{ "id": "138456", "key": "TIMOB-17891", "fields": { "issuetype": { "id": "4", "description": "An improvement or enhancement to an existing feature or task.", "name": "Improvement", "subtask": false }, "project": { "id": "10153", "key": "TIMOB", "name": "Titanium SDK/CLI", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [ { "id": "16593", "description": "Release 4.0.0", "name": "Release 4.0.0", "archived": false, "released": true, "releaseDate": "2015-05-21" } ], "resolution": { "id": "1", "description": "A fix for this issue is checked into the tree and tested.", "name": "Fixed" }, "resolutiondate": "2015-03-09T22:03:55.000+0000", "created": "2014-10-23T19:36:16.000+0000", "priority": { "name": "High", "id": "2" }, "labels": [ "qe-4.0.0" ], "versions": [], "issuelinks": [ { "id": "42350", "type": { "id": "10001", "name": "Cloners", "inward": "is cloned into", "outward": "is cloned from" }, "outwardIssue": { "id": "83099", "key": "TIMOB-6311", "fields": { "summary": "iOS: Support TLS versioning on XHR client", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "priority": { "name": "High", "id": "2" }, "issuetype": { "id": "2", "description": "A new feature of the product, which has yet to be developed.", "name": "New Feature", "subtask": false } } } }, { "id": "42351", "type": { "id": "10003", "name": "Relates", "inward": "relates to", "outward": "relates to" }, "inwardIssue": { "id": "138458", "key": "TIDOC-1941", "fields": { "summary": "APIDoc: Add additional information about TLS usage and support", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "priority": { "name": "Medium", "id": "3" }, "issuetype": { "id": "4", "description": "An improvement or enhancement to an existing feature or task.", "name": "Improvement", "subtask": false } } } } ], "assignee": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "updated": "2017-03-22T22:43:55.000+0000", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [ { "id": "10202", "name": "Android", "description": "Android Platform" } ], "description": "We need to support different TLS versions in our XHR. A property ({{tlsVersion}}) will be added to {{Ti.Network.HTTPClient}} for Android. It is currently iOS-only. See https://github.com/appcelerator/titanium_mobile/blob/master/android/modules/network/src/java/ti/modules/titanium/network/TiSocketFactory.java#L25 for where it is ultimately used.\r\n\r\nhttp://developer.android.com/reference/javax/net/ssl/SSLContext.html#getInstance(java.lang.String)\r\n\r\nWhile TLS 1.0 is not vulnerable to POODLE, we may wish to make the default TLS 1.1:\r\n\r\nhttps://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2014-3566/", "attachment": [], "flagged": false, "summary": "Android: Support TLS versioning on XHR client", "creator": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "subtasks": [], "reporter": { "name": "stephentramer", "key": "stephentramer", "displayName": "Stephen Tramer", "active": true, "timeZone": "America/Los_Angeles" }, "environment": null, "closedSprints": [ { "id": 356, "state": "closed", "name": "2015 Sprint 05 SDK", "startDate": "2015-02-28T15:50:08.527Z", "endDate": "2015-03-14T00:00:00.000Z", "completeDate": "2015-03-14T13:54:50.695Z", "originBoardId": 114 }, { "id": 251, "state": "closed", "name": "2014 Sprint 23 SDK", "startDate": "2014-11-10T22:56:44.608Z", "endDate": "2014-11-22T01:00:00.000Z", "completeDate": "2014-11-22T05:03:36.553Z", "originBoardId": 114 } ], "comment": { "comments": [ { "id": "329231", "author": { "name": "rblalock", "key": "rblalock", "displayName": "Rick Blalock", "active": false, "timeZone": "America/Havana" }, "body": "I haven't had a customer bug me about this personally. Not sure on the support side where they're at with it.", "updateAuthor": { "name": "rblalock", "key": "rblalock", "displayName": "Rick Blalock", "active": false, "timeZone": "America/Havana" }, "created": "2014-10-23T20:01:14.000+0000", "updated": "2014-10-23T20:01:14.000+0000" }, { "id": "329255", "author": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "body": "I think we should have it for parity but I have not run into the same issue for Android as we had when this was a requirement for iOS. Is there a difference in how the two handle this by default? Just wondering why this wasn't a requirement when we implemented iOS.