[TIMOB-18861] SSL certificate validation fails on university.appcelerator.com on Android
| GitHub Issue | n/a |
|---|---|
| Type | Bug |
| Priority | High |
| Status | Closed |
| Resolution | Fixed |
| Resolution Date | 2015-04-29T22:49:29.000+0000 |
| Affected Version/s | n/a |
| Fix Version/s | Release 4.0.0, Release 4.1.0 |
| Components | Android |
| Labels | n/a |
| Reporter | Chris Bowley |
| Assignee | Hieu Pham |
| Created | 2015-04-10T16:43:30.000+0000 |
| Updated | 2017-03-16T22:48:37.000+0000 |
Description
The Android mobile app for Appcelerator University cannot connect to the API due to an SSL certificate validation failure. The error message suggests the server certificate is for *.cloudapp-enterprise.appcelerator.com:
HTTP Error (javax.net.ssl.SSLException): hostname in certificate didn't match: <university.appcelerator.com> != <*.cloudapp-enterprise.appcelerator.com> OR <*.cloudapp-enterprise.appcelerator.com> OR <cloudapp-enterprise.appcelerator.com>
curl -v -s -H "Authorization: Basic VGswNHhoMjdNeGlCTEdWMHU3MlVkUlBDZzNYNHd0WmI6" https://university.appcelerator.com/api/app/config 1> /dev/null
* Hostname was NOT found in DNS cache
* Trying 54.244.121.15...
* Connected to university.appcelerator.com (54.244.121.15) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: *.appcelerator.com
* Server certificate: Go Daddy Secure Certificate Authority - G2
* Server certificate: Go Daddy Root Certificate Authority - G2
> GET /api/app/config HTTP/1.1
> User-Agent: curl/7.37.1
> Host: university.appcelerator.com
> Accept: */*
> Authorization: Basic VGswNHhoMjdNeGlCTEdWMHU3MlVkUlBDZzNYNHd0WmI6
>
< HTTP/1.1 200 OK
< X-Powered-By: Appcelerator Node.ACS
< X-Response-time: 8ms
* Server Appcelerator Arrow/0.3.167 is not blacklisted
< server: Appcelerator Arrow/0.3.167
< request-id: fdea4777-3ec4-4552-a782-a66992bb724c
< content-type: application/json
< content-length: 129
< date: Fri, 10 Apr 2015 16:42:11 GMT
< connection: close
<
{ [data not shown]
* Closing connection 0
App name: AppU
-- Created by: rblalock@appcelerator.com
-- URL: https://0df0b36af43e31f224953e4d270bcb256b86677c.cloudapp-enterprise.appcelerator.com
-- DOMAIN: university.appcelerator.com
-- Created at: Sat Mar 21 2015 03:55:30 GMT+0000 (GMT)
-- Node Version: 0.10.22
-- Server Size: Large
-- Maximum allowed number of servers: 5
-- Desired minimum number of servers: 3
-- Current number of deployed servers: 3
-- Auto scale-up enabled: true
-- Maximum queued requests per server: 50
-- Auto scale-down enabled: true
-- Active version: 1.0.11
-- Published at: Thu Apr 09 2015 02:41:16 GMT+0100 (BST)
-- Status: Active
-- Servers:
No. 1 ID: 551c756413a34aafa5f90281 Status: Deployed
No. 2 ID: 551c757813a34aafa5f90285 Status: Deployed
No. 3 ID: 551c75c713a34aafa5f90295 Status: Deployed
[~cbowley] is this running on an Android simulator or phone? Which Android version and phone model? We occasionally see issues with older Android versions when handling SSL certificates.
[~mgoff] this is on device. I have the same error on: Nexus 5, Android 5.0 Galaxy Tab 10.1 2. Android 4.2.2 Built using Ti 3.5.1. Do we even serve a *.cloudapp-enterprise.appcelerator.com certificate?
I get the same error if I try to access the Studio dashboard Arrow app API from Android: Equivalent cURL command:
Error when requested from Android:I've had these kind of errors on Android apps before. I then learned that Android is very picky about the right order of the SSL certificate chain. You can find a lot about that on Google: https://www.google.nl/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=order+of+certificates+chain+android
Thanks [~fokkezb]. Here's the results I get for university.appcelerator.com: https://www.ssllabs.com/ssltest/analyze.html?d=university.appcelerator.com&s=54.244.121.14&hideResults=on. No reference to *.cloudapp-enterprise.appcelerator.com.
If I make the request using the original URL, I get the *.cloudapp-enterprise.appcelerator.com certificate. Which means Android is resolving the CNAME URL?
