{ "id": "173491", "key": "TIMOB-26992", "fields": { "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false }, "project": { "id": "10153", "key": "TIMOB", "name": "Titanium SDK/CLI", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [], "resolution": { "id": "10100", "description": "This issue won't be actioned.", "name": "Won't Do" }, "resolutiondate": "2019-05-14T22:22:04.000+0000", "created": "2019-04-24T00:46:45.000+0000", "priority": { "name": "None", "id": "6" }, "labels": [ "HTTPClient", "android", "engTriage", "network", "security", "ssl" ], "versions": [], "issuelinks": [ { "id": "57504", "type": { "id": "10003", "name": "Relates", "inward": "relates to", "outward": "relates to" }, "inwardIssue": { "id": "162354", "key": "TIMOB-24004", "fields": { "summary": "Android: Parameter tlsVersion has no effect in version< 5.0", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "priority": { "name": "High", "id": "2" }, "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false } } } }, { "id": "57505", "type": { "id": "10003", "name": "Relates", "inward": "relates to", "outward": "relates to" }, "inwardIssue": { "id": "172727", "key": "TIMOB-26644", "fields": { "summary": "Android : After updating servers to use only TLS 1.2, HTTP requests from Android devices running <=4.4 are failing with error.", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "priority": { "name": "None", "id": "6" }, "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false } } } } ], "assignee": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "updated": "2019-05-14T22:22:04.000+0000", "status": { "description": "The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.", "name": "Closed", "id": "6", "statusCategory": { "id": 3, "key": "done", "colorName": "green", "name": "Done" } }, "components": [ { "id": "10202", "name": "Android", "description": "Android Platform" } ], "description": "*Summary:*\r\nTitanium's {{HTTPClient}} is internally coded to always disable the SSLv3 protocol and only support TLS 1.0 and higher protocols for \"https://\" communications. This is because SSLv3 is no longer considered secure as of 2014.\r\nhttps://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/\r\n\r\nUnfortunately, there is a bug on Google's end where Android 4.4 and older OS versions will ignore our TLS settings in Java and default to the SSLv3 protocol instead. This can cause communication errors since modern web servers typically respond to SSLv3 requests with an error since this protocol is not considered secure.\r\n\r\nThe Android bug report can be found here...\r\nhttps://issuetracker.google.com/issues/37008635\r\n\r\n*Steps to reproduce:*\r\n# Acquire an Android 4.4 device.\r\n# Make sure the device has Internet access.\r\n# Build and run with the below code.\r\n# Tap on the \"HTTP Get\" button.\r\n# Notice an \"SSLProtocolException\" error is displayed on screen.\r\n# Run the app on Android 5.0 or newer device.\r\n# After tapping on \"HTTP Get\", notice that a valid HTTP response is displayed onscreen.\r\n\r\n{code:javascript}\r\nvar window = Ti.UI.createWindow();\r\nvar scrollView = Ti.UI.createScrollView({\r\n\twidth: Ti.UI.FILL,\r\n\theight: Ti.UI.FILL,\r\n});\r\nvar label = Ti.UI.createLabel({\r\n\twidth: Ti.UI.FILL,\r\n\theight: Ti.UI.SIZE,\r\n});\r\nscrollView.add(label);\r\nwindow.add(scrollView);\r\nvar button = Ti.UI.createButton({\r\n\ttitle: \"HTTP Get\",\r\n\tbottom: \"10dp\",\r\n\tright: \"10dp\",\r\n});\r\nbutton.addEventListener(\"click\", function(e) {\r\n\tvar httpClient = Ti.Network.createHTTPClient({\r\n\t\tonload: function(e) {\r\n\t\t\tlabel.text = httpClient.responseText;\r\n\t\t\tbutton.enabled = true;\r\n\t\t},\r\n\t\tonerror: function(e) {\r\n\t\t\tvar message = e.error;\r\n\t\t\tif (!message) {\r\n\t\t\t\tmessage = \"Unknown error occurred.\";\r\n\t\t\t}\r\n\t\t\tlabel.text = message;\r\n\t\t\tbutton.enabled = true;\r\n\t\t},\r\n\t});\r\n\tlabel.text = \"Fetching...\";\r\n\tbutton.enabled = false;\r\n\thttpClient.open(\"GET\", \"https://www.nasa.gov\");\r\n\thttpClient.send();\r\n});\r\nwindow.add(button);\r\nwindow.open();\r\n{code}\r\n\r\n*Result:*\r\nThe following SSLv3 error gets logged when running on Android 5.1 and older OS versions.