So here's a weird situation. I have a website running on https. I also have an app on android which leverages this website to make rest API calls. Everything was working fine until now. Recently my hoster changed something and everything is falling apart. When I fire rest request from browser it works fine. But when I do it using the app it doesn't work and I get this exception:
javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException:
Could not validate certificate: Certificate expired at Thu Aug 21 06:03:34 EDT 2014 (compared to Sat Aug 22 17:41:59 EDT 2015)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java
But everything working fine on pc and I double checked the certificates are expiring on 2016.
So I went a step further and tried to browsershot my website and I got some funny results. Out of 300 browsers I got the same issue in a couple of them.
http://i.stack.imgur.com/d86tE.png
http://oi60.tinypic.com/30ml1n4.jpg
Also I'm now getting this warning in my host while installing SSL.
"Note: You do not have a dedicated IP address. As a result, web browsers that do not support SNI will probably give false security warnings to your users when they access any of your SSL websites. Microsoft® Internet Explorer™ on Windows XP™ is the most widely used web browser that does not support SNI."
I'm not 100% sure whether this warning was there earlier or not but I'm just trying to put the pieces together.
There is nothing wrong with the code as my apps on the phone have stopped working which was working earlier.
Server Name Indication (SNI) means that the client (browser, app) sends the expected host name inside the SSL/TLS handshake. This is similar to the Host HTTP header and makes it possible to have multiple virtual servers with different hostnames share the same IP address.
If your client does not support SNI the server will either send some default certificate back or will trigger an error in the SSL/TLS handshake.
SNI is supported by all modern browsers, but older browsers or platforms like IE8 on XP do not support SNI. Also the Apache HTTP Request Library as shipped with the Android SDK does not support SNI which might be the issue in your case.
Everything was working fine until now. Recently my hoster changed something and everything is falling apart.
I guess this is the result of an incomplete change. It looks like the certificate for clients using SNI was replaced with a newer version because the previous one expired. But the default certificate of the site, i.e. the one used for non-SNI clients, is still the old expired certificate. Thus you get a valid certificate with all clients using SNI but an expired error with all clients not capable of doing SNI.
I ran into the same problem while calling a third party API from my android app.
To solve the problem I used HttpsURLConnection class from javax.net.ssl package which has SNI support.
A example to perform an API call.
import javax.net.ssl.HttpsURLConnection;
import java.net.URL;
public void performApiCall() {
try {
URL url = new URL("https://yourdestination.com");
HttpsURLConnection connection = (HttpsURLConnection)url.openConnection();
connection.setRequestProperty("content-type", "application/x-www-form-urlencoded");
connection.setRequestMethod("POST");
// other stuffs like adding parameters etc. Used android.util.Pair.
connection.connect();
// you can read response based on connection.getResponseCode()
}catch(Exception e){
e.printStackTrace();
}
}
Related
Problem: Since Chrome updated a while back (version 58?), I'm not able to access my computer's development Express web server with HTTPS from a remote machine on the same private LAN.
I have created a self-signed certificate on the server (my laptop), and it works great from the same machine via https://localhost:8383 (the local SSL port).
In the past I could bypass the warning on a remote machine on the same network but it has stopped working.
I've gone through the steps of creating a local secure DNS server on my own router with DD-WRT, and self-signed a new certificate with SAN so I could use a DNS host name to access it without specifying an IP address.
I'm able to get to the page after bypassing the message that warns the site's SSL certificate could not be verified. But that's not good enough because while the site will load, the underlying websocket service I'm using on the same port does not work, and so the application loads but is broken on the remote machine. Still works on the local machine because the certificate is valid.
It seems the issue centers around Websockets within Express.
Any guidance would be greatly appreciated! This is a strictly secure environment that's meant to be used on a private network and it makes no sense for me to spend a bunch of money on a public certificate if that even matters.
Thank you.
It appears that the issue is with mobile Chrome and Safari on IOS -- I can get untrusted SSL certificates to work with websockets from another computer on the same network with the latest versions of Chrome and Safari. But on IOS (ipads and iphones), the page will load after being prompted, but Websockets FAIL to function whatsoever.
I've found a couple other people finding this issue.