\r\n\r\nAlso, what is our default TLS version currently?", "updateAuthor": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-10-23T22:55:20.000+0000", "updated": "2014-10-23T22:55:20.000+0000" }, { "id": "329276", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Default is 1.0 for Android, 1.2 for iOS. What was the issue you mention?", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-10-24T00:13:36.000+0000", "updated": "2014-10-24T00:13:36.000+0000" }, { "id": "330789", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "I'm currently looking into this.\r\n\r\nFor setting Default TLS 1.1 for Android, based on [^http://developer.android.com/reference/javax/net/ssl/SSLContext.html#getInstance(java.lang.String)], min API level for Android SDK is 16.", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2014-11-05T03:39:28.000+0000", "updated": "2014-11-05T03:39:28.000+0000" }, { "id": "330790", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "I think it would be okay that if you wanted to set the version higher than 1.0 you would need to up your Android SDK min version", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-11-05T04:37:11.000+0000", "updated": "2014-11-05T04:37:11.000+0000" }, { "id": "330791", "author": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Agree, but can we ensure a proper error message is displayed if they try an unsupported TLS version with an older Android SDK.", "updateAuthor": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-11-05T04:40:26.000+0000", "updated": "2014-11-05T04:40:26.000+0000" }, { "id": "330792", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "Okay! I'll look into it more and see the best way I can support this.", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2014-11-05T04:42:22.000+0000", "updated": "2014-11-05T04:42:22.000+0000" }, { "id": "330793", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "Right now, I'm able to change the TLS version based on the Android SDK version being used.\r\n\r\nSolution 1 (Alan's suggestion):\r\nSet default to TLS 1.1. If Android SDK below 16 is used, throw an error.\r\n\r\nSolution 2:\r\nSet default to TLS 1.1. If Android SDK below 16 is used, set default to TLS 1.\r\n\r\nWhich is preferred? ", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2014-11-05T05:01:53.000+0000", "updated": "2014-11-05T05:01:53.000+0000" }, { "id": "330794", "author": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Possibly Option 2 with a WARN statement [~rblalock] or [~bgrantges]?", "updateAuthor": { "name": "aleard", "key": "aleard", "displayName": "Alan Leard", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-11-05T05:05:27.000+0000", "updated": "2014-11-05T05:05:27.000+0000" }, { "id": "330811", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "I'd like our behavior to match iOS as much as possible. Note that iOS does not consider TLS 1.1 by default. This is from a blog post:\r\n\r\nhttp://www.appcelerator.com/blog/2012/11/the-titanium-sdk-and-certificate-validation/\r\n\r\n\"For security reasons, when iOS is unable to connect with the requested TLS version, it treats the attempt as a failure instead of retrying with an older version. Unfortunately, many servers do not support TLS 1.2, and while it would be ideal that these servers updated, we understand the need to fall back to TLS 1.0. In iOS Titanium, we try to connect with 1.2, and if it fails, fall back to TLS 1.0. For speed reasons, if this succeeds, we remember the server’s legacy status for the duration of the application session.