CloudFront SSL handshake errors #430
Comments
The direct reason for this is that the handshake message from the client does not contain the "Server Name Indication" extension (this can be observed through tcpdump). And the root cause for this is the

```java
// link: https://android.googlesource.com/platform/external/okhttp/+/android-5.1.1_r36/okhttp/src/main/java/com/squareup/okhttp/Connection.java#166
private void upgradeToTls(TunnelRequest tunnelRequest) throws IOException {
    Platform platform = Platform.get();
    ... ...
    // The 'route.address.sslSocketFactory' is actually a 'SSLCertificateSocketFactory'
    socket = route.address.sslSocketFactory
        .createSocket(socket, route.address.uriHost, route.address.uriPort, true /* autoClose */);
    SSLSocket sslSocket = (SSLSocket) socket;
    if (route.modernTls) {
        // This line should be executed before any handshake
        platform.enableTlsExtensions(sslSocket, route.address.uriHost);
    }
    ... ...
    // Here is the handshake
    sslSocket.startHandshake();
}
```

```java
// link: https://android.googlesource.com/platform/frameworks/base/+/android-5.0.0_r1/core/java/android/net/SSLCertificateSocketFactory.java#522
public Socket createSocket(String host, int port) throws IOException {
    OpenSSLSocketImpl s = (OpenSSLSocketImpl) getDelegate().createSocket(host, port);
    s.setNpnProtocols(mNpnProtocols);
    s.setAlpnProtocols(mAlpnProtocols);
    s.setHandshakeTimeout(mHandshakeTimeoutMillis);
    s.setChannelIdPrivateKey(mChannelIdPrivateKey);
    if (mSecure) {
        // This function internally will call the 'handshake'
        verifyHostname(s, host);
    }
    return s;
}
```

On the other hand, if the default factory is not set to be

The reason why Android 6+ does not have this problem is because SNI is enabled by default. I'm not sure why people are using
|
Doing a handshake without proper SSL settings will sometimes result in the server's rejection of the handshake and thereby the connection. Here is an example of this kind of problem: parse-community/Parse-SDK-Android#430

Basically the clients (examples listed at the end) of the SSLSocketFactory are going to do more handshake settings before they call the handshake function of the SSLSocket created by the SSLSocketFactory. The SSLCertificateSocketFactory is doing redundant work on this, and more than that, it may lead to the socket's breaking.

Some of the clients of SSLSocketFactory that set up the SSLSocket before the handshake:
https://android.googlesource.com/platform/libcore/+/09f1b0c/luni/src/main/java/libcore/net/http/HttpConnection.java#204
https://android.googlesource.com/platform/external/okhttp/+/android-5.1.1_r36/okhttp/src/main/java/com/squareup/okhttp/Connection.java#166
We have the same problem with CloudFlare; this is a library problem and it happens randomly depending on the device. Is there any way to handle it, or any update on this problem?
|
@afterlastangel have you got any solution for this? I am getting the same exception; my Parse server is hosted on Heroku and signed by COMODO CA. |
Any solutions on this? I'm having the same issue and can't fix it. |
Can't it be fixed after following the steps at the beginning of the post? It did work, not sure what the situation is now.

On 14 Dec 2016 4:21 pm, "Patric Corletto" wrote:
> Any solutions on this? I'm having the same issue and can't fix it
|
I could fix it! When looking into the parse 1.13.1 source code I realized they are still using http2. You have to update parse to 1.13.1 from mavenCentral and make sure it uses okHttp3. There has been an error with the jCenter 1.13.1 release which isn't mentioned anywhere. The build from maven is working. This snippet in your project's gradle solved the issue for me: `allprojects {
}` It pretty much tells gradle to use mavenCentral before jcenter in all your projects. Hope this helps! |
1.13.1 should now be using okhttp3. You shouldn't have to add mavenCentral() now. Can we close this ticket? |
This could also be related to: square/okhttp#2372 |
When connecting to a CloudFront proxied parse-server, on Android 5.0/5.1 the SSL connections will error while attempting to handshake.
I have tracked this down to the use of SSLCertificateSocketFactory.getDefault in: https://github.com/ParsePlatform/Parse-SDK-Android/blob/master/Parse/src/main/java/com/parse/ParseURLConnectionHttpClient.java#L41

I have also tried using okHttp, but the same problem exists with okHttp 2.7.5 until this line is removed: https://github.com/ParsePlatform/Parse-SDK-Android/blob/master/Parse/src/main/java/com/parse/ParseOkHttpClient.java#L60
On newer versions of android (6+) this error does not seem to happen.
What repercussions would we face if we stop overriding the SSL socket factory?
Simple test case to reproduce
Example stacktraces: