apache / cordova-plugin-file-transfer

Apache Cordova File Transfer Plugin
https://cordova.apache.org/
Apache License 2.0

SSLHandshakeException: Chain validation failed #225

Closed Mr-Anonymous closed 3 years ago

Mr-Anonymous commented 5 years ago

Problem

SSL Handshake is failing. When a file is uploaded to the server, I am getting the error: W/FileTransfer: Error getting HTTP status code from connection. javax.net.ssl.SSLHandshakeException: Chain validation failed

What is expected to happen?

The SSL certificate is valid until April 2019. It was issued by Let's Encrypt Authority X3. Chrome and other browsers do not have this error, so the upload should work since the certificate is valid and TLS v1.2 is enabled.

What does actually happen?

If I upload from ionic mobile app using the native XHR method, it works. If I upload using the File Transfer plugin, the SSL Handshake fails. Particularly, it appears users with Android phones are having this issue.

Information

I did a scan using ssllabs.com and the only 2 things I found in that are:

  1. OCSP STAPLING ERROR: OCSP response expired on Mon Mar 04 16:00:00 UTC 2019

  2. TLS 1.1 and TLS 1.0 are not enabled. I am not sure if we need them, since most of the users who have reported this use Android 8+.

Can any of the above cause this SSL Handshake issue? Can an expired OCSP stapling cause this handshake error on uploads in File Transfer plugin?

Environment, Platform, Device

User 1:
OS: android 9 
Browser: chrome 72.0.3626.105 

User 2: 
OS: android 8.0.0 
Browser: chrome 72.0.3626.105 

User 3: 
OS: android 8.1.0 
Browser: chrome 72.0.3626.105 

Version information

code-push 2.0.4 "CodePushAcquisition"
cordova-android-support-gradle-release 1.4.2 "cordova-android-support-gradle-release"
cordova-plugin-appcenter-analytics 0.1.4 "App Center Analytics for Cordova"
cordova-plugin-appcenter-crashes 0.1.4 "App Center Crashes for Cordova"
cordova-plugin-appcenter-shared 0.1.3 "App Center shared code for Cordova"
cordova-plugin-camera 4.0.3 "Camera"
cordova-plugin-code-push 1.11.10 "CodePush"
cordova-plugin-device 2.0.2 "Device"
cordova-plugin-dialogs 2.0.1 "Notification"
cordova-plugin-file 6.0.1 "File"
cordova-plugin-file-opener2 2.0.19 "File Opener2"
cordova-plugin-file-transfer 1.7.1 "File Transfer"
cordova-plugin-headercolor 1.0 "HeaderColor"
cordova-plugin-ignore-lint-translation 0.0.1 "cordova-plugin-ignore-lint-translation"
cordova-plugin-ionic-webview 2.3.1 "cordova-plugin-ionic-webview"
cordova-plugin-ios-camera-permissions 1.2.0 "iOS Permissions"
cordova-plugin-mediapicker-dmcbig 2.3.8 "MediaPicker"
cordova-plugin-network-information 2.0.1 "Network Information"
cordova-plugin-splashscreen 5.0.2 "Splashscreen"
cordova-plugin-statusbar 2.4.2 "StatusBar"
cordova-plugin-whitelist 1.3.3 "Whitelist"
cordova-plugin-zip 3.1.0 "cordova-plugin-zip"
ionic-plugin-deeplinks 1.0.15 "Ionic Deeplink Plugin"
ionic-plugin-keyboard 2.2.1 "Keyboard"

cli packages: (/usr/local/lib/node_modules)

    @ionic/cli-utils  : 1.19.2
    ionic (Ionic CLI) : 3.20.0

global packages:

    cordova (Cordova CLI) : 8.0.0 

local packages:

    Cordova Platforms : android 7.0.0 ios 4.5.5
    Ionic Framework   : ionic1 1.3.3

System:

    ios-deploy : 1.9.2 
    ios-sim    : 5.0.13 
    Node       : v9.3.0
    npm        : 5.7.1 
    OS         : macOS
    Xcode      : Xcode 10.1 Build version 10B61 

Environment Variables:

    ANDROID_HOME : not set

Misc:

    backend : pro

Mr-Anonymous commented 5 years ago

Here is an update. I may have resolved this issue in the end. As I suspected, it did turn out to be due to OCSP stapling renewal. It last expired on March 4, and hence the upload from the mobile app stopped working on March 5. The server did not renew the OCSP stapling although it was enabled in the SSL settings. So I made the following changes to the web server config.

  1. nano /etc/apache2/conf.d/includes/pre_main_global.conf

    # ADDED THIS
    <IfModule Litespeed>
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    </IfModule>

  2. nano /etc/apache2/conf.d/userdata/lscache_vhosts.conf

    # Added This
    <IfModule Litespeed>
    SSLUseStapling on
    </IfModule>

  3. Apply these changes to all Virtual Hosts by running the following command:

    /scripts/ensure_vhost_includes --all-users

After that, the mobile uploads started to work on these devices. I am yet to receive confirmation from our users, but from my testing it seems to work in the emulators. It appears Chrome and most browsers do not care much about the expired OCSP stapling error, but it seems the Cordova file transfer plugin was very strict about it and rejected the file upload because of this.

Mr-Anonymous commented 5 years ago

I still have issues with this. I have enabled OCSP stapling, and sometimes when the OCSP stapling cache does not get refreshed, even though the SSL certificate is valid, the file upload fails. This happens only on Android using this file transfer plugin.

Do we even need to have OCSP Stapling enabled in the server? If I disable OCSP Stapling, will the file transfer no longer work in Android? Has anyone had experience on this issue?

breautek commented 3 years ago

> Do we even need to have OCSP Stapling enabled in the server?

This depends on the security policy of your company.

> If I disable OCSP Stapling, will the file transfer no longer work in Android? Has anyone had experience on this issue?

I have some servers that don't have OCSP Stapling enabled, and the file transfer plugin is working for me on those servers.

elysiopires commented 3 years ago

Hello @Mr-Anonymous ,

Did you have any success with this error?

Getting the same here...

Have a great day.

Best, Elysio Pires

timbru31 commented 3 years ago

A chain validation error mostly indicates a faulty webserver config. You can, e.g., use https://www.ssllabs.com/ to check your server and its certificates. It will highlight missing intermediate certificates.
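Both findings raised in this thread (a stapled OCSP response that has passed its "Next Update" time, and a chain that openssl cannot verify because an intermediate is missing) can be checked from the server side with `openssl s_client -status`. The script below is an added example, not part of this issue or the plugin; it parses that output and runs against a constructed sample whose stapled response expired on Mar 4 2019 as in the report. `example.test` is a hypothetical host.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of what `openssl s_client -connect host:443 -status`
# prints for a server whose stapled OCSP response is past its Next Update.
# The chain itself verifies fine, which is exactly the situation in the issue.
SAMPLE_STALE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Feb 25 16:00:00 2019 GMT
    Next Update: Mar  4 16:00:00 2019 GMT
======================================
depth=0 CN = example.test
verify return:1
Verify return code: 0 (ok)
"""

OCSP_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text: str) -> datetime:
    # openssl pads single-digit days with two spaces ("Mar  4"); collapse them.
    return datetime.strptime(" ".join(text.split()), OCSP_TIME).replace(tzinfo=timezone.utc)


def diagnose(output: str, now: datetime) -> dict:
    """Summarise stapling and chain state from s_client output.

    stapled: a stapled OCSP response was sent at all
    stapling_fresh: its Next Update is still in the future (None if not stapled)
    chain_ok: openssl verified the chain; a non-zero code usually means a
    missing intermediate, the classic cause of "Chain validation failed"."""
    result = {"stapled": False, "stapling_fresh": None, "chain_ok": False}
    m = re.search(r"Next Update:\s*(.+)", output)
    if m:
        result["stapled"] = True
        result["stapling_fresh"] = parse_openssl_time(m.group(1)) > now
    v = re.search(r"Verify return code:\s*(\d+)", output)
    result["chain_ok"] = bool(v) and v.group(1) == "0"
    return result


def check_host(host: str, port: int = 443, timeout: int = 10) -> dict:
    """Live check: run openssl s_client against a host and diagnose its output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return diagnose(proc.stdout.decode(errors="replace"), datetime.now(timezone.utc))
```

Note that openssl (like the browsers mentioned above) still reports `Verify return code: 0` for a stale stapled response; only the `stapling_fresh` field exposes the condition that broke uploads here, so it is the one to alert on.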

timbru31 commented 3 years ago

Closing due to lack of feedback and probably a mis-configured web server - that's out of scope for us to fix.

Mr-Anonymous commented 3 years ago

> Hello @Mr-Anonymous ,
>
> Did you have any success with this error?
>
> Getting the same here...
>
> Have a great day.
>
> Best, Elysio Pires

Sorry for the delay in replying. I resolved the issue by contacting the Litespeed team directly and they added an update in Litespeed to fix this issue. This issue was happening due to some LiteSpeed issue. Once it was reported to them, they rectified it and soon my web server was patched with that update.

Hope this helps.