airsdk / Adobe-Runtime-Support

Report, track and discuss issues in Adobe AIR. Monitored by Adobe - and HARMAN - and maintained by the AIR community.

When connecting wss with SecureSocket on a specific PC, the SecurityError #2048 occurs. #2620

Open jeremyheo-nsuslab opened 1 year ago

jeremyheo-nsuslab commented 1 year ago

Problem Description

When connecting wss with SecureSocket on a specific PC, the SecurityError #2048 occurs. If I open the https page of the same domain with other browsers (Microsoft Edge, Chrome, etc.), it works fine.

Steps to Reproduce

Information of the PC where the error occurred

The code when the error occurred..

Security.sandboxType is application

import flash.events.SecurityErrorEvent;
import flash.net.SecureSocket;

var socket:SecureSocket = new SecureSocket();

socket.addEventListener(SecurityErrorEvent.SECURITY_ERROR, function (e:SecurityErrorEvent):void {
    trace("error", e); // <-- the error #2048 occurred at this point!
});
socket.connect("somedomain.com", 443);

M4rkY4 commented 1 year ago

Hi, I'm also interested in this topic, so please write here if you find any useful information.

Maybe I'm mistaken, I'm not experienced with this topic, but from what I currently understand, TCP Sockets (SecureSocket) and Web Sockets (wss) are two different technologies, aren't they? You were able to connect them on another PC, right? Did you try AS3WebSocket from theturtle32? Moreover, TLS 1.0 encryption is very old, maybe it causes problems (anti-virus/firewall/OS support) and most likely Flash/AIR needs modern encryption methods to be implemented.

jeremyheo-nsuslab commented 1 year ago

> Hi, I'm also interested in this topic, so please write here if you find any useful information.
>
> Maybe I'm mistaken, I'm not experienced with this topic, but from what I currently understand, TCP Sockets (SecureSocket) and Web Sockets (wss) are two different technologies, aren't they? You were able to connect them on another PC, right? Did you try AS3WebSocket from theturtle32? Moreover, TLS 1.0 encryption is very old, maybe it causes problems (anti-virus/firewall/OS support) and most likely Flash/AIR needs modern encryption methods to be implemented.

Thanks for your interest in this topic. SecureSocket and WSS are different technologies, but they work the same before the connection event.

For example, the code below works fine in a normal PC environment.

import flash.events.Event;
import flash.net.SecureSocket;

var socket:SecureSocket = new SecureSocket();
...
socket.addEventListener(Event.CONNECT, function (e:*):void {
    trace("CONNECT"); //<-- I could see that this log is printed.
});
socket.connect("google.com", 443);

ajwfrost commented 1 year ago

Hi

Just to check, for this issue:

> when connecting wss with SecureSocket on a specific PC, the SecurityError #2048 occurs.

Given the other comments, I think you're saying that if you try connecting to google.com from this PC, it works; and if you try connecting to this specific domain, on another PC, it works; but it's just that you have a problem with a specific domain from a specific PC?

My assumption would be there's a certificate issue or maybe a TLS protocol restriction that's causing the issue. Are you able to confirm the certificate issuer here? (Using Chrome/Edge, go to this domain, click on the padlock, 'connection is secure' -> find the little certificate icon at the top right of the pop-up, and then you should be able to see the certificate details; we're looking for the "issuer" details.) Plus if you do Start -> type "internet options" and go to the Advanced tab, which of the TLS options at the bottom of the list are ticked?

thanks

nanhuichen commented 1 year ago

Hi,

I got a similar issue with SecureSocket on an Android device; please see that the serverCertificateStatus is "invalid".

But there are no problems on an iOS device; its serverCertificateStatus is "trusted".

thanks

ajwfrost commented 1 year ago

Hi @nanhuichen - does this happen with all remote addresses? or if not, are you able to confirm the issuer of the server certificate? (Also wondering if we could reproduce this here, if this is a specific IP address -> would there be any chance of us trying it out if you could email the IP over privately?)

thanks

nanhuichen commented 1 year ago

> Hi @nanhuichen - does this happen with all remote addresses? or if not, are you able to confirm the issuer of the server certificate? (Also wondering if we could reproduce this here, if this is a specific IP address -> would there be any chance of us trying it out if you could email address the IP over privately?)

thanks

@ajwfrost Sure, I can email the remote address to you; which email address can I send it to? Our remote address points to a Load Balancer on Google Cloud Platform, and its SSL certificate is hosted on Google with an auto-refresh mechanism.

ajwfrost commented 1 year ago

@nanhuichen thanks - I'm wondering whether this is as simple as us needing to refresh the root certificates on Android (but it should be picking these up from the OS, I thought!) -> if you can use andrew.frost at harman.com it would be good..

thanks

nanhuichen commented 1 year ago

@ajwfrost I just tested "google.com", it failed too.


ajwfrost commented 1 year ago

Ah okay - so, this issue on Android may be specific just to Android, rather than the original issue reported here which was on Windows 10.

We can see an error on the Android side introduced in a recent update, which would result in the 'invalid' certificate status. We've just updated the code and are now seeing 'trusted' for this, which matches what we get on a desktop platform. So this part will be fixed in our next update.

thanks

M4rkY4 commented 1 year ago

My mistake, message removed

ajwfrost commented 1 year ago

@M4rkY4 just checking here, does your C# application have the handling for TLS? From what I see in the C# Socket documentation, it just supports normal sockets rather than secure ones. Likewise with Colyseum, unless you have configured this with TLS support and your custom certificates, it should throw an io error..

When we try connecting to a server that has support for TLS - e.g. google.com - it seems to work fine (on an M1 MacBook..)

M4rkY4 commented 1 year ago

@ajwfrost Sorry, just checked again / asked nodejs server dev and it seems that you're right and encryption is not enabled on both servers. My bad.

jeremyheo-nsuslab commented 1 year ago

Hi @ajwfrost

> Given the other comments, I think you're saying that if you try connecting to google.com from this PC, it works; and if you try connecting to this specific domain, on another PC, it works; but it's just that you have a problem with a specific domain from a specific PC?

Unfortunately, I couldn't confirm whether it works with google.com. However, as a result of testing several SSL domains, none of them worked. And I think it's a little different from the Android problem, because the serverCertificateStatus value is treated as unknown when the error occurred. Does this mean that the problem occurred before the server certificate? And is there a way to see a more detailed log when an error occurs?
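To get the more detailed log asked for above, and to capture the same facts the earlier comment asks about (which event ends the handshake, how long it takes, and what serverCertificateStatus is at that moment), here is an added ActionScript 3 probe; it is not code from this thread. SecureSocketProbe, HOST and the timeout value are my own placeholders and assumptions.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.ErrorEvent;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.events.SecurityErrorEvent;
    import flash.net.SecureSocket;
    import flash.security.CertificateStatus;

    // Probe that records which event ends the handshake, how long it took,
    // and what serverCertificateStatus was at that moment.
    public class SecureSocketProbe extends Sprite {
        private static const HOST:String = "somedomain.com"; // placeholder: the failing domain
        private static const PORT:int = 443;
        private var socket:SecureSocket;
        private var startedAt:Number;

        public function SecureSocketProbe() {
            if (!SecureSocket.isSupported) {
                trace("SecureSocket is not supported by this runtime");
                return;
            }
            socket = new SecureSocket();
            socket.timeout = 15000; // ms, inherited from Socket; assumed value
            socket.addEventListener(Event.CONNECT, onConnect);
            socket.addEventListener(IOErrorEvent.IO_ERROR, onFailure);
            socket.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onFailure);
            startedAt = new Date().time;
            socket.connect(HOST, PORT);
        }

        private function onConnect(e:Event):void {
            report("CONNECT");
            socket.close();
        }

        // Both IOErrorEvent (#2031) and SecurityErrorEvent (#2048) extend ErrorEvent.
        private function onFailure(e:ErrorEvent):void {
            report(e.type + " #" + e.errorID + ": " + e.text);
        }

        private function report(what:String):void {
            var status:String = socket.serverCertificateStatus;
            var elapsed:Number = new Date().time - startedAt;
            trace(what + " after " + elapsed + " ms; serverCertificateStatus=" + status +
                  (status == CertificateStatus.UNKNOWN ? " (certificate never validated)" : ""));
        }
    }
}
```

A failure that leaves the status at "unknown" means the runtime never got as far as evaluating the server certificate, which points at the TLS handshake itself (protocol or cipher agreement) rather than the chain; a status such as "invalid" or "untrustedSigners" points at chain validation.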

Malke commented 1 year ago

Hello, I have encountered an issue that seems similar to the topic you discussed.

I've set up an SSL connection with my server using a Letsencrypt SSL certificate. Everything works perfectly on Windows. However, on Android, I'm encountering the following error event:

[IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2031: Socket Error. URL: xxxxxxx" errorID=2031]

For info: the Letsencrypt certificate receives a green rating on SSL Labs and SSL Shopper, with all the necessary chain certificates. I've specified the "ISRG Root X1" route to generate the Letsencrypt certificate and ensure its validation beyond 2021. The certificate chain consists of: Server > R3 > ISRG Root X1 (self-signed).

My online server is running Debian 11.7 with OpenSSL 1.1.1n. I did some tests using the SecureSocket serverCertificateStatus result:

I've also tested with the URL "google.com" and received a "trusted" status everywhere.

If anyone could provide guidance on what I might have overlooked in my code or other suggestions, I would greatly appreciate it. Thank you.

ajwfrost commented 1 year ago

Hi @Malke - the fix we made for this went into 50.2.2.6, so if you're seeing an issue still on 50.2.3.4 then we have something else that's going wrong...

If your server is externally accessible, could you please post (or email me) the address so that we can check what's happening within the validation code? Or failing that, we can look at creating a runtime that has more debug information in it for the Android build to see what may be going on..

thanks

Malke commented 1 year ago

Hi @ajwfrost I have just sent you an email containing the URLs if you want to test them with your debug runtimes. Thank you.