Closed
Bug 717691
Opened 13 years ago
Closed 12 years ago
Android SDK r8 OpenSSL and certificate annoyances
Categories
(Firefox for Android Graveyard :: Android Sync, defect, P2)
Tracking
(firefox11 verified, fennec+)
VERIFIED
FIXED
People
(Reporter: liuche, Assigned: rnewman, NeedInfo)
References
Details
Attachments
(4 files)
Android Sync crashes on 2.2.2 device, log attached. SDK apparently does not contain some Arrays methods, or Editor.apply method. Changing Android project build target to SDK 8 shows errors in project.
Assignee
Comment 1•13 years ago
What about Editor.commit? We probably want synchronous commits anyway. copyOf might just require the second argument, judging by the stack trace.
Assignee: nobody → liuche
Status: NEW → ASSIGNED
OS: Mac OS X → Android
Hardware: x86 → ARM
Reporter
Comment 2•13 years ago
Crashes Sync app on a device running r8. It sounds like not much testing has been done on older devices.
Assignee
Comment 3•13 years ago
(In reply to Chenxia Liu [:liuche] from comment #2)
> Created attachment 588490 [details]
> "Protocol SSL_RSA_WITH_RC4_128_SHA is not supported" erro
>
> Crashes Sync app on a device running r8. It sounds like not much testing has
> been done on older devices.

I haven't done *any* testing on devices before 2.3.4. We can see if things work by not specifying a cipher in our TLSSocketFactory, but other than that I'm not sure of the solution.
Updated•12 years ago
tracking-fennec: --- → ?
Updated•12 years ago
tracking-fennec: ? → +
Assignee
Comment 5•12 years ago
Tony, could you run http://people.mozilla.com/~rnewman/bugs/717691/CipherTest.apk on a 2.2 device, and post the `adb logcat` output? It should be a list of CIPHER lines. Chenxia, if you have a 2.2 device and see this first, please feel free to dive in :) Thanks!
Keywords: qawanted
Assignee
Comment 6•12 years ago
My experiments with a 2.2 emulator suggest that it's returning the wrong cipher suite names. It's *supposed* to return the spec name (according to <http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#PLUG>), e.g.,

SSL_RSA_WITH_RC4_128_SHA

but instead it returns the OpenSSL name:

RC4-SHA

The values passed to setEnabledCipherSuiteNames must be a subset of the values returned by getEnabledCipherSuiteNames, or the IllegalArgumentException that we see in the log will be thrown.

This of course puts us in a quandary, because we can't specify equivalent values from two disjoint sets.

(Of course, 2.2's list is also shorter than 4.0's: <https://gist.github.com/1653596>)

My proposed solution is to *attempt* to set the cipher list, and otherwise roll merrily on with the default and hope that it works.
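Added example, not part of the bug thread or of the android-sync code: one way to implement the fallback proposed in comment 6 with the standard JSSE methods `getSupportedCipherSuites` and `setEnabledCipherSuites`. It goes one step beyond the comment by first intersecting the wanted names with what the platform reports; the class name `CipherFallback` and the helper `restrictCiphers` are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical class and helper names; not taken from android-sync.
public class CipherFallback {
    // Enable only the wanted suites that this platform reports as supported.
    // Returns true if the restriction was applied, false if the platform
    // defaults were left in place.
    static boolean restrictCiphers(SSLSocket socket, String[] wanted) {
        Set<String> supported =
            new HashSet<>(Arrays.asList(socket.getSupportedCipherSuites()));
        List<String> usable = new ArrayList<>();
        for (String name : wanted) {
            if (supported.contains(name)) {
                usable.add(name);
            }
        }
        if (usable.isEmpty()) {
            return false; // no name matched: keep the defaults
        }
        try {
            socket.setEnabledCipherSuites(usable.toArray(new String[0]));
            return true;
        } catch (IllegalArgumentException e) {
            return false; // provider rejected a name: keep the defaults
        }
    }

    public static void main(String[] args) throws IOException {
        // Both spellings of the suite quoted in comment 6 (JSSE, then OpenSSL).
        // RC4 suites were later prohibited by RFC 7465; pass your own list.
        String[] wanted = {"SSL_RSA_WITH_RC4_128_SHA", "RC4-SHA"};
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // An unconnected socket is enough to inspect and set suites offline.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            boolean applied = restrictCiphers(socket, wanted);
            System.out.println("restriction applied: " + applied);
            System.out.println(Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

A `false` return means the platform's default suite list is still enabled, so a caller that depends on a particular suite should log or check `getEnabledCipherSuites()` before connecting.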
Assignee
Comment 7•12 years ago
… and here's a try build.

https://tbpl.mozilla.org/?tree=Try&rev=c2eb636eb334
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/rnewman@mozilla.com-c2eb636eb334

Tony or Tracy, could you give this a look when it's done building?
Comment 8•12 years ago
sure, i'll try and track down a 2.2 device this weekend. If not, i can't get to this until monday when i get back to office.
Comment 9•12 years ago
I have a 2.2 device. What would I need to do to verify this?
Assignee
Comment 10•12 years ago
Martijn: install the APK from the second link, tap Firefox Sync, and see if you see the twelve character setup code. thanks!
Comment 11•12 years ago
I see the see the twelve character setup code, but I'm not seeing any characters, just the dots. Not sure if that is expected.
Comment 12•12 years ago
This was tested on the LG Optimus Black, using Android 2.2.2, btw.
Comment 13•12 years ago
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #11)
> I see the see the twelve character setup code, but I'm not seeing any
> characters, just the dots. Not sure if that is expected.

what does logcat say? you should see something like this if you're actually generating a code:

01-21 16:30:35.733: DEBUG/JPakeClient(3685): Uploading message.
01-21 16:30:35.733: DEBUG/JPakeRequest(3685): new URI: https://setup.services.mozilla.com/fb2f
01-21 16:30:35.748: INFO/BaseResource(3685): HTTP PUT https://setup.services.mozilla.com/fb2f

where "/fb2f" is the last row of the code.

Else if nothing, i bet you see something like:

01-21 16:32:49.988: DEBUG/JPakeRequest(3685): new URI: https://setup.services.mozilla.com/new_channel
01-21 16:32:49.988: INFO/BaseResource(3685): HTTP GET https://setup.services.mozilla.com/new_channel
Assignee
Comment 14•12 years ago
(In reply to Tony Chung [:tchung] from comment #13)
> (In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #11)
> > I see the see the twelve character setup code, but I'm not seeing any
> > characters, just the dots. Not sure if that is expected.
>
> what does logcat say?

Martijn had provided me the log privately. Now we get back to the original exception that caused this code to exist in the first place:

JPakeClient(8668): HttpIOException
JPakeClient(8668): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
JPakeClient(8668): at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:257)
JPakeClient(8668): at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
JPakeClient(8668): at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:818)
JPakeClient(8668): at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:752)
JPakeClient(8668): at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:204)
JPakeClient(8668): at org.mozilla.gecko.sync.net.BaseResource.go(BaseResource.java:228)
JPakeClient(8668): at org.mozilla.gecko.sync.net.BaseResource.get(BaseResource.java:234)
JPakeClient(8668): at org.mozilla.gecko.sync.jpake.JPakeRequest.get(JPakeRequest.java:68)
JPakeClient(8668): at org.mozilla.gecko.sync.jpake.JPakeClient.getChannel(JPakeClient.java:250)
JPakeClient(8668): at org.mozilla.gecko.sync.jpake.JPakeClient.access$100(JPakeClient.java:78)
JPakeClient(8668): at org.mozilla.gecko.sync.jpake.JPakeClient$1.run(JPakeClient.java:180)
JPakeClient(8668): at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
JPakeClient(8668): at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
JPakeClient(8668): at java.util.concurrent.FutureTask.run(FutureTask.java:137)
JPakeClient(8668): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1068)
JPakeClient(8668): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:561)
JPakeClient(8668): at java.lang.Thread.run(Thread.java:1096)
JPakeClient(8668): Failed on GetChannel.
Assignee
Comment 15•12 years ago
Trying again:

https://tbpl.mozilla.org/?tree=Try&rev=fde38c3888f5
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/rnewman@mozilla.com-fde38c3888f5
Comment 16•12 years ago
New catlog of try build from comment 15.
Assignee
Comment 17•12 years ago
The problem now is that Android 2.2 and earlier don't support the GeoTrust CA that we use for *.services.m.c. That means the crypto half of this bug *is* fixed.

See:

http://code.google.com/p/android/issues/detail?id=10807
http://code.google.com/p/android/issues/detail?id=1946
http://www.geocerts.com/support/cross_root

There are possible workarounds:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1425
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426

The only real solution client-side is to ship Android Sync with a newer .bks format keystore, including a modern set of certificates. This is a bigger kettle of fish than I'd like to fry.

(The crappy solutions are "trust all certs!", or "embed our cert in code!". I don't want to consider either of those.)
Assignee
Comment 18•12 years ago
As you can see, you can get a certificate issue just by using the built-in browser on older Android versions.
Assignee
Comment 19•12 years ago
atoll, do you have any response to Comment 17 or Comment 18, or any idea of better people to ask about our certificate chains and addressing this issue?
Assignee: liuche → rnewman
Keywords: qawanted
Assignee
Updated•12 years ago
Summary: Android SDK r8 not compatible with sync.crypto and gecko.sync → Android SDK r8 OpenSSL and certificate annoyances
Assignee
Comment 20•12 years ago
Hypothesis: mw22, if you open https://auth.services.mozilla.com with that last build, and get a certificate warning popup, is there a way to add the certificate to some trusted list? (Probably View Certificate > Trust or somesuch.) If so, do you then see the J-PAKE setup code if you launch the Sync setup wizard?
Assignee
Comment 21•12 years ago
Crypto part fixed:

https://github.com/mozilla-services/android-sync/commit/3ecff39e0aa015536e00c154c68d6f861a8d4003

Filed Bug 720471 to address initial comment (!).

Now addressing cert stuff.
Comment 22•12 years ago
(In reply to Richard Newman [:rnewman] from comment #17)
> The problem now is that Android 2.2 and earlier don't support the GeoTrust
> CA that we use for *.services.m.c.
> http://www.geocerts.com/support/cross_root

Cross root intermediate added to stage Zeus. Waiting for dev and QA confirmation that things still work.

Things to test: Android 2.2, 2.3, 3.0, 4.0 stock browser to https://stage-auth.s.m.c/
rnewman confirms fixed on Android 2.2 stock, atoll confirms working on Android 3.3 stock

Things to test: Firefox 5, 9+
atoll confirms working on Aurora 11.0a2
Comment 23•12 years ago
3.1 stock 404's (no cert warning)
Comment 24•12 years ago
(In reply to Richard Soderberg [:atoll] from comment #22)
> Things to test: Android 2.2, 2.3, 3.0, 4.0 stock browser to
> https://stage-auth.s.m.c/
>

Confirmed Galaxy Nexus 4.0.2 syncs with https://stage-auth.services.mozilla.com
Comment 25•12 years ago
(In reply to Richard Newman [:rnewman] from comment #20)
> Hypothesis: mw22, if you open
>
> https://auth.services.mozilla.com
>
> with that last build, and get a certificate warning popup, is there a way to
> add the certificate to some trusted list? (Probably View Certificate > Trust
> or somesuch.)

I didn't get a certificate warning popup at all. I did see one in the stock browser, when I first visited, but after that not anymore.
Assignee
Comment 26•12 years ago
Could someone with a 2.2 device test this:

http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/rnewman@mozilla.com-5337493d509d/try-android/

and let me know if you see a J-PAKE setup code?
Comment 27•12 years ago
Yeah, with that build I see the J-PAKE setup code.
Assignee
Comment 28•12 years ago
Thanks Martijn! OK, so with my fix (in develop, due to land soon in m-c; see Comment 21) and the cert change in Bug 720478, this is done.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee
Updated•12 years ago
status-firefox11: --- → fixed
Updated•11 years ago
Product: Mozilla Services → Android Background Services
Comment 30•11 years ago
Comment on attachment 588115 [details]
Fatal exception during manual account creation, on SDK 8.

>01-12 11:05:18.815: D/SyncAuthenticatorService(31516): onCreate
>01-12 11:05:18.825: D/SyncAuthenticatorService(31516): getAuthToken()
>01-12 11:05:18.825: D/SyncAuthenticatorService(31516): AccountManager.get(org.mozilla.gecko.sync.setup.SyncAuthenticatorService@3274b3a8)
>01-12 11:05:18.835: I/rnewman(31516): Account vjvv hashes to vjvv
>01-12 11:05:18.835: I/rnewman(31516): Setting Sync Key to fkcv
>01-12 11:05:18.835: D/NotificationManager(185): android: cancel(3)
>01-12 11:05:18.915: D/NotificationManager(185): android: cancel(3)
>01-12 11:05:18.925: I/SyncAdapter(31516): AccountManagerCallback invoked.
>01-12 11:05:18.925: D/SyncAdapter(31516): Username: vjvv
>01-12 11:05:18.925: D/SyncAdapter(31516): Server: https://setup.services.mozilla.com/
>01-12 11:05:18.925: D/SyncAdapter(31516): Password? true
>01-12 11:05:18.925: D/SyncAdapter(31516): Key? true
>01-12 11:05:18.935: W/dalvikvm(31516): VFY: unable to resolve static method 3554: Ljava/util/Arrays;.copyOf ([BI)[B
>01-12 11:05:18.955: W/dalvikvm(31516): VFY: unable to resolve static method 3555: Ljava/util/Arrays;.copyOfRange ([BII)[B
>01-12 11:05:18.975: W/dalvikvm(31516): threadid=1: thread exiting with uncaught exception (group=0x2aac87d8)
>01-12 11:05:18.975: E/AndroidRuntime(31516): Uncaught handler: thread main exiting due to uncaught exception
>01-12 11:05:18.985: I/global(31516): Default buffer size used in BufferedWriter constructor. It would be better to be explicit if an 8k-char buffer is required.
>01-12 11:05:18.995: E/AndroidRuntime(31516): FATAL EXCEPTION: main
>01-12 11:05:18.995: E/AndroidRuntime(31516): java.lang.NoSuchMethodError: java.util.Arrays.copyOf
>01-12 11:05:18.995: E/AndroidRuntime(31516): at org.mozilla.gecko.sync.Utils.concatAll(Utils.java:118)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at org.mozilla.gecko.sync.crypto.KeyBundle.<init>(KeyBundle.java:110)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at org.mozilla.gecko.sync.syncadapter.SyncAdapter$1.run(SyncAdapter.java:273)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at android.accounts.AccountManager$10.run(AccountManager.java:1134)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at android.os.Handler.handleCallback(Handler.java:587)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at android.os.Handler.dispatchMessage(Handler.java:92)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at android.os.Looper.loop(Looper.java:123)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at android.app.ActivityThread.main(ActivityThread.java:4627)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at java.lang.reflect.Method.invokeNative(Native Method)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at java.lang.reflect.Method.invoke(Method.java:521)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:860)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:618)
>01-12 11:05:18.995: E/AndroidRuntime(31516): at dalvik.system.NativeStart.main(Native Method)
>01-12 11:05:19.005: I/global(31516): Default buffer size used in BufferedWriter constructor. It would be better to be explicit if an 8k-char buffer is required.
>01-12 11:05:19.015: I/global(31516): Default buffer size used in BufferedReader constructor. It would be better to be explicit if an 8k-char buffer is required.
>01-12 11:05:19.015: W/System.err(31516): java.io.FileNotFoundException: /data/plog.log (Permission denied)
>01-12 11:05:19.025: W/ActivityManager(185): Force finishing activity org.mozilla.gecko/.sync.setup.activities.SetupSyncActivity
>01-12 11:05:19.533: W/ActivityManager(185): Activity pause timeout for HistoryRecord{32bb5828 org.mozilla.gecko/.sync.setup.activities.SetupSyncActivity}
Comment 31•11 years ago
> >01-12 11:05:18.995: E/AndroidRuntime(31516): java.lang.NoSuchMethodError: java.util.Arrays.copyOf

This is an API r9 addition, but it's no longer in our source code.

What version of Firefox are you using? This might be as simple as upgrading. I'm not seeing this in current Release (Firefox 23) or current Beta (Firefox 24):

http://hg.mozilla.org/releases/mozilla-release/file/2ad6831ca95e/mobile/android/base/sync/Utils.java
http://hg.mozilla.org/releases/mozilla-beta/file/b2beae751b6e/mobile/android/base/sync/Utils.java
Flags: needinfo?(abhiram1202)
Updated•7 years ago
Product: Android Background Services → Firefox for Android
Updated•3 years ago
Product: Firefox for Android → Firefox for Android Graveyard