Titanium SDK/CLI: TIMOB-26992

Android: HTTPClient may use SSLv3 by default on Android 4.x when it shouldn't

    Details

    • Story Points:
      13

      Description

      Summary:
      Titanium's HTTPClient is internally coded to always disable the SSLv3 protocol and only support TLS 1.0 and higher protocols for "https://" communications. This is because SSLv3 is no longer considered secure as of 2014.
      https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

      Unfortunately, there is a bug on Google's end where Android 4.4 and older OS versions will ignore our TLS settings in Java and default to the SSLv3 protocol instead. This can cause communication errors, because modern web servers typically reject SSLv3 requests with an error since the protocol is not considered secure.

      The Android bug report can be found here...
      https://issuetracker.google.com/issues/37008635

      Steps to reproduce:

      1. Acquire an Android 4.4 device.
      2. Make sure the device has Internet access.
      3. Build and run with the below code.
      4. Tap on the "HTTP Get" button.
      5. Notice an "SSLProtocolException" error is displayed on screen.
      6. Run the app on Android 5.0 or newer device.
      7. After tapping on "HTTP Get", notice that a valid HTTP response is displayed onscreen.

      var window = Ti.UI.createWindow();
      var scrollView = Ti.UI.createScrollView({
      	width: Ti.UI.FILL,
      	height: Ti.UI.FILL,
      });
      var label = Ti.UI.createLabel({
      	width: Ti.UI.FILL,
      	height: Ti.UI.SIZE,
      });
      scrollView.add(label);
      window.add(scrollView);
      var button = Ti.UI.createButton({
      	title: "HTTP Get",
      	bottom: "10dp",
      	right: "10dp",
      });
      button.addEventListener("click", function(e) {
      	var httpClient = Ti.Network.createHTTPClient({
      		onload: function(e) {
      			label.text = httpClient.responseText;
      			button.enabled = true;
      		},
      		onerror: function(e) {
      			var message = e.error;
      			if (!message) {
      				message = "Unknown error occurred.";
      			}
      			label.text = message;
      			button.enabled = true;
      		},
      	});
      	label.text = "Fetching...";
      	button.enabled = false;
      	httpClient.open("GET", "https://www.nasa.gov");
      	httpClient.send();
      });
      window.add(button);
      window.open();
      

      Result:
      The following SSLv3 error gets logged when running on Android 5.1 and older OS versions.

      [ERROR] :  TiHTTPClient: (TiHttpClient-1) [8913,9013] HTTP Error (javax.net.ssl.SSLHandshakeException): javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x76d92718: Failure in SSL library, usually a protocol error
      [ERROR] :  TiHTTPClient: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x733bdd74:0x00000000)
      [ERROR] :  TiHTTPClient: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x76d92718: Failure in SSL library, usually a protocol error
      [ERROR] :  TiHTTPClient: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x733bdd74:0x00000000)
      [ERROR] :  TiHTTPClient: 	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:448)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.Connection.upgradeToTls(Connection.java:146)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.Connection.connect(Connection.java:107)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:294)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.internal.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:206)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:345)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:296)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:503)
      [ERROR] :  TiHTTPClient: 	at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:136)
      [ERROR] :  TiHTTPClient: 	at ti.modules.titanium.network.TiHTTPClient$ClientRunnable.run(TiHTTPClient.java:1319)
      [ERROR] :  TiHTTPClient: 	at java.lang.Thread.run(Thread.java:841)
      [ERROR] :  TiHTTPClient: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x76d92718: Failure in SSL library, usually a protocol error
      [ERROR] :  TiHTTPClient: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x733bdd74:0x00000000)
      [ERROR] :  TiHTTPClient: 	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
      [ERROR] :  TiHTTPClient: 	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
      

      Work-around:
      The simplest solution is to change the app's minimum supported Android version to 5.0 (API Level 21). This can be done by adding the following to the "tiapp.xml" file.

      <?xml version="1.0" encoding="UTF-8"?>
      <ti:app xmlns:ti="http://ti.appcelerator.org">
      	<android xmlns:android="http://schemas.android.com/apk/res/android">
      		<manifest>
      			<uses-sdk android:minSdkVersion="21"/>
      		</manifest>
      	</android>
      </ti:app>
      

      Alternatively, this can be worked around server side by allowing the SSLv3 protocol, but this is not advised since this protocol is not considered secure.

      Unfortunately, setting the HTTPClient "tlsVersion" property will not work since Android 4.4 and older OS versions may ignore this setting and use SSLv3 instead, which is the bug on Google's end that this ticket is about.
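Two small app-side checks related to this ticket, as an added example written for this page rather than code from the ticket or from the Titanium SDK. The first classifies an HTTPClient onerror message using the exception names and the "sslv3 alert handshake failure" text from the log above, combined with the device API level, so the app can show a specific message on Android 4.x instead of the raw exception (the wording of that message is constructed here). The second reads android:minSdkVersion out of a tiapp.xml string and reports whether the minSdkVersion 21 workaround is in place, which a build script can use as a pre-flight check. Ti.Platform.osname, Ti.Platform.Android.API_LEVEL, Ti.API and Ti.Network.createHTTPClient are existing Titanium APIs; the block only calls them when it runs inside a Titanium app, and the sample tiapp.xml it carries is constructed.

```javascript
// Added example for TIMOB-26992; not part of the ticket or the Titanium SDK.
// 1. isLegacyAndroidTlsFailure(): recognise the Android 4.x SSLv3 handshake
//    failure from an HTTPClient onerror message plus the device API level.
// 2. tiappAllowsLegacyAndroid(): check whether a tiapp.xml still permits
//    installs below API level 21, i.e. whether the ticket's workaround is missing.
"use strict";

// API level 21 is Android 5.0, the first version the ticket reports as working.
var FIRST_GOOD_API_LEVEL = 21;

// Substrings taken from the ticket's [ERROR] log lines. Plain strings, so
// regex metacharacters in exception text cannot affect the match.
var SSL_FAILURE_SIGNATURES = [
  "javax.net.ssl.SSLProtocolException",
  "javax.net.ssl.SSLHandshakeException",
  "sslv3 alert handshake failure"
];

function looksLikeSslHandshakeFailure(message) {
  if (typeof message !== "string") {
    return false;
  }
  var lower = message.toLowerCase();
  return SSL_FAILURE_SIGNATURES.some(function (sig) {
    return lower.indexOf(sig.toLowerCase()) !== -1;
  });
}

// True only when all three hold: running on Android, OS older than 5.0,
// and the error text is one of the SSL handshake failures from the ticket.
function isLegacyAndroidTlsFailure(osname, apiLevel, message) {
  return osname === "android" &&
    typeof apiLevel === "number" && apiLevel < FIRST_GOOD_API_LEVEL &&
    looksLikeSslHandshakeFailure(message);
}

// Text to show the user instead of the raw exception (message wording is
// constructed for this example).
function describeHttpError(osname, apiLevel, message) {
  if (isLegacyAndroidTlsFailure(osname, apiLevel, message)) {
    return "Secure connection failed: this Android version (API " + apiLevel +
      ") may negotiate SSLv3, which the server rejects. Android 5.0 or newer is required.";
  }
  return message || "Unknown error occurred.";
}

// Extracts android:minSdkVersion from a tiapp.xml string; null when absent
// (Titanium then applies its own default). A regex is enough for this one
// attribute on a <uses-sdk> element.
function readMinSdkVersion(tiappXml) {
  var match = /<uses-sdk\b[^>]*\bandroid:minSdkVersion\s*=\s*"(\d+)"/.exec(tiappXml);
  return match ? parseInt(match[1], 10) : null;
}

// True when the project can still be installed on Android 4.x, meaning the
// ticket's minSdkVersion 21 workaround has not been applied.
function tiappAllowsLegacyAndroid(tiappXml) {
  var minSdk = readMinSdkVersion(tiappXml);
  return minSdk === null || minSdk < FIRST_GOOD_API_LEVEL;
}

// Constructed sample tiapp.xml with the workaround from the ticket applied.
var SAMPLE_TIAPP_WITH_WORKAROUND =
  '<?xml version="1.0" encoding="UTF-8"?>\n' +
  '<ti:app xmlns:ti="http://ti.appcelerator.org">\n' +
  '  <android xmlns:android="http://schemas.android.com/apk/res/android">\n' +
  '    <manifest>\n' +
  '      <uses-sdk android:minSdkVersion="21"/>\n' +
  '    </manifest>\n' +
  '  </android>\n' +
  '</ti:app>\n';

// Titanium glue: only runs inside a Titanium app, where Ti is defined.
if (typeof Ti !== "undefined") {
  var osname = Ti.Platform.osname;
  var apiLevel = (osname === "android") ? Ti.Platform.Android.API_LEVEL : null;
  var client = Ti.Network.createHTTPClient({
    onload: function () { Ti.API.info(client.responseText); },
    onerror: function (e) {
      Ti.API.error(describeHttpError(osname, apiLevel, e.error));
    }
  });
  client.open("GET", "https://www.nasa.gov");
  client.send();
}
```

Run the build-time check against the project's real tiapp.xml contents rather than the sample; in the app, the only change from the ticket's repro code is that onerror passes e.error through describeHttpError before displaying it.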

              People

              • Assignee: jquick (Joshua Quick)
              • Reporter: jquick (Joshua Quick)