\"\r\n\r\nUsing tlsVersion\r\n* tlsVersion should be used for when you know the level of security your server has.\r\n* If you are uncertain of a server’s TLS support, leave the tlsVersion property blank.\r\n* If you know the server supports only TLS 1.0, you can set this value to TLS_VERSION_1_0 to avoid an unnecessary TLS 1.2 attempt.\r\n* If you know your server supports TLS 1.2, set the value to TLS_VERSION_1_2 for added security, as this denies any attempt to downgrade to 1.0.\r\n\r\nSummary:\r\n\r\n* All current supported versions of iOS support TLS 1.0, 1.1. and 1.2.\r\n* TLS 1.1/1.2 support came in Android 16 (4.1): http://developer.android.com/reference/javax/net/ssl/SSLSocket.html\r\n\r\nI instead suggest the following:\r\n\r\n* Add a TLS_VERSION_1_1 constant. I think we need to support 1.1 as an option for reasons like http://threatpost.com/federal-agencies-told-to-support-tls-1-2-by-2015/105906 (where 1.1 is still the ONLY supported protocol. You can't use 1.2, and you can't use 1.0)\r\n* Try 1.2 as default, then 1.1, then 1.0 unless one of the constants is set\r\n* Write out a INFO for Android if using API < 16 that indicates a less-secure version is being used assuming they have not specified a TLS version (since our current API minimum is 14). If user mandates TLS > 1.0 for Android via a constant such as TLS_VERSION_1_2, and then uses API < 16 , then I think we should fail the build.\r\n", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-11-05T13:54:43.000+0000", "updated": "2014-11-05T13:54:43.000+0000" }, { "id": "330812", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Also note that with Titanium SDK release 3.4.2, users will at least be required to build with API level 21 for Lollipop support, even though they will still be able to target earlier versions of the OS (down to 2.3.X)", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-11-05T13:55:56.000+0000", "updated": "2014-11-05T13:55:56.000+0000" }, { "id": "330816", "author": { "name": "bgrantges@appcelerator.com", "key": "bgrantges", "displayName": "Bert Grantges", "active": false, "timeZone": "America/Chicago" }, "body": "I think i am fine with the recommendation you provide [~ingo] - Much like Rick, i haven't had anyone asking for this specifically. I would lean towards parity across platform.\r\n\r\nBert", "updateAuthor": { "name": "bgrantges@appcelerator.com", "key": "bgrantges", "displayName": "Bert Grantges", "active": false, "timeZone": "America/Chicago" }, "created": "2014-11-05T14:42:24.000+0000", "updated": "2014-11-05T14:42:24.000+0000" }, { "id": "330958", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "[~ingo], [~rblalock], [~bgrantges] I'll do it as recommended by Ingo. ", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2014-11-06T01:31:19.000+0000", "updated": "2014-11-06T01:31:19.000+0000" }, { "id": "330993", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "Here's the pull request.\r\n\r\nWhen running on Android API < 16 and TLSv1.1 or TLSv1.2 is set, it will give an error:\r\n[ERROR] : TiHttpClient: (TiHttpClient-1) [780,3196] Error creating SSLSocketFactory: SSLContext TLSv1.2 implementation not found\r\n\r\nWhen running on Android API <16 and TLS is not set, default is used and it will give an info:\r\n[INFO] : TiSocketFactory: (TiHttpClient-1) [1101,2636] TLSv1 protocol is being used. It is a less-secure version.\r\n\r\nAll other cases will continue as normal.\r\n\r\nTest code for app.js as follows:\r\n{code}\r\n var url = \"http://www.appcelerator.com\";\r\n var client = Ti.Network.createHTTPClient({\r\n // function called when the response data is available\r\n onload : function(e) {\r\n Ti.API.info(\"Received text: \" + this.responseText);\r\n alert('success');\r\n },\r\n // function called when an error occurs, including a timeout\r\n onerror : function(e) {\r\n Ti.API.debug(e.error);\r\n alert('error');\r\n },\r\n //Comment this out for default case. Uncomment it to use the TLS versions\r\n //tlsVersion : Ti.Network.TLS_VERSION_1_2,\r\n timeout : 5000 // in milliseconds\r\n });\r\n // Prepare the connection.