You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cordova.apache.org by GitBox <gi...@apache.org> on 2022/05/20 09:08:32 UTC

[GitHub] [cordova-android] tudordumitriu opened a new issue, #1435: Authentication call not working to remote API in release mode because SSL Error

tudordumitriu opened a new issue, #1435:
URL: https://github.com/apache/cordova-android/issues/1435

   # Bug Report
   After upgrading to Cordova Android 10.1.1 the login stopped working in release mode. The login being a call to a remote API on https that returns a Set-Cookie header.
   
   ## Problem
   First of all, the very same call to the very same API in debug deployment works perfectly
   After days of trial and error, first of all trying to attach to a release deployment with an inspector to see the console warning, that finally didn't help at all we found out that the problem was caused by a SSL error (still don't know what it is) that was handled differently in debug mode
   
   ### What is expected to happen?
   To work in both release and debug mode the same
   
   ## Information
   <!-- Include all relevant information that might help understand and reproduce the problem -->
   SystemWebViewClient onReceivedSslError method treats the SSL errors differently in debug mode and makes calls being handled differently
   
   
   ### Command or Code
   <!-- What command or code is needed to reproduce the problem? -->
   Our temporary solution was to always call handler.proceed()
   `if (true || (appInfo.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
                   // debug = true
                   handler.proceed();
                   return;
               } else {
                   // debug = false
                   super.onReceivedSslError(view, handler, error);
               }`
   
   ### Environment, Platform, Device
   <!-- In what environment, on what platform or on which device are you experiencing the issue? -->
   Cordova Android 10.1.1
   
   
   ### Version information
   <!--
   What are relevant versions you are using?
   For example:
   Cordova: Cordova CLI, Cordova Platforms, Cordova Plugins
   Other Frameworks: Ionic Framework and CLI version
   Operating System, Android Studio, Xcode etc.
   -->
   Cordova CLI 11
   Windows
   Android Studio Chipmunk
   
   
   
   ## Checklist
   <!-- Please check the boxes by putting an x in the [ ] like so: [x] -->
   
   - [ ] I searched for existing GitHub issues
   - [ ] I updated all Cordova tooling to most recent version
   - [ ] I included all the necessary information above
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org

[GitHub] [cordova-android] tudordumitriu commented on issue #1435: Authentication call not working to remote API in release mode because SSL Error

Posted by GitBox <gi...@apache.org>.
tudordumitriu commented on issue #1435:
URL: https://github.com/apache/cordova-android/issues/1435#issuecomment-1137380706

   Thanks @breautek 
   We have just figured it out, the intermediate certificate had to be installed in the API server services properly.
   All fine once we have correctly done that
   So the underlying issue fixed, but the secondary problem persists, how can you get properly informed on the nature of the real issue, could these maybe be forwarded to console, at least to get an idea what the problem might be. 
   In my case I ended up commenting out that flag just because there were only few places and since in debug was working, well, we were trying to eliminate one by one the potential issues, but in the end this consumed us few days, and I guess other people might be facing this
   By all means feel free to close it if there is no other way to elevate these errors.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org

[GitHub] [cordova-android] breautek commented on issue #1435: Authentication call not working to remote API in release mode because SSL Error

Posted by GitBox <gi...@apache.org>.
breautek commented on issue #1435:
URL: https://github.com/apache/cordova-android/issues/1435#issuecomment-1135881026

   SSL errors are generally caused by:
   
   1. Missing intermediate certificate on the local device (e..g the webserver does not supply the full certificate chain)
   2. There is a mismatch of supported encryption algorithms and/or ciphers between the device and the server. This is often the case with older phones or phones that isn't up-to-date with their updates. Sometimes in order to support older devices, you need to use/enable weaker, potentially insecure SSL settings on the server. Of course, this becomes a risk vs value assessment.
   
   [SSL Labs](https://www.ssllabs.com/ssltest/) offers a great testing tool for the server to test your server's configuration, including potential security vulnerabilities, as well as generally supported browsers / devices.
   
   > SystemWebViewClient onReceivedSslError method treats the SSL errors differently in debug mode and makes calls being handled differently
   
   I think I agree with this sentiment. Relaxed SSL errors are often saught upon for local development, so that you can run self-signed certificates for example, but maybe this should be either an opt-in or opt-out kind of feature.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org

[GitHub] [cordova-android] tudordumitriu commented on issue #1435: [Feature Request]: Improve error feedback to webview from native

Posted by GitBox <gi...@apache.org>.
tudordumitriu commented on issue #1435:
URL: https://github.com/apache/cordova-android/issues/1435#issuecomment-1138134012

   I think the title is comprehensive and thanks for all the support!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org

[GitHub] [cordova-android] breautek commented on issue #1435: Authentication call not working to remote API in release mode because SSL Error

Posted by GitBox <gi...@apache.org>.
breautek commented on issue #1435:
URL: https://github.com/apache/cordova-android/issues/1435#issuecomment-1137407828

   > could these maybe be forwarded to console
   
   It's possible they are printed in the native console, but yah, maybe native logs using the cordova logger could be printed to the webview console. That could simplify a lot of debugging for many people, especially if they aren't familiar with using native tools, as with the case with many cordova users.
   
   > By all means feel free to close it if there is no other way to elevate these errors.
   
   I think we can probably keep this open for context, but I'll reword the title. My idea for changing how SSL is accepted is a bit more of a dangerous territory. Forwarding console logs is definitely a doable feature I think that can be added at any time, and definitely safer I think.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org