dam1 / websmsdroid

Automatically exported from code.google.com/p/websmsdroid

o2 Connector SSL server certificate error #272

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Send a WebSMS

What is the expected output? What do you see instead?

Expected: Send the WebSMS

What happens: Error concerning SSL certificate

What version of the product are you using? On what operating system?

Latest

Please provide any additional information below.

-

Original issue reported on code.google.com by equalize...@googlemail.com on 13 Jul 2010 at 8:15

GoogleCodeExporter commented 8 years ago
Same problem here on HTC Desire (Android 2.1), since I'm still using webSMS 
v3.1.6, I'm guessing o2 changed something. This is the exact error I get:

javax.net.ssl.SSLException: Not trusted server certificate

Hope this helps.

Original comment by d.roustc...@googlemail.com on 13 Jul 2010 at 8:22

GoogleCodeExporter commented 8 years ago
I also have the same problem => 

o2:javax.net.ssl.SSLException: Not trusted server certificate

Original comment by webster2...@gmail.com on 13 Jul 2010 at 11:35

GoogleCodeExporter commented 8 years ago
Same system, same version, same problem!

Original comment by stylztu...@gmail.com on 13 Jul 2010 at 3:24

GoogleCodeExporter commented 8 years ago
Issue 273 has been merged into this issue.

Original comment by felix.bechstein on 13 Jul 2010 at 4:00

GoogleCodeExporter commented 8 years ago
as this is *NOT* update related, i assume this is a problem of o2.
i'll have a look on it myself as soon as possible. please be patient

Original comment by felix.bechstein on 13 Jul 2010 at 4:03

GoogleCodeExporter commented 8 years ago
Attached the Output from alogcat, filtered for "WebSMS". Exception seems to 
indicate that O2 switched their server-certificate to some not supported 
"Version 1" certificate, not sure if we can do anything but disable SSL :/

Original comment by clausthalerblubb on 13 Jul 2010 at 6:15

GoogleCodeExporter commented 8 years ago
Same problem here with the latest update :(

Original comment by j.erra.m...@gmail.com on 13 Jul 2010 at 6:38

GoogleCodeExporter commented 8 years ago
Same Problem, but I noticed that it is no longer possible to send any WebSMS in 
the "official" "Mein o2 Beta"-App of o2. There it's an error called 
"Netzwerkfehler" (in English: Networking-Error). [Also: it's no longer possible 
to download your bill... same error] So possibly a temporary problem?

Eusebius

Original comment by eusebiu...@gmail.com on 13 Jul 2010 at 6:46

GoogleCodeExporter commented 8 years ago
I can confirm Eusebius' statement. We will see if o2 updates its own app or 
this really just is a temporary thing.

Original comment by equalize...@googlemail.com on 13 Jul 2010 at 6:50

GoogleCodeExporter commented 8 years ago
it is an SSL related problem.
this android bug [http://code.google.com/p/android/issues/detail?id=5756] is 
possibly related.

please drop me an info here if the official app is working again.
in the meantime i'm working on a workaround.

Original comment by felix.bechstein on 13 Jul 2010 at 6:52

GoogleCodeExporter commented 8 years ago
just published the *INSECURE* workaround to market and download section
please test it.

beer is welcome ;)

Original comment by felix.bechstein on 13 Jul 2010 at 7:55

GoogleCodeExporter commented 8 years ago
Seems to work. I was able to update the number of SMS left and send one via 
WebSMS.

Nevertheless I would like to see the secure version working again.

Thanks so far Felix for the nice app and fast update. Please keep up the great 
work!

Original comment by equalize...@googlemail.com on 13 Jul 2010 at 8:29

GoogleCodeExporter commented 8 years ago
the workaround works! Sent a test SMS to myself.
The o2 Own App "O2 WebSMS" doesn't work. Errors like eusebius90 said

Original comment by dominik....@gmail.com on 13 Jul 2010 at 8:30

GoogleCodeExporter commented 8 years ago
btw: insecure means: the app trusts *ANY* SSL certificate.
it's better than no ssl, but insecure as hell.
please keep an eye on o2's version and drop me a note here.
i'll rollback the changes as soon as the workaround is not needed anymore.

Original comment by felix.bechstein on 14 Jul 2010 at 5:05

GoogleCodeExporter commented 8 years ago
Very great job, Felix!! =)

Original comment by Sebbe...@googlemail.com on 16 Jul 2010 at 8:00

GoogleCodeExporter commented 8 years ago
The official app of o2 was recently updated. Now everything works fine again in 
"mein o2 beta"
Eusebius

Original comment by eusebiu...@gmail.com on 21 Jul 2010 at 1:53

GoogleCodeExporter commented 8 years ago
I can confirm this. The official app is now working again like it was supposed 
to. Your WebSMS seems also to be working. I just was not able to update my 
number of free SMS left.

Original comment by equalize...@googlemail.com on 21 Jul 2010 at 2:01

GoogleCodeExporter commented 8 years ago
The official app O2 WebSMS works fine now too.

Original comment by dominik....@gmail.com on 21 Jul 2010 at 4:53

GoogleCodeExporter commented 8 years ago
as they updated the client side, i assume they made it insecure as i did.
so it's not a fix imho. :(

Original comment by felix.bechstein on 21 Jul 2010 at 6:43

GoogleCodeExporter commented 8 years ago
well. i tried to remove the hack, but had no luck. the certificate is still 
broken :/

Original comment by felix.bechstein on 12 Aug 2010 at 5:52

GoogleCodeExporter commented 8 years ago
Having no verification at all is very bad, as felix already noted. The 
connection is encrypted, but everyone can man-in-the-middle without any problem 
(a real issue especially if you use public wifi).

As it seems that this certificate will stay this way, I think the connector 
should hardwire the fingerprints of the current known certificates. This is of 
course less flexible and the user has to trust the developer that he checked 
the cert properly (instead of his phone-manufacturer). But as the applications 
handle sensitive data like passwords and phone-numbers anyway, users already 
trust the dev. ;-)

With this approach the risk of a man-in-the-middle-attack would be reduced back 
to the normal level.

I tried to hack this into the sources myself without making the websms-api 
backward-incompatible. I can't say I like the result, but it's OK for my 
personal use and to show the way I'd go to work around this bug.

http://github.com/Boris-de/websms-api/commit/1be6bdba374410a9f67c5b9bcb50705140
http://github.com/Boris-de/websms-connector-o2/commit/ce16adbcee64b6da0bf707290

Original comment by boris-c...@gmx.com on 5 Sep 2010 at 5:06
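
The fingerprint approach proposed in the comment above, as an added example (not the code from the linked commits or from the project): a trust manager that accepts a server only when the SHA-256 of its DER-encoded leaf certificate is in a hardwired list. The class name `PinnedTrustManager` is hypothetical, and the pin values are supplied by the caller, not taken from this page.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/** Hypothetical example class: trusts a server only if its leaf certificate is pinned. */
public final class PinnedTrustManager implements X509TrustManager {
    private final Set<String> pins = new HashSet<>(); // lowercase hex SHA-256 fingerprints

    public PinnedTrustManager(String... hexPins) {
        for (String p : hexPins) {
            pins.add(p.replace(":", "").toLowerCase(Locale.ROOT)); // accept "AB:CD:..." form
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        byte[] digest;
        try { // chain[0] is the certificate the server presented for itself
            digest = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
        } catch (GeneralSecurityException e) {
            throw new CertificateException(e);
        }
        String seen = String.format("%064x", new BigInteger(1, digest));
        if (!pins.contains(seen)) {
            throw new CertificateException("server certificate does not match any pin");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("client authentication is not supported");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
```

An instance is installed with `SSLContext.init(null, new TrustManager[] { ... }, null)`. An empty pin list rejects every server, and a certificate change on the server side requires shipping a new pin.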

GoogleCodeExporter commented 8 years ago
just merged your code into mine. it's way more secure than before.
and as nothing seems to be changed on o2's side.. we just need this dirty hack.

and besides that: it's more secure than hoping some really bad man (let's call 
him wolfgang) never gets a "valid" certificate from any of these dirty china 
CA (let's call it verisign) to fuck on you. :D

btw: i added your mail you're using here to the list of donators.

Original comment by felix.bechstein on 11 Sep 2010 at 2:21

GoogleCodeExporter commented 8 years ago
Indeed, it's more secure in this way, though more work of course if it really 
changes.

Thanks for adding me to the donator-list, I appreciate it.

Original comment by boris-c...@gmx.com on 12 Sep 2010 at 9:06

GoogleCodeExporter commented 8 years ago
Today:

Trying to send a sms (o2)

"Sending failed - User or password wrong"

but not always, just sometimes. Not only with WEBSMS by Felix, also with the 
original "Mein o2".

Need Help

Original comment by chiefte...@gmail.com on 15 Sep 2010 at 5:20

GoogleCodeExporter commented 8 years ago
i got a few mails with that problem since yesterday. i'm sure it has nothing to 
do with my app.

disable tweaks may help.

it has nothing to do with this issue for sure!

Original comment by felix.bechstein on 15 Sep 2010 at 8:51

GoogleCodeExporter commented 8 years ago
similar problem on betamax connector:
when send sms/balance check (via webcalldirect.com or poivy.com)
"betamax: hostname in certificate didnt match ..."

Original comment by Sven.Sta...@googlemail.com on 12 Oct 2010 at 8:19

GoogleCodeExporter commented 8 years ago
the last Days always:
"o2: Sending failed - User or password wrong"

Original comment by alexande...@googlemail.com on 12 Oct 2010 at 1:26

GoogleCodeExporter commented 8 years ago
@sven: please create a new issue, as betamax is not implemented by myself.

@alexander: are you running the newest version of o2 connector?

Original comment by felix.bechstein on 12 Oct 2010 at 5:22

GoogleCodeExporter commented 8 years ago
as nothing changed, i leave it as it is.

Original comment by felix.bechstein on 27 Dec 2010 at 7:41