[TIMOB-20061] TLS Version set in Android ignored on Publish
GitHub Issue | n/a |
---|---|
Type | Bug |
Priority | Critical |
Status | Closed |
Resolution | Fixed |
Resolution Date | 2015-11-25T02:08:24.000+0000 |
Affected Version/s | n/a |
Fix Version/s | Release 5.2.0, Release 5.1.2 |
Components | Android |
Labels | TLS, android |
Reporter | Martin Williamson |
Assignee | Hieu Pham |
Created | 2015-11-18T14:59:53.000+0000 |
Updated | 2015-12-02T23:47:42.000+0000 |
Description
Using the latest SDK and Studio, using Set TLS version on Android functions as expected when built directly to the device; however, once published to the store, the setting is ignored and Android default behaviour kicks in.
On Android versions 5 and above TLS 1.2 is used correctly both locally and published.
On Android versions below 5 (4.4.4 and 4.1.0 confirmed) TLS 1.1 or TLS 1.2 is used correctly locally but connections are refused once published (SSL handshake fails).
We have TLS 1.0 disabled on our production environment for security reasons and, as a consequence of the setting not taking effect, all Android devices cannot connect to the server.
Repro Steps
Create a service endpoint with TLS 1.1 and TLS 1.2 only enabled.
Create HTTP client initialising TLS version
// Some comments here
// create new HTTPClient
var httpRegister = Titanium.Network.createHTTPClient({
    tlsVersion : Ti.Network.TLS_VERSION_1_1
});
Set target and min SDKS
<uses-sdk android:minSdkVersion="16"/>
<uses-sdk android:targetSdkVersion="23"/>
Add connection to server endpoint.
Compile using Latest SDK and deploy to android 4.1 or 4.4.4 device (simulator also behaves correctly)
Run application and hit endpoint -> works
Publish application to play store as beta or live
Run application and hit endpoint -> call fails
Martin, I'm wondering if the SSL failure is not due to the TLS version but rather that the certificate does not validate. By default, the SSL certificate is only validated in production builds so if there is an issue with validation you would only see this in production: http://docs.appcelerator.com/platform/latest/#!/api/Titanium.Network.HTTPClient-property-validatesSecureCertificate. If you are not already, set validatesSecureCertificate to true and test in development.
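The check suggested in the comment above, as an added example that is not part of the ticket or the Titanium code base: it requests the endpoint once per TLS version with validatesSecureCertificate forced on, so a development build reports what a published build would. The function name, the ENDPOINT placeholder and passing `Ti` in as a parameter are assumptions.

```javascript
// Added example, not code from the ticket. `Ti` is the Titanium global, passed
// in so the function can be exercised outside an app; ENDPOINT is a placeholder.
var ENDPOINT = 'https://service.example.invalid/help';

function probeTlsVersions(Ti, url, done) {
  var versions = [
    ['TLS 1.0', Ti.Network.TLS_VERSION_1_0],
    ['TLS 1.1', Ti.Network.TLS_VERSION_1_1],
    ['TLS 1.2', Ti.Network.TLS_VERSION_1_2]
  ];
  var results = [];

  function next(i) {
    if (i === versions.length) { done(results); return; }
    var label = versions[i][0];
    var client = Ti.Network.createHTTPClient({
      tlsVersion: versions[i][1],
      // Development builds skip certificate validation by default; force it on
      // so the request behaves as it would in a production build.
      validatesSecureCertificate: true,
      timeout: 10000, // milliseconds
      onload: function () {
        results.push({ tls: label, ok: true, status: client.status });
        next(i + 1);
      },
      onerror: function (e) {
        // Keep the error text: it helps tell a handshake failure from a
        // certificate validation failure.
        results.push({ tls: label, ok: false, error: e.error });
        next(i + 1);
      }
    });
    client.open('GET', url);
    client.send();
  }
  next(0);
}

// Runs only inside a Titanium app, where the global `Ti` exists.
if (typeof Ti !== 'undefined') {
  probeTlsVersions(Ti, ENDPOINT, function (results) {
    results.forEach(function (r) { Ti.API.info(JSON.stringify(r)); });
  });
}
```

Against a server that accepts only TLS 1.1 and 1.2, the TLS 1.0 entry is expected to fail and the other two to succeed.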
Verified issue in simulators by setting validatesSecureCertificate to true. Seeing exactly the same issue as when published.
iOS 9+ - Works correctly
Android 5+ - Works correctly
Android 4.4.4 - Won't connect
Android 4.1.0 - Won't connect
SSL certificate was renewed last month so is valid, no warnings and full green logo etc in browser. https://appservices.anvilgroup.com/help for verification
In case it is relevant, Server certificate is a wild card, V3, Sha256 certificate.
Testing code:
Run on API < 20 to reproduce.
master PR: https://github.com/appcelerator/titanium_mobile/pull/7493
PR merged.
5_1_X (5.1.2) Backport PR: https://github.com/appcelerator/titanium_mobile/pull/7495
5_1_X PR merged.
Verified the fix with the testing code. Using TLS version 1.1 & 1.2 on Android API<20 we can reach the endpoint & get the content. Closing.
Environment:
Appc Studio : 4.4.0.201511241829
Ti SDK : 5.1.2.v20151202061227
Ti CLI : 5.0.5
Alloy : 1.7.26
MAC Yosemite : 10.10.5
Appc NPM : 4.2.2
Appc CLI : 5.1.0
Node: v0.12.27