is pretty standard for SSL pinning. That's how we've been using the HTTPS module since we acquired it. If it doesn't work, an error should be thrown to make it easy for us to detect this.\r\nAs I've said in the description:\r\n* Our app can contact the API without any problems by using that securityManager. Why no errors are being thrown (since the packets are completely exposed as you can see in the images attached) ?\r\n* If I change the URLs in the security manager the app still works flawlessly. At least an error should be thrown in case the URL passed to the object doesn't match the one in the certificate, right ?\r\n\r\nI'll have to discuss with my team whether it's possible to give you our environment / certificates, because as said above this information is very sensitive.", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-08-31T12:58:20.000+0000", "updated": "2016-08-31T22:51:26.000+0000" }, { "id": "394911", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "Also, is the implementation mentioned in the StackOverflow link above the same one used in the HTTPS module?\r\nIf so, I can try and generate another certificate with the wildcard server address in the Subject Alternate Name section.", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-08-31T13:00:53.000+0000", "updated": "2016-08-31T13:00:53.000+0000" }, { "id": "395015", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "I've just confirmed that both of our certificates have the wildcard domains in the Subject Alternative Name section.\r\nI think this is not the root of the problem.\r\nHere's how my certificate looks like (omitting the content):\r\n\r\n\r\n{code:java}\r\nX509v3 extensions:\r\n X509v3 Authority Key Identifier: \r\n \r\n X509v3 Subject Key Identifier: \r\n \r\n X509v3 Key Usage: critical\r\n \r\n X509v3 Basic Constraints: critical\r\n \r\n X509v3 Extended Key Usage: \r\n \r\n X509v3 Certificate Policies: \r\n \r\n X509v3 CRL Distribution Points: \r\n \r\n Authority Information Access: \r\n \r\n X509v3 Subject Alternative Name: \r\n DNS:*.example.com.au, DNS:example.com.au\r\n{code}\r\n", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-09-01T06:31:01.000+0000", "updated": "2016-09-01T06:32:53.000+0000" }, { "id": "395288", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "Any answers on this? Could you guys try and run a test using a wildcard certificate in house ?", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-09-05T00:53:58.000+0000", "updated": "2016-09-05T00:53:58.000+0000" }, { "id": "395291", "author": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "body": "I am unable to reproduce your issue about\r\n{quote}\r\nIf I change the URLs in the security manager the app still works flawlessly. At least an error should be thrown in case the URL passed to the object doesn't match the one in the certificate, right ?\r\n{quote}\r\nIt's working correctly with the an error thrown {{A host name can only be pinned to one public key.}}\r\nThis is my environment and this is my code:\r\nTi SDK: 5.5.0.v20160831100821\r\nAPPC CLI: 5.5.0-5\r\nAPPC NPM: 4.2.7\r\nHTTPS module: 1.1.3\r\n\r\n{code}\r\n// Require in the module\r\nvar https = require('appcelerator.https'),\r\n securityManager,\r\n httpClient;\r\n\r\nvar securityManager = https.createX509CertificatePinningSecurityManager([\r\n {\r\n url: \"https://google.com\",\r\n serverCertificate: \"goog.der\"\r\n },\r\n {\r\n url: \"https://google.com\",\r\n serverCertificate: \"faceboo.der\"\r\n }\r\n]);\r\n\r\nvar httpClient = Ti.Network.createHTTPClient({\r\n onload: function(e) {\r\n Ti.API.info(\"Received text: \" + this.responseText);\r\n// alert(\"Received text: \" + this.responseText);\r\n },\r\n onerror: function(e) {\r\n Ti.API.error(e.error);\r\n// alert(e.error);\r\n },\r\n timeout : 5000,\r\n // You can only set this property when creating the HTTPClient\r\n securityManager: securityManager,\r\n validatesSecureCertificate : true,\r\n tlsVersion : Titanium.Network.TLS_VERSION_1_0,\r\n\tautoEncodeUrl: false\r\n});\r\n\r\nhttpClient.open(\"GET\", \"https://docs.google.com\");\r\nhttpClient.send();\r\n\r\n{code}\r\nAnd wildcards work just fine. I have attached the der files if you need them.