[~cbowley] [~ingo] One potential cause of the mismatch only from Android (when browsers and iOS are working fine) could be how it handles virtual hosting. From https://developer.android.com/training/articles/security-ssl.html: {quote} Fortunately, HttpsURLConnection supports SNI since Android 2.3. Unfortunately, Apache HTTP Client does not, which is one of the many reasons we discourage its use. One workaround if you need to support Android 2.2 (and older) or Apache HTTP Client is to set up an alternative virtual host on a unique port so that it's unambiguous which server certificate to return. {quote} Which one do we use? Our HAProxy load balancer in Node.ACS utilizes SNI to choose the right SSL certificate to return.
We specifically had to make a change for this WRT to building apps and the security server. Also see TIMOB-17948. It sounds like we should bump up the priority there.
SNI support is absolutely required for Ti apps to access Arrow Cloud (Node.ACS) apps.
Well, ack. [~hpham] and [~emerriman], let's discuss today.
[~hpham] this seems to be an issue for Arrow apps which add their own SSL certificates and CNAME. Try the same Android code with university.appcelerator.com as the URL. Or I could add a SSL cert and CNAME to the app you just published to try and recreate the issue.
Mike, I just tried this:
var xhr = Ti.Network.createHTTPClient({ onload: function onLoad() { alert("Loaded: " + this.status + ": " + this.responseText); }, onerror: function onError() { alert("Errored: " + this.status + ": " + this.responseText); } }); xhr.open("GET","https://university.appcelerator.com"); //var authstr = 'Basic ' + Ti.Utils.base64encode('VGswNHhoMjdNeGlCTEdWMHU3MlVkUlBDZzNYNHd0WmI6:'); //xhr.setRequestHeader("Authorization", authstr); xhr.send();[~ingo], I configured a CNAME for [~hpham]'s Arrow app which uses the same SSL cert as university.appcelerator.com, and he was not able to produce the problem with 4.0.0.RC. How do you wish to proceed? Run the same test with Ti 3.5.1 that Chris used? Or be content that it works on 4.0?
var xhr = Ti.Network.createHTTPClient({ onload: function onLoad() { alert("Loaded: " + this.status + ": " + this.responseText); }, onerror: function onError() { alert("Errored: " + this.status + ": " + this.responseText); } }); xhr.open("GET","https://devops-4514.appcelerator.com/"); //var authstr = 'Basic ' + Ti.Utils.base64encode('VGswNHhoMjdNeGlCTEdWMHU3MlVkUlBDZzNYNHd0WmI6:'); //xhr.setRequestHeader("Authorization", authstr); xhr.send();$ acs list ACS: Appcelerator Cloud Services Command-Line Interface, version 1.0.23 Copyright (c) 2012-2015, Appcelerator, Inc. All Rights Reserved. Admin Hostname: https://admin.cloudapp-enterprise.appcelerator.com Organization: ChaosMonkey (100006264) ============ Points: -- Quota: 45 -- Used: 1 App name: TestArrow -- Created by: hpham@appcelerator.com -- URL: https://586f26424b0714864876ac62d861a5fe70b83624.cloudapp-enterprise.appcelerator.com -- DOMAIN: devops-4514.appcelerator.com -- Created at: Fri Apr 24 2015 11:42:45 GMT-0700 (PDT) -- Node Version: 0.10.22 -- Server Size: Dev -- Maximum allowed number of servers: 1 -- Desired minimum number of servers: 1 -- Current number of deployed servers: 1 -- Active version: 1.0.0 -- Published at: Fri Apr 24 2015 13:03:52 GMT-0700 (PDT) -- Status: Active -- Servers: No. 1 ID: 5539092013a34aafa5fe484d Status: Deployed $ dig +short devops-4514.appcelerator.com 586f26424b0714864876ac62d861a5fe70b83624.cloudapp-enterprise.appcelerator.com. ec2-54-244-121-15.us-west-2.compute.amazonaws.com. 54.244.121.15[~cbowley] can you please take a look at [~hpham]'s code above and see what the difference might be?
[~hpham] [~mgoff] [~imuschenetz@appcelerator.com] by default the SSL certificate is not validated in development. You need to add
xhr.validatesSecureCertificate = true;Testing code
var xhr = Ti.Network.createHTTPClient({ onload: function onLoad() { alert("Loaded: " + this.status + ": " + this.responseText); }, onerror: function onError() { alert("Errored: " + this.status + ": " + this.responseText); } }); xhr.validatesSecureCertificate = true; xhr.open("GET","https://devops-4514.appcelerator.com/"); xhr.send();I was able to reproduce this on Eclipse, Appcelerator Studio works fine for some reason. I added support for SNI here: https://github.com/appcelerator/titanium_mobile/pull/6807
Closing ticket as fixed.