HTTPS using SSLv3 #174
Comments
Hm, let me look
Looking around line 157, can you let me know what SSLEngine gets instantiated? Default or TLS?
```java
static {
    // following is the "trust the system" certs setup
    try {
        // critical extension 2.5.29.15 is implemented improperly prior to 4.0.3.
        // https://code.google.com/p/android/issues/detail?id=9307
        // https://groups.google.com/forum/?fromgroups=#!topic/netty/UCfqPPk5O4s
        // certs that use this extension will throw in Cipher.java.
        // fallback is to use a custom SSLContext, and hack around the x509 extension.
        if (Build.VERSION.SDK_INT <= 15)
            throw new Exception();
        sslContext = SSLContext.getInstance("Default");
    }
    catch (Exception ex) {
        try {
            sslContext = SSLContext.getInstance("TLS");
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
                public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                }
                // Note: no chain validation happens here; the method only strips
                // the key-usage OID (2.5.29.15) and never throws.
                public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
                    for (X509Certificate cert : certs) {
                        if (cert != null && cert.getCriticalExtensionOIDs() != null)
                            cert.getCriticalExtensionOIDs().remove("2.5.29.15");
                    }
                }
            } };
            sslContext.init(null, trustAllCerts, null);
        }
        catch (Exception ex2) {
            ex.printStackTrace();
            ex2.printStackTrace();
        }
    }
}
```
The first one (
What device is this? Custom ROM or no? It's actually kind of worrisome that you need to force SSLv3. That's been deprecated in favor of TLS.
Server issue maybe? Can you screenshot me the cert as shown in the browser? I want to see how a browser connects to it. Protocols etc.
I have tested on a Nexus 4 (with Android 4.4.3) and on a Galaxy S3 (with Android 4.3), both using official ROMs. I'm not sure if it's a server issue (I don't have access to the server), but I was suspecting that it's an issue on the Android platform. For some reason when there are other protocols besides SSLv3 enabled the SSL engine is not able to decode the messages.
Yikes, even the browser is using SSLv3. TLS should be backwards compatible, but it is not, for some unknown reason. May be an Android bug: http://stackoverflow.com/a/11194217/704837 Same issue w/ the normal HttpClient. Ideally, the fix is that the server uses TLS and not SSLv3. If the server is not in your control, your workaround seems to be what others use. I'll merge your patch.
Hi, koush,
SocketIOClient.connect(AsyncHttpClient.getDefaultInstance(), "http://192.168.1.2:3000", new ConnectCallback() { Hi, koush, |
how to pause the executing task |
is not very clear how to fix this, because I'm using the latest version (2.1.8) and it doesn't work on Android 4.4 and 4.3 :S.
For some reason when the server uses SSLv3 the lib is not able to decode the messages properly. To work around this issue it's needed to set the enabled protocols to SSLv3 (only). This patch makes it possible to explicitly set the enabled protocols. For more info: koush/AndroidAsync#174
I'm getting the following error when I try to request something to a server over HTTPS and the server uses SSLv3:
I'm testing using the following code:
I could work around this problem by applying the following patch:
The strange part is that the default enabled protocols (returned by `engine.getEnabledProtocols()`) is `["TLSv1", "SSLv3"]` and it does not work. When I set it to be only SSLv3 it works.
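
The protocol restriction described in this issue, sketched with the plain JSSE `SSLEngine` API as an added example; it is not the patch from this thread and not AndroidAsync code. The class name, the `LEGACY_HOSTS` list and both host names are hypothetical; the point shown is keeping an SSLv3-only override scoped to the one server that needs it while every other host stays on TLS.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class EnabledProtocolsDemo {
    // Hosts known to need the SSLv3-only workaround (hypothetical placeholder name).
    static final Set<String> LEGACY_HOSTS = Collections.singleton("legacy.example.invalid");

    // Enable only the wanted protocols the engine supports; setEnabledProtocols()
    // throws IllegalArgumentException on an unsupported name, so filter first.
    static String[] restrictProtocols(SSLEngine engine, String... wanted) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> chosen = new ArrayList<String>();
        for (String p : wanted) {
            if (supported.contains(p)) chosen.add(p);
        }
        if (chosen.isEmpty()) {
            throw new IllegalStateException("engine supports none of " + Arrays.toString(wanted));
        }
        String[] result = chosen.toArray(new String[0]);
        engine.setEnabledProtocols(result);
        return result;
    }

    // Create a client engine; only hosts on the legacy list get SSLv3-only.
    static SSLEngine engineFor(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (LEGACY_HOSTS.contains(host)) {
            restrictProtocols(engine, "SSLv3");
        } else {
            restrictProtocols(engine, "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1");
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default trust managers, so chains are still validated
        for (String host : new String[] { "legacy.example.invalid", "www.example.invalid" }) {
            SSLEngine engine = engineFor(ctx, host, 443);
            System.out.println(host + " -> " + Arrays.toString(engine.getEnabledProtocols()));
        }
    }
}
```

No connection is made: `createSSLEngine` only configures the engine, so the program prints the enabled-protocol list chosen for each host.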