\r\n\r\nI haven't configured fiddler but from what we understand from our iOS implementation, we based it entirely on apple's API for TLS and SSL, so the packet encryption should be equivalent to native behavior. The HTTPS module's certificate pinning is only for determining if party A is party A, and party B is party B (prevent MITM).\r\n\r\nMay I suggest you have another look at the implementation? at least to make sure that the error *is* thrown when using the same url, before we investigate the other claims? Thanks.", "updateAuthor": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2016-09-05T02:18:02.000+0000", "updated": "2016-09-05T02:18:02.000+0000" }, { "id": "395302", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "The error you're getting is being caused because you're trying to use 2 different certificates to the same URL. I can get this error too if I use the code you shared above.\r\nCan you please install Fiddler with the link I provided above and double check if the SSL Pinning is working for you ? Trusting the \"no errors showing, no problems happening\" premise was our first mistake... you shouldn't be able to see the content of packets originated by the app.\r\n\r\nThanks!", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-09-05T03:21:41.000+0000", "updated": "2016-09-05T03:21:41.000+0000" }, { "id": "395445", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "Waiting...", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-09-06T22:08:26.000+0000", "updated": "2016-09-06T22:08:26.000+0000" }, { "id": "395555", "author": { "name": "ewieber", "key": "ewieber", "displayName": "Eric Wieber", "active": false, "timeZone": "America/Los_Angeles" }, "body": "I set up Fiddler on my Windows machine, configured my iOS device to send traffic to it, then tested the above code samples as well as modified the URLs and HTTPClient properties. I was not able to reproduce this issue. All of my packets were encoded. After installing a recommended plugin, I had the option to decode them and they would then appear in plain text. A menu option also appeared (under 'Rules') to 'Remove All Encodings' and after selecting that, everything was decoded automatically. ", "updateAuthor": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2016-09-07T23:27:45.000+0000", "updated": "2016-09-15T23:07:32.000+0000" }, { "id": "395870", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "@Chee Kiat Ng", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-09-12T08:43:10.000+0000", "updated": "2016-09-12T08:43:10.000+0000" }, { "id": "395979", "author": { "name": "shossain", "key": "shossain", "displayName": "Shak Hossain", "active": false, "timeZone": "America/Los_Angeles" }, "body": "[~rdperottoni] - can you please file a support ticket with us? As of now this is not indicating any platform issue. If you file support ticket (under your enterprise org), we can prioritize this and our support team can help to troubleshoot this further.", "updateAuthor": { "name": "shossain", "key": "shossain", "displayName": "Shak Hossain", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2016-09-13T04:50:27.000+0000", "updated": "2016-09-13T04:50:27.000+0000" }, { "id": "395980", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "No, I can't until a proper testing is done according to what I've commented above:\r\n\r\nbq. The error you're getting is being caused because you're trying to use 2 different certificates to the same URL. I can get this error too if I use the code you shared above.\r\nbq. Can you please install Fiddler with the link I provided above and double check if the SSL Pinning is working for you ? Trusting the \"no errors showing, no problems happening\" premise was our first mistake... you shouldn't be able to see the content of packets originated by the app.\r\nbq. Thanks!", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-09-13T04:53:00.000+0000", "updated": "2016-09-13T04:53:38.000+0000" }, { "id": "396303", "author": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "body": "[~rdperottoni] In your description of your issue at the very beginning, you said \r\n{quote}\r\nThis code works correctly. Now if we change the URLs of the Security Manager to:\r\n{code}\r\nvar securityManager = https.createX509CertificatePinningSecurityManager([\r\n {\r\n url: \"https://google.com\",\r\n serverCertificate: \"certificate_server1.der\"\r\n },\r\n {\r\n url: \"https://google.com\",\r\n serverCertificate: \"certificate_server2.der\"\r\n }\r\n]);\r\n{code}\r\nEverything still works normally. Correct me if I'm wrong, but I don't think that's normal.