My workaround for this problem was to revert away from SSL for my private network and completely avoid self-signed certificates.
In a private environment this is OK.
When attempting to access my Apache Tomcat v9 site via HTTPS in Firefox, I am met with:
An error occurred during a connection to localhost:8443. SSL received an alert record with an unknown alert description.
Error code: SSL_ERROR_RX_UNKNOWN_ALERT
The Tomcat server has a certificate that is trusted by my Firefox. The Tomcat server is configured to require client certificates, of which I have one installed, but Firefox is not prompting me to select one.
There are no errors (or messages of any kind) in any logs in Tomcat. The strange thing is that this used to work last week but has stopped. I tried issuing the server a new certificate but that did not resolve this.
It turns out this is the cryptic error you get in Firefox when it cannot find a client certificate to send the server. In my case the client certificate I had installed expired a couple days ago (which is why it used to work) and so Firefox was not sending it to the server and was thus getting that response.
Generating a new client certificate and loading it into Firefox resolved the issue.
I was able reproduce the error later on by selecting "Cancel" when Firefox asks me what client certificate to use.
I am not sure if it's Tomcat giving the weird SSL response of if it's Firefox not able to understand what's going on but I hope this answer helps others facing this issue in the future.
I am trying to access an HTTPS page using a 11.3 version Ipad. The server certificates are signed by a custom CA, and thus, it causes Safari to show the "untrusted site" message. But if I install the CA certificates profile, and mark it as a trusted CA, when I try to hit the same pages, Safari goes all berserk constantly reloading the page 200 times a minute without actually showing the page. This isn't a constant behavior, the same tablet may work for some addresses and not for other ones (both using the same CA signing certs).
Is anybody aware of any known issues on Safari regarding non-bundle CA certificates?
We are also using non default ports (non 443) for the HTTPS server, in case this is of some significance.
I have little to none knowledge about ipad and safari, is there any way to get safari logs from the ipad?
Thank you!
After some deep digging in Wireshark traces, I found a difference in the SSL handshake between a server where safari was behaving as expected, and a server where the same safari was behaving erratically.
The working connection looked like:
And the non working one:
I took a deep dive into the Server Hello and find a slight difference:
Working:
Non working:
The server on the working scenario was providing two of the certificates in the signing chain, while the other server was providing only the server certificate. Seems that Safari does not like the last one.
I modified the server configuration to provide also the issuer cert in the cert chain and the bad server started to work fine.
I have a website using tls1.2,1.1 and 1.0(ssllabs) . I am using websense proxy to access it. Have enabled tls1.1 and tls1.2 on the WCG. I am still getting Peer disconnected error. The website worked once and is giving the error randomly. I have websense 8 and the URL in question is https://rem2.piiapps.com/site/login. It works fine with websense 7. I dont have a ssl bypass option due to security restrictions. Sometimes the browser indicates that the certificate is broken and sometimes it is healthy.
I did some analysis and found that this URL was using a real time communication protocol which is not supported by deafult in websense. It has to be tunneled in the incident list.
On a customer's internal network, I can make a request to my SSL site using IE6 SP1 (on Win2K) and see one cert validation requests, but if I use IE6 SP2 (on XP) 13 separate cert validation requests get fired off. Needless to say, this slows down my page load a lot.
Firefox loads the page just fine with no unnecessary cert validation requests.
The server is Apache running a pretty new lampp stack. All the server certificate / CA chain configurations seem to be fine (users can authenticate w/ trusted certs, the system can communicate to other systems with that server cert, etc.)
Is there anything I can do from a configuration standpoint? Any other ideas at all?
I'm guessing that "upgrade IE" is off the table, right? You're probably trying to find a way to support IE 6.0, SP2, with XP, so your users can use this version.
OK... one thought is trying to mess with the SSL configuration. As I remember, SSL has a number of settings that can be used and perhaps you can change one of them on your server and get a different behavior. It might be worth it to research what's happening during the SSL Handshake on the working and not-working versions of IE 6.0. I favor Ethereal, a free network traffic watching tool that will capture the SSL. It can't decrypt it easily, but you can at least see the first few messages that happen in the clear. It might give an inkling into why all these validation requests are coming in.