\r\n client.open(\"GET\", url);\r\n // Send the request.\r\n client.send();\r\n{code}\r\n\r\nPR: https://github.com/appcelerator/titanium_mobile/pull/6321", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2014-11-06T09:10:49.000+0000", "updated": "2014-11-06T09:10:49.000+0000" }, { "id": "330996", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "{code}\r\nclient.setTlsVersion(Ti.Network.TLS_VERSION_1_2);\r\nclient.getTlsVersion( ) ;\r\n{code}\r\n\r\nIs also available.", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2014-11-06T10:56:10.000+0000", "updated": "2014-11-06T10:56:10.000+0000" }, { "id": "333287", "author": { "name": "hpham", "key": "hpham", "displayName": "Hieu Pham", "active": true, "timeZone": "America/Los_Angeles" }, "body": "master PR to modify doc: https://github.com/appcelerator/titanium_mobile/pull/6372", "updateAuthor": { "name": "hpham", "key": "hpham", "displayName": "Hieu Pham", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2014-11-21T22:18:18.000+0000", "updated": "2014-11-21T22:18:18.000+0000" }, { "id": "343527", "author": { "name": "kagrawal", "key": "kagrawal", "displayName": "Khushbu Agrawal", "active": true, "timeZone": "Asia/Shanghai" }, "body": "Verified the fix on below Test Environment\r\nAppc Studio : 4.0.0.201502111039\r\nTi SDK : 4.0.0.v20150213151526 \r\nMac OSX : 10.10.1\r\nAlloy : 1.5.1 \r\nCLI - 3.6.0-dev \r\nCode Processor: 1.1.1 \r\nNexus 5 - Android 5.0\r\nAndroid SDK API 21\r\n\r\nsetTlsVersion( tlsVersion ) method doesn't handle invalid values.\r\nWith the below code, the Tls value is set to 400 which is not expected behavior.These should give error message to user. All the other cases are working as expected.\r\nReopening the ticket. \r\n\r\n{code}\r\nclient.setTlsVersion(400);\r\ntls=client.getTlsVersion( ) ;\r\nconsole.log(\"TLS version set using set Method: \"+ tls);\r\n{code}\r\nTLS version set using set Method: 400 //getting this on console", "updateAuthor": { "name": "kagrawal", "key": "kagrawal", "displayName": "Khushbu Agrawal", "active": true, "timeZone": "Asia/Shanghai" }, "created": "2015-02-17T07:20:55.000+0000", "updated": "2015-02-17T07:20:55.000+0000" }, { "id": "344703", "author": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "body": "If TLS value is not a recognized value, we should alert the user.", "updateAuthor": { "name": "ingo", "key": "ingo", "displayName": "Ingo Muschenetz", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2015-02-28T15:46:18.000+0000", "updated": "2015-02-28T15:46:18.000+0000" }, { "id": "344731", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "Noted. Will do.", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2015-03-02T02:05:05.000+0000", "updated": "2015-03-02T02:05:05.000+0000" }, { "id": "344739", "author": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "body": "PR: https://github.com/appcelerator/titanium_mobile/pull/6674\r\nError message will appear when setting unrecognized value.\r\n\r\nSubmitting to [~hpham] for review.", "updateAuthor": { "name": "msamah", "key": "msamah", "displayName": "Ashraf Abu", "active": false, "timeZone": "Asia/Singapore" }, "created": "2015-03-02T03:19:04.000+0000", "updated": "2015-03-02T03:19:55.000+0000" }, { "id": "415154", "author": { "name": "lmorris", "key": "lmorris", "displayName": "Lee Morris", "active": false, "timeZone": "America/Los_Angeles" }, "body": "Closing ticket as fixed.", "updateAuthor": { "name": "lmorris", "key": "lmorris", "displayName": "Lee Morris", "active": false, "timeZone": "America/Los_Angeles" }, "created": "2017-03-22T22:43:55.000+0000", "updated": "2017-03-22T22:43:55.000+0000" } ], "maxResults": 22, "total": 22, "startAt": 0 } } }