\r\n{quote}\r\nI understand from this that you are saying 1 url + 2 certs = working = wrong behavior.\r\nBut when i try to reproduce, i got 1 url + 2 certs = not working = correct behavior.\r\nSo I think there's no problems here.\r\n\r\nplease also see my colleague's comments when he tried to reproduce using Fiddler.", "updateAuthor": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2016-09-15T23:06:51.000+0000", "updated": "2016-09-15T23:06:51.000+0000" }, { "id": "396305", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "Hey Kiat. I've seen Eric's answer. And yes, the problem itself is that the packets are decodable. \r\nSince day 1 of our Team plan we thought that no one would be able to see / decode our packets because of the SSL pinning. Because well.. that's the purpose of it. The app should not work if the packets being sent by it were intercepted by an authority other than the server (which has the same certificate used for creating the handshake).\r\n\r\nAny suggestions on what we should do now ?\r\n\r\n", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-09-15T23:25:16.000+0000", "updated": "2016-09-15T23:27:20.000+0000" }, { "id": "396410", "author": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "body": "We'll investigate further.", "updateAuthor": { "name": "cng", "key": "cng", "displayName": "Chee Kiat Ng", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2016-09-16T23:05:19.000+0000", "updated": "2016-09-16T23:05:19.000+0000" }, { "id": "396630", "author": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "body": "Hey [~rdperottoni], I am taking a look now. Some general questions beforehand:\r\n- Is it only happening to wildcard-certificates or certificates in general?\r\n- Did it work with earlier versions of the module and/or Titanium SDK?\r\n- -Does changing the value of {{autoEncodeUrl}} to {{true}} change something?-\r\n- I read about changing {{https://*.server.com/}} to {{*.server.com}}, please try that. If the error \"Scheme must be https for URL xxxx\" is thrown, let me know.\r\n\r\nPlease revalidate and answer those ones very closely. I will setup the environment and do some code-level tests afterwards. I am wondering especially about the answer regarding the latter one, since that might be the causing one.", "updateAuthor": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "created": "2016-09-20T10:37:06.000+0000", "updated": "2016-09-20T11:45:59.000+0000" }, { "id": "396891", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "Hey Hans.\r\n\r\n* I don't have other certificates to test this;\r\n* I don't know. We only tested the SSL pinning a couple of weeks ago and discovered that it was not working (since we can see the packets). We assumed in the first time we implemented it (Nov/2015) that it was working normally since no errors were being presented to us.\r\n* Tried doing that and got this error:\r\n\r\n{code:java}\r\nError: *** setObjectForKey: key cannot be nil\r\n{code}\r\n", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-09-21T23:01:34.000+0000", "updated": "2016-09-21T23:01:34.000+0000" }, { "id": "397941", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "Following up on this ticket: \r\nHans asked me to run a test using *2.0.0* and removing the https://. \r\nI'm getting the same error as reported above:\r\n \r\n{code:java}\r\n[ERROR] Error: *** setObjectForKey: key cannot be nil \r\n[ERROR] File: od_plugins/network/http.js \r\n[ERROR] Line: 3 \r\n[ERROR] SourceId: \r\n[ERROR] Backtrace: \r\n[ERROR] undefined\r\n{code}", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-10-03T20:56:14.000+0000", "updated": "2016-10-03T22:31:28.000+0000" }, { "id": "398012", "author": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "body": "Ok, so that error is in your http-class and indicates that you want to set a key-value with a key that does not exist, did you validate that before? I just attached an example project we used to test certificates and it worked using the changes. \r\n\r\nExample-project: https://www.dropbox.com/s/g29qqngr0lwqvzo/appc-https-example.zip?dl=1", "updateAuthor": { "name": "hknoechel", "key": "hansknoechel", "displayName": "Hans Knöchel", "active": true, "timeZone": "Europe/Berlin" }, "created": "2016-10-03T22:36:05.000+0000", "updated": "2016-10-03T22:36:21.000+0000" }, { "id": "398013", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "In the project you mentioned above you're not using the **.server.com* syntax you told me.