kittoku / Open-SSTP-Client

Open SSTP Client for Android
MIT License

SSLPeerUnverifiedException #8

Closed AriZoNaiCe closed 4 years ago

AriZoNaiCe commented 4 years ago

I have installed both my Root CA and my VPN cert (same ones that work for connecting using the Windows VPN clients), yet I am receiving SSLPeerUnverifiedException.

To install the certificates, I did so in the Settings --> Security & lock screen --> Advanced --> Encryption & Credentials --> Install from storage

I see both certificates installed in the "User credentials" dialog and the Root CA installed in the "Trusted credentials" dialog under "USER"

I am connecting to a Windows Server 2016 SSTP VPN and have no issues connecting from Windows and Mac SSTP client software after the certificates are installed.

Let me know if you've seen this before or if you have any idea how to resolve. I like the simplicity of this client.

Thanks!

kittoku commented 4 years ago

Did you reboot your device?

AriZoNaiCe commented 4 years ago

> Did you reboot your device?

Thank you for the suggestion. I just rebooted and tried again. Same error. :-\

kittoku commented 4 years ago

hmm...so I cannot come up with any other idea. In my environment, there is only one certificate (the server doesn't authenticate the client in an SSL/TLS handshake) and I cannot reproduce your problem. Sorry.

EDIT: After googling "android client certificate", enabling TLSv1.0 might be a solution. I will update the beta release so that this app can choose which SSL/TLS protocol to use. But even with the fix, you will very likely fail again. If it is really necessary for you to use this app, capturing the SSL/TLS negotiation with software like Wireshark will be a great help.

kittoku commented 4 years ago

Now I've added an SSL protocol option. Try choosing "TLSv1" in the SETTING tab. You need to uncheck the MS-CHAPv2 option, check Disable Hostname Verifier, and push the SAVE button to apply settings before connecting.

You can download the beta release here.

AriZoNaiCe commented 4 years ago

Thank you for trying that! Unfortunately, same result. I actually have TLSv1 disabled on my server, so that setting probably won't work for me. Is there a way to debug/confirm that the certificate is being found/matched from the Android certificate store?

I am happy to work with you and create a pcap. What app do you recommend for tracing the traffic on the Android side, or are you wanting me to Wireshark on the server (I'm not convinced we're actually hitting the server)?

kittoku commented 4 years ago

How about TLSv1.1 or TLSv1.2 setting?

AriZoNaiCe commented 4 years ago

> How about TLSv1.1 or TLSv1.2 setting?

I did try all of the different options in that dropdown, as well as combinations of all the different settings just to make sure I hadn't missed anything.

kittoku commented 4 years ago

To be honest, I'm not familiar with the SSL socket implementation of Java at all. So debugging by yourself is the most straightforward way, I think.

Yes, I'm saying an unkind thing. But please consider that it is very hard to solve a problem which I cannot reproduce...

AriZoNaiCe commented 4 years ago

> To be honest, I'm not familiar with the SSL socket implementation of Java at all. So debugging by yourself is the most straightforward way, I think.
>
> Yes, I'm saying an unkind thing. But please consider that it is very hard to solve a problem which I cannot reproduce...

It's not at all unkind -- you do not have unlimited time, and this is all for free. I thank you for all of your hard work! That said, I am willing and able to set up a test server in my environment so you can reproduce with a certificate I can provide. If you're interested in doing that, I think it could help many others looking for an Android SSTP VPN app that works with the Windows RRAS VPN implementation.

Let me know -- I can set it all up in about 30 minutes for you. As always, thank you!

kittoku commented 4 years ago

It's worth a shot. However,

・I want to connect to your server via VPN Gate. So it is possible that connecting will fail because it is VPN over VPN
・For now, I will spend only a few hours on this issue
・Your contribution could be in vain

If you are okay with these terms, please set up a test server. You can send files to my email address (you can find it in my commit log) or upload here directly.

kittoku commented 4 years ago

With @AriZoNaiCe's advice, a network configuration was added which explicitly allows this app to use certificates installed on the device. Then I fixed an SstpCallConnected bug, which the SoftEther server ignores.

Finally, we confirmed that this app works with Windows Server. @AriZoNaiCe, thanks a lot for providing a debug environment and useful information.

NOTE: For now this app supports only the PAP authentication protocol. It looks like Windows Server needs some difficult configuration to enable that protocol (I don't know the details). Windows Server owners should confirm whether PAP is enabled with Windows's built-in client.
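The "network configuration" mentioned above is, on Android 7 (API 24) and later, the app's Network Security Configuration. By default an app trusts only the system CA store, so a private or self-signed Root CA that the user installed under Settings is not a trust anchor for the app, and the TLS handshake ends in SSLPeerUnverifiedException ("Trust anchor for certification path not found") unless the app opts in. The following is an added illustration of that opt-in, written for this page; it is not the project's actual file, and the resource name network_security_config and the manifest excerpt are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example; file name is an
     assumption, not the project's own file).
     Trust the system CA store plus CAs the user installed through
     Settings > Security > Encryption & Credentials. Without the "user"
     entry a self-signed VPN CA fails with "Trust anchor for certification
     path not found". Cleartext stays disabled: SSTP is TLS-only. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- AndroidManifest.xml excerpt (added example): the <application>
     element must reference the config or it is never loaded. -->
<application android:networkSecurityConfig="@xml/network_security_config">
</application>
```

Two points a defender checks here. First, `<certificates src="user" />` inside `<base-config>` extends user-installed CA trust to every TLS connection the app makes; if only the VPN endpoint needs it, the same `<trust-anchors>` can be placed in a `<domain-config>` for that host instead. Second, this only adds trust anchors; hostname verification is unchanged, so a certificate whose subject alternative name does not match the server address still fails, which is the case the app's "Disable Hostname Verifier" setting on this page exists for.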

AriZoNaiCe commented 4 years ago

Thanks to some excellent work by kittoku, this has been resolved and the app now functions perfectly with a Windows Server SSTP setup using a self-signed certificate.

No Longer Required (v1.0.0 added support for MS-CHAPv2)

In order to enable PAP, if you're using Windows Server Routing and Remote Access on Server 2012, 2016, or higher, you will need to:

  1. Open the Routing and Remote Access application, right click on the server you want to manage on the left, choose "Properties", browse to the "Security" tab, and check the "Unencrypted Password (PAP)" box.
  2. Open the Network Policy Server application, browse to "Policies" --> "Network Policies", and find the default policy called "Connections to Microsoft Routing and Remote Access server", which should be "Enabled" with Access Type "Deny Access". Right-click that policy and choose "Properties", browse to the "Constraints" tab, click on "Authentication Methods", and check the box that says "Unencrypted authentication (PAP, SPAP)".

Once you have completed both steps above, you should be able to connect successfully using this app, as denoted by the key icon in the status bar.

Hope that helps others -- and thanks again to kittoku for all the assistance and hard work!

kittoku commented 4 years ago

Thanks for providing the detailed method. Version 1.0.0 with MS-CHAPv2 was released a few days ago. Please don't understand that I delayed the release purposely to make you troubled about PAP. When you succeeded in enabling PAP, MS-CHAPv2 was never implemented and I couldn't estimate how long it would take to implement it.

The method you wrote is still useful because it proves that there is a reliable way to connect to Windows Server (MS-CHAPv2 is an experimental feature now). Thanks again!

AriZoNaiCe commented 4 years ago

> Thanks for providing the detailed method. Version 1.0.0 with MS-CHAPv2 was released a few days ago. Please don't understand that I delayed the release purposely to make you troubled about PAP. When you succeeded in enabling PAP, MS-CHAPv2 was never implemented and I couldn't estimate how long it would take to implement it.
>
> The method you wrote is still useful because it proves that there is a reliable way to connect to Windows Server (MS-CHAPv2 is an experimental feature now). Thanks again!

No worries -- that's great news. Thanks for the update. All of this is important because we proved the use of self-signed certificates.

You're awesome!

Iranvpn commented 1 year ago

Hello

xmadueno commented 1 year ago

Hello. Has someone tested the app connecting to a Mikrotik SSTP VPN server? The client SSTP connection on Windows works fine, but there is no connection on Android. On Windows clients I have to install the CA auth. in the local machine certs (not for the local user).

Any idea to test ?

BossyBigBoss commented 1 month ago

> Hello. Has someone tested the app connecting to a Mikrotik SSTP VPN server? The client SSTP connection on Windows works fine, but there is no connection on Android. On Windows clients I have to install the CA auth. in the local machine certs (not for the local user).
>
> Any idea to test ?

I've tried it on my Samsung phone (Android 13) with Sahrzad vpn based on the Mikrotik SSTP server. It did not allow me to switch the switcher to connect. I enabled the log in the app and here is what I see:

[2024-08-13 16:08:30.343] Establish VPN connection
[2024-08-13 16:08:30.976] CERT_PATH: ERR_VERIFICATION_FAILED
[MESSAGE] Trust anchor for certification path not found.

[REASON] UNSPECIFIED

VPN Client Pro (another SSTP client) works fine with Mikrotik SSTP server.

Does anyone know what can be done to get it working with the Open SSTP app?