Posted to dev@hc.apache.org by Roy Hashimoto <ro...@gmail.com> on 2019/10/12 23:24:15 UTC

TLS protocol error using HttpCore 5.0 beta9 on Android 8.1

I have implemented a simple HTTPS server using HttpCore 5.0 beta9 on
Android with its default JSSE:

https://github.com/rhashimoto/Android-HttpCore-Protocol-Bug/blob/master/app/src/main/java/com/example/httpcore/WebServer.kt

When running on Android 8.1 (Oreo), requests to the server fail with a TLS
protocol error in the middle of transferring the response body. When I look
at a packet dump (sample attached) the problem is that the server properly
sends some TLS-encrypted data but then sends some plaintext data.

This seems like it might be caused by the Conscrypt bug fixed here:

https://github.com/google/conscrypt/pull/189

I don't entirely understand the description of the bug and fix, but I do
not see the bad behavior when running on Android 10 and the time frame
seems about right.

My guess is that this is not an HttpCore bug but I thought I would document
it here in case someone else encounters it or can suggest a workaround.

Roy
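
One way to confirm the symptom described above from a packet dump, as an added example that is not part of the original post: walk the server-to-client bytes of a reassembled TCP stream as TLS records and report the first offset where the record framing breaks. The function names and the sample stream are constructed for illustration; extracting the stream bytes from the capture is assumed to be done beforehand.

```python
import struct

# TLS record header: type (1 byte), legacy version (2 bytes), length (2 bytes).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_CIPHERTEXT = 2**14 + 2048  # TLS 1.2 limit on an encrypted record body


def scan_tls_stream(stream: bytes):
    """Walk one direction of a reassembled TCP stream as TLS records.

    Returns (records, violation). records is a list of
    (offset, content_type_name, length); violation is None, or a dict
    describing the first offset where record framing stops being valid.
    """
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            return records, _violation(stream, off, "incomplete header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if (ctype not in CONTENT_TYPES or major != 3 or minor > 4
                or length > MAX_CIPHERTEXT):
            return records, _violation(stream, off, "not a TLS record header")
        if off + 5 + length > len(stream):
            return records, _violation(stream, off, "incomplete record")
        records.append((off, CONTENT_TYPES[ctype], length))
        off += 5 + length
    return records, None


def _violation(stream, off, reason):
    preview = stream[off:off + 32]
    # Printable ASCII right after valid records suggests cleartext on the wire.
    printable = bool(preview) and all(
        32 <= b < 127 or b in (9, 10, 13) for b in preview)
    return {"offset": off, "reason": reason,
            "preview": preview, "printable": printable}


def build_sample_stream() -> bytes:
    """Constructed sample: two well-formed records, then unframed cleartext."""
    handshake = bytes([22, 3, 3]) + struct.pack("!H", 4) + b"\x0e\x00\x00\x00"
    app_data = bytes([23, 3, 3]) + struct.pack("!H", 8) + bytes(range(0xA0, 0xA8))
    return handshake + app_data + b"<html><body>response body in the clear"


if __name__ == "__main__":
    recs, bad = scan_tls_stream(build_sample_stream())
    print(recs)
    print(bad)
```

An "incomplete record" result at the very end of a stream usually just means the capture stopped mid-record; a "not a TLS record header" result with a printable preview is the pattern that matches data leaving the socket unencrypted.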

Re: TLS protocol error using HttpCore 5.0 beta9 on Android 8.1

Posted by Roy Hashimoto <ro...@gmail.com>.
A workaround is to include a recent version of Conscrypt, e.g.:

    implementation 'org.conscrypt:conscrypt-android:2.2.1'

and explicitly use it as the JSSE provider when building the SSLContext,
e.g.:

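    import org.apache.hc.core5.ssl.SSLContexts
    import org.conscrypt.Conscrypt

    // Use the bundled Conscrypt as the JSSE provider instead of the platform default.
    val tlsContext = SSLContexts.custom()
      .setProvider(Conscrypt.newProvider())
      .setProtocol("TLSv1.2")
      .loadKeyMaterial(keyStore, password.toCharArray())
      .build()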

This bloats the APK size a bit but also enables HTTP2. Using only one
connection per client seems like a decent tradeoff.

On Sat, Oct 12, 2019 at 4:24 PM Roy Hashimoto <ro...@gmail.com>
wrote:

> I have implemented a simple HTTPS server using HttpCore 5.0 beta9 on
> Android with its default JSSE:
>
>
> https://github.com/rhashimoto/Android-HttpCore-Protocol-Bug/blob/master/app/src/main/java/com/example/httpcore/WebServer.kt
>
> When running on Android 8.1 (Oreo), requests to the server fail with a TLS
> protocol error in the middle of transferring the response body. When I look
> at a packet dump (sample attached) the problem is that the server properly
> sends some TLS-encrypted data but then sends some plaintext data.
>
> This seems like it might be caused by the Conscrypt bug fixed here:
>
> https://github.com/google/conscrypt/pull/189
>
> I don't entirely understand the description of the bug and fix, but I do
> not see the bad behavior when running on Android 10 and the time frame
> seems about right.
>
> My guess is that this is not an HttpCore bug but I thought I would
> document it here in case someone else encounters it or can suggest a
> workaround.
>
> Roy
>

Re: TLS protocol error using HttpCore 5.0 beta9 on Android 8.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Sat, 2019-10-12 at 16:24 -0700, Roy Hashimoto wrote:
> I have implemented a simple HTTPS server using HttpCore 5.0 beta9 on
> Android with its default JSSE:
> 
> 
> https://github.com/rhashimoto/Android-HttpCore-Protocol-Bug/blob/master/app/src/main/java/com/example/httpcore/WebServer.kt
> 
> When running on Android 8.1 (Oreo), requests to the server fail with
> a TLS protocol error in the middle of transferring the response body.
> When I look at a packet dump (sample attached) the problem is that
> the server properly sends some TLS-encrypted data but then sends some
> plaintext data.
> 
> This seems like it might be caused by the Conscrypt bug fixed here:
> 
> https://github.com/google/conscrypt/pull/189
> 
> I don't entirely understand the description of the bug and fix, but I
> do not see the bad behavior when running on Android 10 and the time
> frame seems about right.
> 
> My guess is that this is not an HttpCore bug but I thought I would
> document it here in case someone else encounters it or can suggest a
> workaround.
> 
> Roy

Hi Roy

I am presently working on building JSSE provider integration tests for
the latest Conscrypt, Bouncy Castle and various versions of Oracle JSSE
providers. 

At this point Conscrypt appears to be the only stable TLSv1.3
implementation. The JSSE provider shipped with JRE 11.0.2 still appears
buggy and I cannot get Bouncy Castle to work for me at all.

If you can reproduce your issue using our integration test framework, I
will make sure this condition is properly covered in our integration
tests:

https://github.com/apache/httpcomponents-core/tree/jsse-provider-tests
https://github.com/apache/httpcomponents-core/blob/jsse-provider-tests/httpcore5-testing/src/test/java/org/apache/hc/core5/testing/nio/JSSEProviderIntegrationTest.java

Oleg