\r\nWhat's the right syntax then?\r\n\r\nThe only different thing between my project and yours is the *serverCertificate*. ", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-10-03T22:40:35.000+0000", "updated": "2016-10-03T22:56:02.000+0000" }, { "id": "398571", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "1 week without any replies.", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-10-11T04:55:32.000+0000", "updated": "2016-10-11T04:55:32.000+0000" }, { "id": "398588", "author": { "name": "jvennemann", "key": "jvennemann", "displayName": "Jan Vennemann", "active": true, "timeZone": "Europe/Berlin" }, "body": "Rodolfo, can you please use this new example project and test it together with the module version 2.0.1 which Hans will send you?\r\n\r\nhttps-test: https://www.dropbox.com/s/cjmuip8b057r4jr/https-test.zip?dl=1\r\n\r\nI tested this project with the iOS 10.0 Simulator on my Mac together with Fiddler on my Windows machine.\r\n\r\nSteps used for testing:\r\n* Start Fiddler and make sure HTTPS decryption is disabled by unchecking Tools > Fiddler Options > HTTPS > Decrypt HTTPS traffic\r\n* [Configure Fiddler for Mac|http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForMac] when using the Sim or [Configure for iOS|http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForiOS] when running on Device.\r\n* Build the attached example app with {{appc run -p ios -I 10.0 -l trace}}\r\n* Run the different test cases by tapping the buttons. The expected test result is displayed in the App and should match the actual result displayed in the undermost label and logs in the console. Also all traffic in Fiddler should be encrypted and not readable.\r\n* To emulate a Man-in-the-middle attack enable HTTPS decryption in Fiddler by checking Tools > Fiddler Options > HTTPS > Decrypt HTTPS traffic.\r\n* The first two tests will now also fail due to wrong SSL certs. The Appcelerator one will still succeed because its not configured for SSL Pinning and should be the only request where you can read decrypted HTTPS traffic.\r\n\r\nPlease let us know about any different behaviour between the URLs i used for testing and your own server URLs.", "updateAuthor": { "name": "jvennemann", "key": "jvennemann", "displayName": "Jan Vennemann", "active": true, "timeZone": "Europe/Berlin" }, "created": "2016-10-11T13:25:36.000+0000", "updated": "2016-10-11T13:26:03.000+0000" }, { "id": "399053", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "I didn't receive the 2.0.1 module. Can someone send it to me in my e-mail ?", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-10-16T22:39:11.000+0000", "updated": "2016-10-16T22:39:11.000+0000" }, { "id": "399163", "author": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "body": "Just confirmed that the 2.0.1 release is working properly.\r\nYou can close this ticket.", "updateAuthor": { "name": "rdperottoni", "key": "rdperottoni", "displayName": "Rodolfo Perottoni", "active": true, "timeZone": "Australia/Brisbane" }, "created": "2016-10-17T23:32:54.000+0000", "updated": "2016-10-17T23:32:54.000+0000" }, { "id": "440114", "author": { "name": "emerriman", "key": "emerriman", "displayName": "Eric Merriman ", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Cleaning up older fixed issues. If this issue should not have been closed as fixed, please reopen.", "updateAuthor": { "name": "emerriman", "key": "emerriman", "displayName": "Eric Merriman ", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2018-08-06T17:49:19.000+0000", "updated": "2018-08-06T17:49:19.000+0000" } ], "maxResults": 36, "total": 36, "startAt": 0 } } }