Closed Bug 717691 Opened 13 years ago Closed 12 years ago

Android SDK r8 OpenSSL and certificate annoyances

Categories

(Firefox for Android Graveyard :: Android Sync, defect, P2)

Product:
Firefox for Android Graveyard
Component:
Android Sync
Platform:
ARM
Android
Type:
defect

Tracking

(firefox11 verified, fennec+)

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox11 --- verified
fennec + ---

People

(Reporter: liuche, Assigned: rnewman, NeedInfo)

References

Details

Attachments

(4 files)

Fatal exception during manual account creation, on SDK 8.
3.67 KB, text/plain
Details
"Protocol SSL_RSA_WITH_RC4_128_SHA is not supported" erro
3.17 KB, text/plain
Details
log of try build from comment 15
75.29 KB, text/plain
Details
Built-in Android 2.2 browser cert exception
114.43 KB, image/png
Details 
Android Sync crashes on 2.2.2 device, log attached. 

SDK apparently does not contain some Arrays methods, or Editor.apply method.

Changing Android project build target to SDK 8 shows errors in project.
What about Editor.commit? We probably want synchronous commits anyway.

copyOf might just require the second argument, judging by the stack trace.
Assignee: nobody → liuche
Status: NEW → ASSIGNED
OS: Mac OS X → Android
Hardware: x86 → ARM
Crashes Sync app on a device running r8. It sounds like not much testing has been done on older devices.
(In reply to Chenxia Liu [:liuche] from comment #2)
> Created attachment 588490 [details]
> "Protocol SSL_RSA_WITH_RC4_128_SHA is not supported" erro
> 
> Crashes Sync app on a device running r8. It sounds like not much testing has
> been done on older devices.

I haven't done *any* testing on devices before 2.3.4.

We can see if things work by not specifying a cipher in our TLSSocketFactory, but other than that I'm not sure of the solution.
Blocks: 709341
Priority: -- → P2
Blocks: 718493
tracking-fennec: --- → ?
tracking-fennec: ? → +
Tony, could you run

  http://people.mozilla.com/~rnewman/bugs/717691/CipherTest.apk

on a 2.2 device, and post the `adb logcat` output? It should be a list of CIPHER lines.

Chenxia, if you have a 2.2 device and see this first, please feel free to dive in :)

Thanks!
Keywords: qawanted
My experiments with a 2.2 emulator suggest that it's returning the wrong cipher suite names. It's *supposed* to return the spec name (according to <http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#PLUG>), e.g.,

  SSL_RSA_WITH_RC4_128_SHA

but instead it returns the OpenSSL name:

  RC4-SHA

The values passed to setEnabledCipherSuiteNames must be a subset of the values returned by getEnabledCipherSuiteNames, or the IllegalArgumentException that we see in the log will be thrown. This of course puts us in a quandary, because we can't specify equivalent values from two disjoint sets.

(Of course, 2.2's list is also shorter than 4.0's: <https://gist.github.com/1653596>)

My proposed solution is to *attempt* to set the cipher list, and otherwise roll merrily on with the default and hope that it works.
… and here's a try build.

  https://tbpl.mozilla.org/?tree=Try&rev=c2eb636eb334
  http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/rnewman@mozilla.com-c2eb636eb334

Tony or Tracy, could you give this a look when it's done building?
sure, i'll try and track down a 2.2 device this weekend.   If not, i can't get to this until monday when i get back to office.
I have a 2.2 device. What would I need to do to verify this?
Martijn: install the APK from the second link, tap Firefox Sync, and see if you see the twelve character setup code. 
thanks!
I see the see the twelve character setup code, but I'm not seeing any characters, just the dots. Not sure if that is expected.
This was tested on the LG Optimus Black, using Android 2.2.2, btw.
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #11)
> I see the see the twelve character setup code, but I'm not seeing any
> characters, just the dots. Not sure if that is expected.

what does logcat say?  you should see something like this if you're actually generating a code:

01-21 16:30:35.733: DEBUG/JPakeClient(3685): Uploading message.
01-21 16:30:35.733: DEBUG/JPakeRequest(3685): new URI: https://setup.services.mozilla.com/fb2f
01-21 16:30:35.748: INFO/BaseResource(3685): HTTP PUT https://setup.services.mozilla.com/fb2f

where "/fb2f" is the last row of the code.   Else if nothing, i bet you see something like:

01-21 16:32:49.988: DEBUG/JPakeRequest(3685): new URI: https://setup.services.mozilla.com/new_channel
01-21 16:32:49.988: INFO/BaseResource(3685): HTTP GET https://setup.services.mozilla.com/new_channel
(In reply to Tony Chung [:tchung] from comment #13)
> (In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #11)
> > I see the see the twelve character setup code, but I'm not seeing any
> > characters, just the dots. Not sure if that is expected.
> 
> what does logcat say?

