
Frequent SSL errors after connecting to Element X

Open mackerel225 opened this issue 4 months ago • 0 comments

Steps to reproduce

  1. Where are you starting? What can you see? Element X Main Chat Page. I can see two 1:1 rooms with 2 different users

  2. What do you click? Click on either room and start video calling. The error appears in logs

  3. More steps…

Outcome

What did you expect?

No SSL errors appearing since we already configured our certificates. Yes we can login to our server, but there are errors in logs.

What happened instead?

SSL Errors appear

More details

  • Without Root CA installed on Android device
    • When specifying account provider https://<YOUR_SYNAPSE_SERVER>.lan:1234, we get our standard "We couldn't reach this homeserver". This is expected (the message could be worded better, as it's an HTTPS issue)
  • With Root CA installed on Android device
    • When specifying account provider https://<YOUR_SYNAPSE_SERVER>.lan:1234, we can successfully connect. This is expected
    • When you navigate around the app, primarily if you go and attempt a video call, we get SSL errors: 10-08 14:17:15.909 24322 24603 E chromium: [ERROR:ssl_client_socket_impl.cc(882)] handshake failed; returned -1, SSL error code 1, net_error -202
    • Often the error is accompanied by 10-08 14:17:15.908 24322 24594 I cr_X509Util: Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found., and sometimes it is not.

See attached logs file for more details

Considerations:

  • Synapse server is isolated from outside Internet, can only be accessed via LAN
  • Synapse server is reachable through reverse proxy. Flow: LAN[Android(Element X) -> Router -> Server(Nginx -> Synapse)]
  • Self-signed certificates created: Root CA cert & Server cert
  • Root CA distributed to Android device
  • For nginx configuration I have attempted to use both:
    • Server.cert & server.key
    • fullchain.cert(Root CA cert & Server cert) & server.key
  • I have verified the server certificate from another computer by issuing openssl s_client -connect <synapse_server>.lan:1234 -showcerts. Below is the certificate response.

openssl s_client -connect <synapse_server>.lan:1234 -showcerts output:

Connecting to <synapse_server>
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C=<.....>, ST=<.....>, L=<.....>, O=<.....>CA, OU=<.....>CAUnit, CN=W<.....>
verify return:1
depth=0 C=<.....>, ST=<.....>, L=<.....>, O=<.....>Server, OU=<.....>Server, CN=<.....>
verify return:1
---
Certificate chain
 0 s:C=<.....>, ST=<.....>, L=<.....>, O=<.....>Server, OU=<.....>Server, CN=<.....>
   i:C=<.....>, ST=<.....>, L=<.....>, O=<.....>CA, OU=<.....>CAUnit, CN=<.....>
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  8 12:16:26 2024 GMT; NotAfter: Oct  8 12:16:26 2025 GMT
-----BEGIN CERTIFICATE-----
<.....>
-----END CERTIFICATE-----
 1 s:C=<.....>, ST=<.....>, L=<.....>, O=<.....>CA, OU=<.....>CAUnit, CN=<.....>
   i:C=<.....>, ST=<.....>, L=<.....>, O=<.....>CA, OU=<.....>CAUnit, CN=<.....>
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  7 20:59:43 2024 GMT; NotAfter: Oct  5 20:59:43 2034 GMT
-----BEGIN CERTIFICATE-----
<.....>
-----END CERTIFICATE-----
---
Server certificate
subject=C=<.....>, ST=<.....>, L=<.....>, O=<.....>Server, OU=<.....>Server, CN=<.....>
issuer=C=<.....>, ST=<.....>, L=<.....>, O=<.....>CA, OU=<.....>CAUnit, CN=<.....>
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3838 bytes and written 379 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: <.....>
    Session-ID-ctx: 
    Resumption PSK: <.....>
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - <.....>

    Start Time: 1728399584
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: <.....>
    Session-ID-ctx: 
    Resumption PSK: <.....>
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - <.....>

    Start Time: 1728399584
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Log file: elementx_exlog_https_on.txt

Your phone model

Pixel 9

Operating system version

Android 14.0

Application version and app store

Element X version 0.6.4

Homeserver

image: matrixdotorg/synapse:v1.115.0

Will you send logs?

Yes

Are you willing to provide a PR?

Yes

mackerel225 · Oct 08 '24 15:10
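The `openssl s_client -showcerts` output quoted in the issue above is a good place to check what a TLS client will actually see: whether the served chain is contiguous, whether the self-signed root is included (the fullchain case) or only the leaf is sent (the server.cert case), and whether the chain reaches a subject the client's trust store contains. The script below is an added example, not code from the issue or from Element X. It parses only the `s:`/`i:`/`v:` summary lines, compares distinguished names textually (a simplification of real path building, which also checks signatures and key identifiers), and runs on a constructed sample with placeholder DNs rather than on the issue's redacted output.

```python
"""Walk an `openssl s_client -showcerts` chain the way a client's trust store would.

Added example (not part of the issue or of Element X). DN strings are compared
textually, which is a simplification; the sample output is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample modelled on the issue's output: leaf plus self-signed root,
# i.e. what the server sends when configured with the fullchain file.
ROOT_DN = "C=XX, O=Example CA, CN=Example Root CA"
SAMPLE_FULLCHAIN = f"""\
Certificate chain
 0 s:C=XX, O=Example Server, CN=synapse.example.lan
   i:{ROOT_DN}
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  8 12:16:26 2024 GMT; NotAfter: Oct  8 12:16:26 2025 GMT
-----BEGIN CERTIFICATE-----
<placeholder>
-----END CERTIFICATE-----
 1 s:{ROOT_DN}
   i:{ROOT_DN}
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  7 20:59:43 2024 GMT; NotAfter: Oct  5 20:59:43 2034 GMT
-----BEGIN CERTIFICATE-----
<placeholder>
-----END CERTIFICATE-----
---
Server certificate
"""
# Same leaf, but the server sends only server.cert (no root in the chain).
SAMPLE_LEAF_ONLY = SAMPLE_FULLCHAIN.split(" 1 s:")[0] + "---\nServer certificate\n"
# Constructed "now" so the validity check is deterministic.
CHECK_TIME = datetime(2024, 10, 9, tzinfo=timezone.utc)

CERT_HEADER = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")
VALIDITY_LINE = re.compile(r"^\s*v:NotBefore: (.*?); NotAfter: (.*?)$")
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # strptime collapses the double space


@dataclass
class ChainCert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def parse_time(text: str) -> datetime:
    return datetime.strptime(text.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_showcerts(text: str) -> list[ChainCert]:
    """Collect subject, issuer and validity for each numbered chain entry."""
    certs: list[ChainCert] = []
    subject = issuer = None
    for line in text.splitlines():
        if m := CERT_HEADER.match(line):
            subject, issuer = m.group(2).strip(), None
        elif m := ISSUER_LINE.match(line):
            issuer = m.group(1).strip()
        elif (m := VALIDITY_LINE.match(line)) and subject and issuer:
            not_before, not_after = (parse_time(t) for t in m.groups())
            certs.append(ChainCert(subject, issuer, not_before, not_after))
            subject = issuer = None
    return certs


def trust_path(certs: list[ChainCert], trusted_anchors: set[str]) -> int | None:
    """Index of the first cert whose issuer is in the trust store, walking the
    served chain only while it stays contiguous. None is the situation the
    phone logs as 'Trust anchor for certification path not found'."""
    for k, cert in enumerate(certs):
        if cert.issuer in trusted_anchors:
            return k
        if k + 1 < len(certs) and certs[k + 1].subject != cert.issuer:
            break  # chain is broken; a client cannot walk any further
    return None


def analyze_chain(text: str, trusted_anchors: set[str], now: datetime) -> dict:
    certs = parse_showcerts(text)
    if not certs:
        raise ValueError("no 'Certificate chain' entries found in s_client output")
    return {
        "chain_length": len(certs),
        "contiguous": all(a.issuer == b.subject for a, b in zip(certs, certs[1:])),
        "root_included": certs[-1].self_signed,
        "trusted": trust_path(certs, trusted_anchors) is not None,
        "expired": [c.subject for c in certs if not c.not_before <= now <= c.not_after],
    }


if __name__ == "__main__":
    for label, output in (("fullchain", SAMPLE_FULLCHAIN), ("leaf only", SAMPLE_LEAF_ONLY)):
        for store in ({ROOT_DN}, set()):
            state = "root CA in store" if store else "root CA not in store"
            print(f"{label:10} {state:22} {analyze_chain(output, store, CHECK_TIME)}")
```

Two points the output makes concrete. First, with the root CA in the store both server configurations (fullchain and leaf-only) are trusted, because the client only needs one issuer in the chain to match a stored anchor; without it, neither is, whatever the server sends. Second, "Verification: OK" from a desktop `openssl` run reflects that computer's trust store, so a passing `s_client` check shows the server side is well-formed but says nothing about which store the TLS stack inside a particular app on the phone consults when it validates the same chain.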