nilsbraden / ttrss-reader-fork

An Android-Client for the self-hosted Tiny Tiny RSS feedreader
https://www.nilsbraden.de/TTRSS-Reader/

Changes of version 1.93.2 break SSL client certificate #391

Closed Elv1zz closed 4 years ago

Elv1zz commented 5 years ago

Hi and thanks for the really great app! I have been using the ttrss-reader app for quite a while now. Recently I changed my ttrss server setup to also use client certificates, only to learn that the app's support for client certificates is broken at the moment.

I verified that my server setup is working as expected with the OpenHab client app (I am using a totally unrelated openhab server as well), which is using the same server setup for SSL client certificates. And that app is working fine with the setup.

So I investigated further and checked the code and debugged it to verify the code setting up the client certificate SSL socket factory (SSLUtils.trustClientCert) is actually called -- which it is. However, the app just does not send the client certificate to the server.

From the nginx error log (IP and host name were modified by me for this post):

*4938 client sent no required SSL certificate while reading client request headers, client: 1.2.3.4, server: ttrss.example.com, request: "POST /tt-rss/api/index.php HTTP/1.1", host: "ttrss.example.com"

From the commit history I just learned that the client certificate code changed in version 1.93.2, so I reverted back to 1.93.1 and I was able to connect to my server! Any ideas to fix it without breaking #376 again?
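A server-side way to triage the nginx message quoted above, as an added example that is not part of the original post or the project's code: it parses error-log lines for client-certificate failures and counts them per client and server. The timestamps, PIDs and every sample line other than the message from the post are constructed; the `verify error` pattern follows nginx's usual wording for a certificate that was sent but rejected.

```python
import re
from collections import Counter

# Constructed sample in nginx error_log format. The first two lines reuse the
# message quoted in the post; the timestamps and the other lines are made up.
SAMPLE_LOG = '''\
2020/01/01 10:00:00 [info] 71#71: *4938 client sent no required SSL certificate while reading client request headers, client: 1.2.3.4, server: ttrss.example.com, request: "POST /tt-rss/api/index.php HTTP/1.1", host: "ttrss.example.com"
2020/01/01 10:00:05 [info] 71#71: *4939 client sent no required SSL certificate while reading client request headers, client: 1.2.3.4, server: ttrss.example.com, request: "POST /tt-rss/api/index.php HTTP/1.1", host: "ttrss.example.com"
2020/01/01 10:01:00 [info] 71#71: *4940 client SSL certificate verify error: (21:unable to verify the first certificate) while reading client request headers, client: 5.6.7.8, server: ttrss.example.com, request: "GET / HTTP/1.1", host: "ttrss.example.com"
2020/01/01 10:02:00 [error] 71#71: *4941 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 5.6.7.8, server: ttrss.example.com, request: "GET /favicon.ico HTTP/1.1", host: "ttrss.example.com"
'''

# Two failure modes: no certificate presented at all (the case in this issue),
# or a certificate presented but rejected during verification.
EVENT = re.compile(
    r'\*(?P<conn>\d+) client '
    r'(?:(?P<missing>sent no required SSL certificate)'
    r'|SSL certificate verify error: \((?P<code>\d+):(?P<reason>[^)]*)\))'
    r'.*?, client: (?P<client>[^,]+), server: (?P<server>[^,]+)'
    r'(?:, request: "(?P<request>[^"]*)")?'
)

def parse_line(line):
    """Return a dict for a client-certificate failure line, else None."""
    m = EVENT.search(line)
    if not m:
        return None
    kind = "no_certificate" if m.group("missing") else "verify_error"
    return {"conn": int(m.group("conn")), "kind": kind,
            "reason": m.group("reason"), "client": m.group("client"),
            "server": m.group("server"), "request": m.group("request")}

def summarize(text):
    """Count failures per (client, server, kind) across a whole log."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_line(line)
        if event:
            counts[(event["client"], event["server"], event["kind"])] += 1
    return counts

if __name__ == "__main__":
    for (client, server, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {kind:15s} {client} -> {server}")
```

A `no_certificate` count points at the client never offering a certificate, as in this report, while `verify_error` points at trust-chain or certificate problems on an otherwise working client.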

nilsbraden commented 5 years ago

I had a look at the code and couldn't determine any obvious errors except one which I want to try to find by debugging an actual connection using a client-certificate. Can you provide me with a certificate and account on your machine to try this? If possible send the data to ttrss@nilsbraden.de.

nilsbraden commented 4 years ago

See release here to further investigate the problem: https://github.com/nilsbraden/ttrss-reader-fork/releases/tag/v1.94.0

Elv1zz commented 4 years ago

Finally I could test your new release! Thank you very much for digging into this!

As you suggested in your mail, it works with the new release when I disable the "Use Google Play services: Provider-installer" option in "SSL settings". 😄 After thinking about it I tested with the Play Store version 1.93.3 again, now using the same settings... and it works as well! And I was so sure that I tested that already. Still confused that 1.93.1 worked with Play services enabled... 😕

nilsbraden commented 4 years ago

Well, I'm never entirely sure if these Play services are used or not in the described cases; it might be they were still loaded and changing the settings doesn't really unload them, or the other way round. Anyway, I think I finished working on the next version. If you want to join the beta test you can use this link: https://play.google.com/apps/testing/org.ttrssreader

I didn't change anything related to SSL settings anymore, though, so it's only a lot of changes in other parts of the app.