\r\n{code}\r\n[ERROR] : TiHTTPClient: (TiHttpClient-1) [8913,9013] HTTP Error (javax.net.ssl.SSLHandshakeException): javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x76d92718: Failure in SSL library, usually a protocol error\r\n[ERROR] : TiHTTPClient: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x733bdd74:0x00000000)\r\n[ERROR] : TiHTTPClient: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x76d92718: Failure in SSL library, usually a protocol error\r\n[ERROR] : TiHTTPClient: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x733bdd74:0x00000000)\r\n[ERROR] : TiHTTPClient: \tat com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:448)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.Connection.upgradeToTls(Connection.java:146)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.Connection.connect(Connection.java:107)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:294)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.internal.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:206)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:345)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:296)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:503)\r\n[ERROR] : TiHTTPClient: \tat com.android.okhttp.internal.http.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:136)\r\n[ERROR] : TiHTTPClient: \tat ti.modules.titanium.network.TiHTTPClient$ClientRunnable.run(TiHTTPClient.java:1319)\r\n[ERROR] : TiHTTPClient: \tat java.lang.Thread.run(Thread.java:841)\r\n[ERROR] : TiHTTPClient: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x76d92718: Failure in SSL library, usually a protocol error\r\n[ERROR] : TiHTTPClient: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x733bdd74:0x00000000)\r\n[ERROR] : TiHTTPClient: \tat com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)\r\n[ERROR] : TiHTTPClient: \tat com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)\r\n{code}\r\n\r\n*Work-around:*\r\nSimplest solution is to change the app's min supported Android version to 5.0 (aka: API Level 21). This can be done by adding the following to the \"tiapp.xml\" file.\r\n{code:xml}\r\n\r\n\r\n\t\r\n\t\t\r\n\t\t\t\r\n\t\t\r\n\t\r\n\r\n{code}\r\n\r\nAlternatively, this can be worked-around server side by allowing the SSLv3 protocol, but this is not advised since this protocol is not considered secure.\r\n\r\nUnfortunately, setting the {{HTTPClient}} \"tlsVersion\" property will not work since Android 4.4 and older OS versions may ignore this setting and use SSLv3 instead, which is the bug on Google's end that this ticket is about.", "attachment": [], "flagged": false, "summary": "Android: HTTPClient may use SSLv3 by default on Android 4.x when it shouldn't", "creator": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "subtasks": [], "reporter": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "environment": null, "comment": { "comments": [ { "id": "448138", "author": { "name": "gmathews", "key": "gmathews", "displayName": "Gary Mathews", "active": true, "timeZone": "America/Los_Angeles" }, "body": "It looks like this is too much work to resolve our selves. This is both a Google issue and a host issue.\r\n\r\n{{https://nasa.gov/}} only supports {{SSLv3, TLSv1}}, both of which are outdated protocols. They should be using {{TLSv1.2 or TLSv1.3}}.\r\n\r\nBasically, anyone running into this issue is probably connecting to a host supporting outdated protocols.", "updateAuthor": { "name": "gmathews", "key": "gmathews", "displayName": "Gary Mathews", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2019-05-01T23:30:33.000+0000", "updated": "2019-05-01T23:30:33.000+0000" }, { "id": "448376", "author": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "body": "Yeah, I agree. The only solution appears to be to wrap an SSL socket which would be a lot of work and not very maintainable. Simplest solution would be for everyone to just change the {{minSdkVersion}} version to API Level 21 (aka: Android 5.0) as shown above.\r\n\r\nI think we should just close it as \"Won't Fix\".", "updateAuthor": { "name": "jquick", "key": "jquick", "displayName": "Joshua Quick", "active": true, "timeZone": "America/Los_Angeles" }, "created": "2019-05-14T22:21:00.000+0000", "updated": "2019-05-14T22:21:00.000+0000" } ], "maxResults": 3, "total": 3, "startAt": 0 } } }