Martijn had provided me the log privately. Now we get back to the original exception that caused this code to exist in the first place:

JPakeClient(8668): HttpIOException
JPakeClient(8668): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
JPakeClient(8668): at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:257)
JPakeClient(8668): at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
JPakeClient(8668): at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:818)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:752)
JPakeClient(8668): at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:204)
JPakeClient(8668): at org.mozilla.gecko.sync.net.BaseResource.go(BaseResource.java:228)
JPakeClient(8668): at org.mozilla.gecko.sync.net.BaseResource.get(BaseResource.java:234)
JPakeClient(8668): at org.mozilla.gecko.sync.jpake.JPakeRequest.get(JPakeRequest.java:68)
JPakeClient(8668): at org.mozilla.gecko.sync.jpake.JPakeClient.getChannel(JPakeClient.java:250)
JPakeClient(8668): at org.mozilla.gecko.sync.jpake.JPakeClient.access$100(JPakeClient.java:78)
JPakeClient(8668): at org.mozilla.gecko.sync.jpake.JPakeClient$1.run(JPakeClient.java:180)
JPakeClient(8668): at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
JPakeClient(8668): at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
JPakeClient(8668): at java.util.concurrent.FutureTask.run(FutureTask.java:137)
JPakeClient(8668): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1068)
JPakeClient(8668): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:561)
JPakeClient(8668): at java.lang.Thread.run(Thread.java:1096)
JPakeClient(8668): Failed on GetChannel.
New catlog of try build from comment 15.
The problem now is that Android 2.2 and earlier don't support the GeoTrust CA that we use for *.services.m.c.

That means the crypto half of this bug *is* fixed.

See:

  http://code.google.com/p/android/issues/detail?id=10807
  http://code.google.com/p/android/issues/detail?id=1946
  http://www.geocerts.com/support/cross_root

There are possible workarounds:

  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1425
  https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426

The only real solution client-side is to ship Android Sync with a newer .bks format keystore, including a modern set of certificates. This is a bigger kettle of fish than I'd like to fry.

(The crappy solutions are "trust all certs!", or "embed our cert in code!". I don't want to consider either of those.)
As you can see, you can get a certificate issue just by using the built-in browser on older Android versions.
atoll, do you have any response to Comment 17 or Comment 18, or any idea of better people to ask about our certificate chains and addressing this issue?
Assignee: liuche → rnewman
Keywords: qawanted
Summary: Android SDK r8 not compatible with sync.crypto and gecko.sync → Android SDK r8 OpenSSL and certificate annoyances
Hypothesis: mw22, if you open 

  https://auth.services.mozilla.com

with that last build, and get a certificate warning popup, is there a way to add the certificate to some trusted list? (Probably View Certificate > Trust or somesuch.)

If so, do you then see the J-PAKE setup code if you launch the Sync setup wizard?
Crypto part fixed:

https://github.com/mozilla-services/android-sync/commit/3ecff39e0aa015536e00c154c68d6f861a8d4003

Filed Bug 720471 to address initial comment (!).

Now addressing cert stuff.
(In reply to Richard Newman [:rnewman] from comment #17)
> The problem now is that Android 2.2 and earlier don't support the GeoTrust
> CA that we use for *.services.m.c.

>   http://www.geocerts.com/support/cross_root

Cross root intermediate added to stage Zeus.  Waiting for dev and QA confirmation that things still work.

Things to test: Android 2.2, 2.3, 3.0, 4.0 stock browser to https://stage-auth.s.m.c/

rnewman confirms fixed on Android 2.2 stock, atoll confirms working on Android 3.3 stock

Things to test: Firefox 5, 9+

atoll confirms working on Aurora 11.0a2
3.1 stock 404's  (no cert warning)
Depends on: 720478
(In reply to Richard Soderberg [:atoll] from comment #22)
> Things to test: Android 2.2, 2.3, 3.0, 4.0 stock browser to
> https://stage-auth.s.m.c/
> 

Confirmed Galaxy Nexus 4.0.2 syncs with https://stage-auth.services.mozilla.com
(In reply to Richard Newman [:rnewman] from comment #20)
> Hypothesis: mw22, if you open 
> 
>   https://auth.services.mozilla.com
> 
> with that last build, and get a certificate warning popup, is there a way to
> add the certificate to some trusted list? (Probably View Certificate > Trust
> or somesuch.)

I didn't get a certificate warning popup at all. I did see one in the stock browser, when I first visited, but after that not anymore.
Blocks: 720933
Could someone with a 2.2 device test this:

http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/rnewman@mozilla.com-5337493d509d/try-android/

and let me know if you see a J-PAKE setup code?
Yeah, with that build I see the J-PAKE setup code.
Thanks Martijn!

