1.77 fails to connect to TLS site - SSL errors

[GoogleCodeExporter]

Following an upgrade to ttrss-reader-fork v 1,77 which depreciates SSLv3 I am 
no longer able to connect to my tt-rss instance running on Debian with Apache.  

> What steps will reproduce the problem?
1. Open ttrss-reader-fork
2. ttrss-reader fork fails with errors (attached)

> What is the expected output?

Getting access to my feeds

> What do you see instead?

SSL Library errors and a failure to connect to tt-rss instance (see attached)

> What version of the product are you using (please provide the full version
information from the About-box!)? 

    Version: 1.77 
    Version-code: 1770

> On what android version? 

    Cyanogen Mod CM11 M11

> And what server-version is your TTRSS-Server running?

    1.13

> Please provide any additional information below:

My apache SSL/TLS (self signed cert) config is as follows

    SSLProtocol All -SSLv2 -SSLv3 
    SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL

With the exact same apache and tt-rss reader set up, ttrss-reader-fork prior to 
1.77 worked as expected.

Original issue reported on code.google.com by httpl...@gmail.com on 24 Oct 2014 at 9:07

Attachments:

• ttrss_fail.png

[GoogleCodeExporter]

I can confirm this problem (with 1.77 which did not exist before)

Original comment by Joachim....@gmx.de on 25 Oct 2014 at 11:39

[GoogleCodeExporter]

Can someone please provide me with a server-address of a non-functional 
instance? I don't need a test-account, just a responding Tiny Tiny RSS instance.

Original comment by nils.braden on 26 Oct 2014 at 1:22

• Changed state: Accepted

[GoogleCodeExporter]

https://rss.impium.de

Original comment by ad...@impium.de on 26 Oct 2014 at 1:32

[GoogleCodeExporter]

I only see this problem if I use a different server address (name not IP) from 
the internal wifi network. If I use the same (external) name for the server 
(which is also used for the self signed certificate) then it works with 1.77. 

Original comment by Joachim....@gmx.de on 26 Oct 2014 at 1:51

[GoogleCodeExporter]

I think the attached build should work, can you please have a try?

Original comment by clausthalerblubb on 26 Oct 2014 at 2:31

Attachments:

• ttrss-reader_1770_ticket258.apk

[GoogleCodeExporter]

works

Original comment by ad...@impium.de on 26 Oct 2014 at 3:17

[GoogleCodeExporter]

Original comment by nils.braden on 26 Oct 2014 at 10:07

• Changed state: Fixed

[GoogleCodeExporter]

I still see this bug: If I connect to the external server name (which is also 
used in the certificate) everything works. If I use the internal name of the 
server from my wifi network the error message as shown in the original bug 
report appears.

Original comment by Joachim....@gmx.de on 26 Oct 2014 at 11:28

[GoogleCodeExporter]

Did it work before 1.77?
Have you trie enabling "Trust all hosts"?

Problem here I think is, you connect to a server called mydomain.com and a 
certificate which was issued to the CN *.mydomain.com (or something similar). 
Now you connect to an ip address 192.168.0.xx which is obviously not equal to 
"mydomain.com".

I would have to add the SSL preferences to the set of preferences that can be 
configured for each type of network individually.

Original comment by nils.braden on 27 Oct 2014 at 10:05

[GoogleCodeExporter]

You are right: Setting the preference to trust all hosts fixes this problem. 
But it worked before 1.77 without this option set. So probably there was a bug 
before. 

But if there are different addresses for a server for WLAN/the outside, is 
there any correct way to set up the server certificate/https settings? Or is 
"trust all hosts" mandatory in this case? Then it would make sense to add this 
option to the WLAN specific settings.

Original comment by Joachim....@gmx.de on 29 Oct 2014 at 9:55

[GoogleCodeExporter]

Hm I guess you are right, there seems to have been a bug when verifying the 
hostname. I'll see what I have to do to get this into the specific preferences. 
I opened a new ticket for this since this has nothing to do with this one: 
https://code.google.com/p/ttrss-reader-fork/issues/detail?id=261

Original comment by nils.braden on 30 Oct 2014 at 12:58