
Servers with TLSv1.3 get authType generic leads to connection failure

Open appcoders opened this issue 4 years ago • 6 comments

On a server with nginx and

ssl-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-protocols TLSv1.2 TLSv1.3

the authType here

https://github.com/Countly/countly-sdk-android/blob/0183e779d641f5575105f12679ab59c40e171652/sdk/src/main/java/ly/count/android/sdk/CertificateTrustManager.java#L65

gets GENERIC as value, and so it fails to proceed.

Expected Behavior

Working TLSv1.3 support

Current Behavior

Failure to test trust successfully

Fix

Add GENERIC as valid value to condition

Your Environment

Server with TLSv1.3 support:

- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=xxxx', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04e9144a791109259cb796a9f14c167d08c4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-10-01 14:09:11 UTC', expires `2021-12-30 14:09:10 UTC', pin-sha256="kXQROHwb/fw4tN6SKZYOyuUESd13exPRf0Bjk+AC3y4="
	Public Key ID:
		sha1:f93e26e75fbc8c8951fc49a0a24c4dddea18eeb1
		sha256:917411387c1bfdfc38b4de9229960ecae50449dd777b13d17f406393e002df2e
	Public Key PIN:
		pin-sha256:kXQROHwb/fw4tN6SKZYOyuUESd13exPRf0Bjk+AC3y4=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

Server with TLSv1.3 support disabled:

- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=xxxxx', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04e9144a791109259cb796a9f14c167d08c4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-10-01 14:09:11 UTC', expires `2021-12-30 14:09:10 UTC', pin-sha256="kXQROHwb/fw4tN6SKZYOyuUESd13exPRf0Bjk+AC3y4="
	Public Key ID:
		sha1:f93e26e75fbc8c8951fc49a0a24c4dddea18eeb1
		sha256:917411387c1bfdfc38b4de9229960ecae50449dd777b13d17f406393e002df2e
	Public Key PIN:
		pin-sha256:kXQROHwb/fw4tN6SKZYOyuUESd13exPRf0Bjk+AC3y4=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description: (TLS1.2-X.509)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
- Session ID: 42:8F:A4:4D:C4:9E:1E:42:67:56:0E:20:19:94:62:C2:D0:51:A0:1D:B8:73:B9:AC:F2:E7:4E:E6:DC:60:CC:C9
- Options: extended master secret, safe renegotiation,
- Handshake was completed


appcoders avatar Oct 11 '21 14:10 appcoders

Hello, could you show your init code? Are you using certificate pinning?

ArtursKadikis avatar Oct 11 '21 15:10 ArtursKadikis

Hi @ArtursKadikis,

yes we are using certificate pinning.


    Countly
        .enablePublicKeyPinning(
            listOf(
                "MIIFYzCCBEugAwIBAgISA5C9MuEFXrvOBpA2fAiO1mRyMA0GCSqGSIb3DQEBCwUA" +
                .......
            )
        )
        .init(
            context,
            serverUrl,
            appKey,
            managementAPI.uniqueDeviceID()
        )

appcoders avatar Oct 12 '21 06:10 appcoders

Any news? We would like to update our server back to TLSv1.3

appcoders avatar Nov 14 '21 13:11 appcoders

@ArtursKadikis Any news? Thanks.

appcoders avatar Dec 03 '21 14:12 appcoders

Hello, sorry for taking so long to respond. I could verify this issue. Currently the best fix seems to be removing the authType check. The fix can be found in the commit #fe31c83

It will be released as part of the next release.

ArtursKadikis avatar Dec 06 '21 18:12 ArtursKadikis
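
An added example, not part of the thread and not Countly's code: a pinning trust manager whose decision never depends on `authType`, so a TLS 1.3 handshake that reports `GENERIC` is checked the same way as a TLS 1.2 one. The class name `SpkiPinTrustManager` and the use of `java.util.Base64` (JDK 8+, Android API 26+) are assumptions; the pins are the same base64 SHA-256 public-key values that appear as `pin-sha256` in the environment output above.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class for illustration; not Countly's CertificateTrustManager.
public final class SpkiPinTrustManager implements X509TrustManager {
    private final Set<String> pins;          // base64(SHA-256(SubjectPublicKeyInfo))
    private final X509TrustManager platform; // default chain and expiry validation
    public SpkiPinTrustManager(Set<String> pins) throws Exception {
        this.pins = pins;
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        platform = found;
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
        // TLS 1.3 suites do not name an authentication algorithm, so authType can be
        // "GENERIC" (as in this issue). Pass it through; never compare it to "RSA" etc.
        platform.checkServerTrusted(chain, authType);
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (X509Certificate cert : chain) {
                byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
                if (pins.contains(Base64.getEncoder().encodeToString(sha256.digest(spki)))) return;
            }
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        throw new CertificateException("no certificate in the chain matches a pinned key");
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { throw new CertificateException("client auth unsupported"); }
    @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
}
```

Because the pin is computed over the public key rather than the whole certificate, it survives a renewal that keeps the same key pair.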

thanks @ArtursKadikis

appcoders avatar Dec 07 '21 10:12 appcoders