OK, so with my fix (in develop, due to land soon in m-c; see Comment 21) and the cert change in Bug 720478, this is done.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
status-firefox11: --- → fixed
verified with Fx 11 and 12 on 2.2
Status: RESOLVED → VERIFIED
status-firefox11: fixedverified
Product: Mozilla Services → Android Background Services
See Also: → 883915
Comment on attachment 588115 [details]
Fatal exception during manual account creation, on SDK 8.

>01-12 11:05:18.815: D/SyncAuthenticatorService(31516): onCreate
>01-12 11:05:18.825: D/SyncAuthenticatorService(31516): getAuthToken()
>01-12 11:05:18.825: D/SyncAuthenticatorService(31516): AccountManager.get(org.mozilla.gecko.sync.setup.SyncAuthenticatorService@3274b3a8)
>01-12 11:05:18.835: I/rnewman(31516): Account vjvv hashes to vjvv
>01-12 11:05:18.835: I/rnewman(31516): Setting Sync Key to fkcv
>01-12 11:05:18.835: D/NotificationManager(185): android: cancel(3)
>01-12 11:05:18.915: D/NotificationManager(185): android: cancel(3)
>01-12 11:05:18.925: I/SyncAdapter(31516): AccountManagerCallback invoked.
>01-12 11:05:18.925: D/SyncAdapter(31516): Username: vjvv
>01-12 11:05:18.925: D/SyncAdapter(31516): Server:   https://setup.services.mozilla.com/
>01-12 11:05:18.925: D/SyncAdapter(31516): Password? true
>01-12 11:05:18.925: D/SyncAdapter(31516): Key?      true
>01-12 11:05:18.935: W/dalvikvm(31516): VFY: unable to resolve static method 3554: Ljava/util/Arrays;.copyOf ([BI)[B
>01-12 11:05:18.955: W/dalvikvm(31516): VFY: unable to resolve static method 3555: Ljava/util/Arrays;.copyOfRange ([BII)[B
>01-12 11:05:18.975: W/dalvikvm(31516): threadid=1: thread exiting with uncaught exception (group=0x2aac87d8)
>01-12 11:05:18.975: E/AndroidRuntime(31516): Uncaught handler: thread main exiting due to uncaught exception
>01-12 11:05:18.985: I/global(31516): Default buffer size used in BufferedWriter constructor. It would be better to be explicit if an 8k-char buffer is required.
>01-12 11:05:18.995: E/AndroidRuntime(31516): FATAL EXCEPTION: main
>01-12 11:05:18.995: E/AndroidRuntime(31516): java.lang.NoSuchMethodError: java.util.Arrays.copyOf
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at org.mozilla.gecko.sync.Utils.concatAll(Utils.java:118)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at org.mozilla.gecko.sync.crypto.KeyBundle.<init>(KeyBundle.java:110)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at org.mozilla.gecko.sync.syncadapter.SyncAdapter$1.run(SyncAdapter.java:273)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at android.accounts.AccountManager$10.run(AccountManager.java:1134)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at android.os.Handler.handleCallback(Handler.java:587)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at android.os.Handler.dispatchMessage(Handler.java:92)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at android.os.Looper.loop(Looper.java:123)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at android.app.ActivityThread.main(ActivityThread.java:4627)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at java.lang.reflect.Method.invokeNative(Native Method)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at java.lang.reflect.Method.invoke(Method.java:521)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:860)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:618)
>01-12 11:05:18.995: E/AndroidRuntime(31516): 	at dalvik.system.NativeStart.main(Native Method)
>01-12 11:05:19.005: I/global(31516): Default buffer size used in BufferedWriter constructor. It would be better to be explicit if an 8k-char buffer is required.
>01-12 11:05:19.015: I/global(31516): Default buffer size used in BufferedReader constructor. It would be better to be explicit if an 8k-char buffer is required.
>01-12 11:05:19.015: W/System.err(31516): java.io.FileNotFoundException: /data/plog.log (Permission denied)
>01-12 11:05:19.025: W/ActivityManager(185):   Force finishing activity org.mozilla.gecko/.sync.setup.activities.SetupSyncActivity
>01-12 11:05:19.533: W/ActivityManager(185): Activity pause timeout for HistoryRecord{32bb5828 org.mozilla.gecko/.sync.setup.activities.SetupSyncActivity}
> >01-12 11:05:18.995: E/AndroidRuntime(31516): java.lang.NoSuchMethodError: java.util.Arrays.copyOf

This is an API r9 addition, but it's no longer in our source code.  What version of Firefox are you using?  This might be as simple as upgrading.

I'm not seeing this in current Release (Firefox 23) or current Beta (Firefox 24):

http://hg.mozilla.org/releases/mozilla-release/file/2ad6831ca95e/mobile/android/base/sync/Utils.java
http://hg.mozilla.org/releases/mozilla-beta/file/b2beae751b6e/mobile/android/base/sync/Utils.java
Flags: needinfo?(abhiram1202)
Product: Android Background Services → Firefox for Android
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: