owntracks / android

OwnTracks Android App
http://owntracks.org
Eclipse Public License 1.0

Error while connecting with TLS certificates #1225

Closed trutas83 closed 2 years ago

trutas83 commented 2 years ago

I'm trying to connect to the server with the self-signed TLS client certificates (created with generate-CA.sh), but I'm having some issues.

2022-06-05 22:51:15.979 D MessageProcessor: message:TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key, 
2022-06-05 22:51:15.980 D BackgroundService: endpoint state changed Error. Message: TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
    at com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:852)
    at java.security.KeyStore.load(KeyStore.java:1484)
    at org.owntracks.android.support.SocketFactory.<init>(SourceFile:304)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:186)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:177)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.sendMessage(SourceFile:30)
    at org.owntracks.android.services.MessageProcessor.lambda$sendAvailableMessages$0(Unknown Source:2)
    at org.owntracks.android.services.MessageProcessor.$r8$lambda$bVYaIhYhXtJCzBaSxWOGtcUu6f8(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessor$$ExternalSyntheticLambda1.call(Unknown Source:4)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at android.os.Handler.handleCallback(Handler.java:938)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:226)
    at android.os.Looper.loop(Looper.java:313)
    at android.os.HandlerThread.run(HandlerThread.java:67)

Here's what I've tried so far:

...but no luck so far. Not sure what's wrong, but my only guess is that either openssl is generating incorrect .p12 file or the OS/app somehow can't find the API required to open PKCS12 file.

Here is some additional information that can help the debugging process:

  1. I've used the following command to create .p12 file from the existing crt/key file. openssl pkcs12 -export -in name.crt -inkey name.key -name "name-cert" -out name.p12
  2. When I tried to add name.p12 file in the system settings, it did not accept the password I put in. It's a very simple password and I've verified it multiple times. Perhaps this is somehow related?

  • App build number: 2.4.8, 20408019
  • Android version: 12
  • Device: Galaxy S21 Ultra
  • Installation source: Google play

Thanks for all the help!

growse commented 2 years ago

I'm having difficulty reproducing this. Using the generate-CA.sh in the link, I ran IPLIST=10.0.2.2 ./generate-CA.sh 10.0.2.2 (10.0.2.2 is going to be my broker address). I then generated a client with ./generate-CA.sh client android and then turned it into a pkcs12 with openssl pkcs12 -export -in android.crt -inkey android.key -out android.p12 and a password of a. After copying ca.crt and android.p12 to the device and configuring the latest mosquitto with:

listener 8883

cafile ca.crt
keyfile 10.0.2.2.key
certfile 10.0.2.2.crt
require_certificate true
use_identity_as_username true

When configuring OT with the broker, enabling TLS and supplying the ca and p12, OT connects just fine, and I see on the broker:

1654809520: New client connected from 127.0.0.1:46492 as emulator64x8664arm64 (p2, c0, k3600, u'android').

it did not accept the password I put in

If the password is wrong, you get an error in the logs like org.owntracks.android.services.MqttConnectionException: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file.. Is that what you saw?

Does this work if you disable client certificates on the broker and just provide the ca.crt on OT?

trutas83 commented 2 years ago

Thanks for the reply.

That's weird. I followed what you've done and it's still giving me the same error: java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key

If the password is wrong, you get an error in the logs like org.owntracks.android.services.MqttConnectionException: java.io.IOException: PKCS12 key store mac invalid - wrong password or corrupted file.. Is that what you saw?

No, it seems like I'm getting the No installed provider supports this key error before I even unlock the p12 file. Incorrect password does not seem to affect the log either--I don't see PKCS12 key store mac invalid - wrong password or corrupted file after using incorrect passwords.

Does this work if you disable client certificates on the broker and just provide the ca.crt on OT?

I've commented out require_certificate true in the configuration and provided ca certificate to the client, leaving out the client certificate and client certificate password empty. And it worked fine. Hopefully that was the correct way to disable client certificates

growse commented 2 years ago

My money's on your device OS doing something weird with the key handling libraries / providers that means (for whatever reason) the PKCS12 handling logic isn't available. Without a Samsung S21 to actually test on, I'm not going to be able to make much progress on figuring out what or why.

Good to hear it works without client certs though - my general advice is that client certs are almost never worth it, and just give you more complexity and potential failures.

trutas83 commented 2 years ago

I don't think that would be the case. I had it running just fine previously until I recently decided to migrate to a new server and reinstall the app. Is there a way to use .crt and .key files instead? Alternatively, if there's a way to test the .p12 file using mosquitto_pub, I could try that too.

growse commented 2 years ago

I'm not aware of any cli mqtt client that takes a p12 instead of a separate crt/key pair, but there may be one out there.

Only other option is to build the OT client yourself and debug through it whilst loading the key and see exactly what's going on, but I appreciate that's a little advanced. If you can reliably reproduce this (create a fresh test CA / client cert p12 and see if you get the same error), you could also mail that p12 along with the test CA cert over to support@owntracks.org and I'll see if I can debug it here.

lerra commented 2 years ago

@growse I just want to share that I am facing the same issue, it looks like it is something in my p12 certificate that is not working when the app wants to unpack it, when I test the certificates before I create the p12 file to connect to the mqtt server, it works fine,

openssl s_client -connect x.x.com:12345 -CAfile ca.crt -cert client-certs/mobile-owntracks.crt -key client-certs/mobile-owntracks.key |grep Verifica
depth=1 CN = x, O = x, OU = x, emailAddress = x@x.x
verify return:1
depth=0 CN = x.x.com, O = x, OU = x, emailAddress = x@x.x
verify return:1
Verification: OK

Here is some information about the client certificate,

openssl x509 -in client-certs/mobile-owntracks.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            x
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = nobody, O = nobody, OU = nobody, emailAddress = nobody@nobody.net
        Validity
            Not Before: Oct 29 12:53:22 2022 GMT
            Not After : Oct 26 12:53:22 x GMT
        Subject: CN = mobile-owntracks
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
x
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name: 
                <EMPTY>

            Netscape Cert Type: 
                SSL Client, S/MIME
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Key Agreement
            Netscape Comment: 
                Client Broker Certificate
            X509v3 Subject Key Identifier: 
x
            X509v3 Authority Key Identifier: 
                keyid:x
                DirName:/CN=x/O=x/OU=x/emailAddress=x@x.x
                serial:x
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
x
-----BEGIN CERTIFICATE-----
X
-----END CERTIFICATE-----

Some info of the p12 file

openssl pkcs12 -info -in mobile-owntracks.p12 -nodes
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    localKeyID: x 
    friendlyName: mobile certificate/key
subject=CN = mobile-owntracks
issuer=CN = x, O = x, OU = x, emailAddress = x@x.x
-----BEGIN CERTIFICATE-----
x
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Bag Attributes
    localKeyID: x
    friendlyName: lerra mobile certificate/key
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
x
-----END PRIVATE KEY-----

I get the error regardless if I have the ca file in ownapps or not and I can verify that I don't see any outgoing connections from the mobile as I did a tcpdump on the traffic on the server.

I am running version 2.4.10 of the app and here is the error

org.owntracks.android.services.MqttConnectionException: java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:310)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:178)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda0.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:938)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:233)
    at android.os.Looper.loop(Looper.java:344)
    at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by: java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
    at com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:852)
    at java.security.KeyStore.load(KeyStore.java:1505)
    at org.owntracks.android.support.SocketFactory.<init>(SourceFile:305)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:187)
    ... 10 more

Is there anything else I can provide?

growse commented 2 years ago

@lerra

Are you seeing the same "No installed provider" error as the OP?

What's the make/model of your device?

lerra commented 2 years ago

@growse wow, you are super fast :-)

Yes, added the logs for it, I also used generate-CA.sh to create the cert.

I use a OnePlus 9 with the latest version of Android 12

growse commented 2 years ago

Thanks.

Need to do some research here, as there's no reason I can see that the Bouncy castle p12 provider isn't on the base OS.

Might be something to do with architecture, or the specific image that both Samsung and OnePlus ship. Will do some digging and see if I can find a pattern.

lerra commented 2 years ago

Alright, thanks! Anything else I could collect that would help @growse ?

growse commented 2 years ago

This is a bit of a mystery. I've tried it on a remote Samsung device but can't replicate the issue.

The only thing i can think of is that it looks like the vendored version of bouncycastle doesn't work properly in some scenarios. Given the difficulty of reproducing it, I wonder if a good approach might be to specifically depend on a recent, full-fat version of BC and see if that solves the problem?

edit just to rule out if it's the client p12 file, can you try it with the attached? password is changeit.

test-client.zip

lerra commented 2 years ago

If you want i can test if i get an APK that have the full BC in it

growse commented 2 years ago

The GH file limit is 25MB, and the zipped apk is 26MB :(

lerra commented 2 years ago

Upload it on https://www.filemail.com/ and use the get link functionality, post the link + sha256 hash here

lerra commented 2 years ago

Hi mate,

it actually looks like there is something wrong with the certificate,

This is what I get in owntracks and from my understanding it is the reject from the mqtt server due to the client certificate is not trusted,

2022-11-03 07:04:05.837 I TimberInMemoryLogTree: Logs cleared
2022-11-03 07:04:23.089 I ServiceStarter$Impl: starting service
2022-11-03 07:04:35.630 E MessageProcessorEndpointMqtt: Failed to reconnect to MQTT broker
org.owntracks.android.services.MqttConnectionException:  (0) - javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb4000073695c6208: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb40000736940e188:0x00000001)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:243)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda0.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:938)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:233)
    at android.os.Looper.loop(Looper.java:344)
    at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by:  (0) - javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb4000073695c6208: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb40000736940e188:0x00000001)
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:433)
    at java.lang.Thread.run(Thread.java:1012)
Caused by: javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb4000073695c6208: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb40000736940e188:0x00000001)
    at org.conscrypt.SSLUtils.toSSLHandshakeException(Unknown Source:13)
    at org.conscrypt.ConscryptEngine.convertException(Unknown Source:14)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:369)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:28)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:11)
    at org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(SourceFile:70)
    at org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(Unknown Source:0)
    at org.conscrypt.ConscryptEngineSocket.doHandshake(Unknown Source:90)
    at org.conscrypt.ConscryptEngineSocket.startHandshake(Unknown Source:36)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(Unknown Source:83)
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:174)
    ... 1 more
Caused by: javax.net.ssl.SSLProtocolException: Read error: ssl=0xb4000073695c6208: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb40000736940e188:0x00000001)
    at org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
    at org.conscrypt.NativeSsl.readDirectByteBuffer(Unknown Source:16)
    at org.conscrypt.ConscryptEngine.readPlaintextDataDirect(Unknown Source:6)
    at org.conscrypt.ConscryptEngine.readPlaintextData(Unknown Source:21)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:253)
    ... 9 more

2022-11-03 07:04:37.854 I MQTTReconnectWorker: MQTTReconnectWorker started on threadID: Thread[androidx.work-2,5,main]
2022-11-03 07:04:38.048 E MessageProcessorEndpointMqtt: Failed to reconnect to MQTT broker
org.owntracks.android.services.MqttConnectionException:  (0) - javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb40000736a9bf488: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb40000736953a5c8:0x00000001)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:243)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda0.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:938)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:233)
    at android.os.Looper.loop(Looper.java:344)
    at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by:  (0) - javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb40000736a9bf488: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb40000736953a5c8:0x00000001)
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:433)
    at java.lang.Thread.run(Thread.java:1012)
Caused by: javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb40000736a9bf488: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb40000736953a5c8:0x00000001)
    at org.conscrypt.SSLUtils.toSSLHandshakeException(Unknown Source:13)
    at org.conscrypt.ConscryptEngine.convertException(Unknown Source:14)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:369)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:28)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:11)
    at org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(SourceFile:70)
    at org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(Unknown Source:0)
    at org.conscrypt.ConscryptEngineSocket.doHandshake(Unknown Source:90)
    at org.conscrypt.ConscryptEngineSocket.startHandshake(Unknown Source:36)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(Unknown Source:83)
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:174)
    ... 1 more
Caused by: javax.net.ssl.SSLProtocolException: Read error: ssl=0xb40000736a9bf488: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb40000736953a5c8:0x00000001)
    at org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
    at org.conscrypt.NativeSsl.readDirectByteBuffer(Unknown Source:16)
    at org.conscrypt.ConscryptEngine.readPlaintextDataDirect(Unknown Source:6)
    at org.conscrypt.ConscryptEngine.readPlaintextData(Unknown Source:21)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:253)
    ... 9 more

2022-11-03 07:05:14.794 W MessageProcessorEndpointMqtt: failed connection attempts: 21
2022-11-03 07:05:14.794 E MessageProcessor: Message delivery failed. queueLength: 2, messageId: 1667455267380-c36bb2
2022-11-03 07:05:14.794 W MessageProcessor: Error sending message. Re-queueing
2022-11-03 07:05:14.797 I MessageProcessor: Waiting for 120 s before retrying
2022-11-03 07:05:48.071 I MQTTReconnectWorker: MQTTReconnectWorker started on threadID: Thread[androidx.work-3,5,main]
2022-11-03 07:05:48.404 E MessageProcessorEndpointMqtt: Failed to reconnect to MQTT broker
org.owntracks.android.services.MqttConnectionException:  (0) - javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb4000073692e8408: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb4000073692ac388:0x00000001)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:243)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda0.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:938)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:233)
    at android.os.Looper.loop(Looper.java:344)
    at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by:  (0) - javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb4000073692e8408: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb4000073692ac388:0x00000001)
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:433)
    at java.lang.Thread.run(Thread.java:1012)
Caused by: javax.net.ssl.SSLHandshakeException: Read error: ssl=0xb4000073692e8408: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb4000073692ac388:0x00000001)
    at org.conscrypt.SSLUtils.toSSLHandshakeException(Unknown Source:13)
    at org.conscrypt.ConscryptEngine.convertException(Unknown Source:14)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:369)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:28)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:11)
    at org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(SourceFile:70)
    at org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(Unknown Source:0)
    at org.conscrypt.ConscryptEngineSocket.doHandshake(Unknown Source:90)
    at org.conscrypt.ConscryptEngineSocket.startHandshake(Unknown Source:36)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(Unknown Source:83)
    at androidx.work.impl.utils.WorkForegroundUpdater$1.run(SourceFile:174)
    ... 1 more
Caused by: javax.net.ssl.SSLProtocolException: Read error: ssl=0xb4000073692e8408: Failure in SSL library, usually a protocol error
error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA (/usr/local/google/home/prb/src/boringssl/ssl/tls_record.cc:594 0xb4000073692ac388:0x00000001)
    at org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
    at org.conscrypt.NativeSsl.readDirectByteBuffer(Unknown Source:16)
    at org.conscrypt.ConscryptEngine.readPlaintextDataDirect(Unknown Source:6)
    at org.conscrypt.ConscryptEngine.readPlaintextData(Unknown Source:21)
    at org.conscrypt.ConscryptEngine.unwrap(Unknown Source:253)
    ... 9 more

I get the following error on the mqtt server

OpenSSL Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
 Socket error on client <unknown>, disconnecting.

For some reason I can not use openssl to check / extract the certificate even if I paste the password,

openssl pkcs12 -info -in test-client.p12 -nodes
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
801B94A8707F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

When I use the ubuntu gui to check the certificate (pasting the same password), I can see that there is a CA included in your certificate. I will try to see if that would help in my case.
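
The two openssl pkcs12 -info outputs quoted in this thread report different MAC and bag-encryption parameters, which is the first thing to compare when one .p12 loads and another fails with "error constructing MAC". The following Python is an added example, not code from the thread or from OwnTracks: it parses those header lines and lists the parameters that differ. The function names are hypothetical and the sample text is copied from the outputs above with certificate and key bodies left out.

```python
import re

# Header lines copied from the two `openssl pkcs12 -info` outputs quoted in this
# thread (certificate and key bodies omitted).
FAILING_P12_INFO = """\
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
"""

TEST_CLIENT_P12_INFO = """\
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
801B94A8707F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
"""


def parse_encryption(spec):
    """Split e.g. 'PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'."""
    parts = [p.strip() for p in spec.split(",")]
    enc = {"scheme": parts[0], "kdf": None, "cipher": None,
           "iterations": None, "prf": None}
    for part in parts[1:]:
        if part.startswith("Iteration "):
            enc["iterations"] = int(part.split()[1])
        elif part.startswith("PRF "):
            enc["prf"] = part.split()[1]
        elif enc["scheme"] == "PBES2" and enc["kdf"] is None:
            enc["kdf"] = part          # PBES2 names its KDF first ...
        elif enc["scheme"] == "PBES2":
            enc["cipher"] = part       # ... then the cipher
    return enc


def parse_p12_info(text):
    """Extract MAC and bag-encryption parameters from `openssl pkcs12 -info` output."""
    profile = {"mac_digest": None, "mac_iterations": None,
               "cert_encryption": None, "key_encryption": None,
               "unsupported_algorithm": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"MAC:\s*([\w-]+),\s*Iteration\s+(\d+)$", line)
        if m:
            profile["mac_digest"] = m.group(1)
            profile["mac_iterations"] = int(m.group(2))
            continue
        m = re.match(r"PKCS7 Encrypted data:\s*(.+)$", line)
        if m:
            profile["cert_encryption"] = parse_encryption(m.group(1))
            continue
        m = re.match(r"Shrouded Keybag:\s*(.+)$", line)
        if m:
            profile["key_encryption"] = parse_encryption(m.group(1))
            continue
        # OpenSSL error line naming an algorithm the local build cannot fetch.
        m = re.search(r":unsupported:.*Algorithm \(([\w-]+) : \d+\)", line)
        if m:
            profile["unsupported_algorithm"] = m.group(1)
    return profile


def flatten(profile):
    """Turn nested encryption dicts into dotted keys so profiles compare field by field."""
    flat = {}
    for key, value in profile.items():
        if isinstance(value, dict):
            for sub, v in value.items():
                flat[f"{key}.{sub}"] = v
        else:
            flat[key] = value
    return flat


def diff_profiles(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    fa, fb = flatten(a), flatten(b)
    return {k: (fa.get(k), fb.get(k))
            for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)}


if __name__ == "__main__":
    failing = parse_p12_info(FAILING_P12_INFO)
    test_client = parse_p12_info(TEST_CLIENT_P12_INFO)
    for field, (left, right) in diff_profiles(failing, test_client).items():
        print(f"{field:28} failing={left!s:18} test-client={right}")
```
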

lerra commented 2 years ago

Tried by building a new p12 (openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile ca.crt) with a simple password, but got the same initial error as I had

growse commented 2 years ago

Upload it on https://www.filemail.com/ and use the get link functionality, post the link + sha256 hash here

https://www.filemail.com/d/tchtibttcxucyuh app-gms-debug.apk SHA-256 30FAD86BE5A34193614F0851FF8FBB4DE5809C9BB92506BD94DE4B2B92CDE8D4

growse commented 2 years ago

I can see that there is a CA included in your certificate. I will try to see if that would help in my case.

That's pretty weird. Can you try creating a whole new cert bundle (CA, server-side cert/key, client p12) with mkcert (https://github.com/FiloSottile/mkcert) and see what the behaviour is?

$ mkcert <mqtt-hostname>
$ mkcert -client -pkcs12 test

Bluntly, I don't trust openssl to ever do the right, or useful thing. There's too many options, and not enough ergonomics to be sure that it's doing what you want. mkcert fixes that by getting rid of all the options and just does the Right Thing. If you still have an issue with a mkcert-generated cert, then it's OT that's the problem. If not, it's maybe the cert that openssl is generating?

lerra commented 2 years ago

Looks like the apk actually works, or at least not a certificate loading problem and i can see the failed connection on the mqtt server. Will continue troubleshooting during the weekend,

This is the logs from the app

2022-11-03 22:50:30.047 I TimberInMemoryLogTree/clear/36: Logs cleared
2022-11-03 22:50:37.284 I ServiceStarter$Impl/startService/16: starting service
2022-11-03 22:50:41.393 E MessageProcessorEndpointMqtt/reconnect/518: Failed to reconnect to MQTT broker
org.owntracks.android.services.MqttConnectionException: Not authorized to connect (5)
 at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(MessageProcessorEndpointMqtt.java:296)
 at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(MessageProcessorEndpointMqtt.java:516)
 at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1$org-owntracks-android-services-MessageProcessorEndpointMqtt(MessageProcessorEndpointMqtt.java:509)
 at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda2.run(Unknown Source:4)
 at android.os.Handler.handleCallback(Handler.java:938)
 at android.os.Handler.dispatchMessage(Handler.java:99)
 at android.os.Looper.loopOnce(Looper.java:233)
 at android.os.Looper.loop(Looper.java:344)
 at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by: Not authorized to connect (5)
 at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:28)
 at org.eclipse.paho.client.mqttv3.internal.ClientState.notifyReceivedAck(ClientState.java:1053)
 at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:151)
 at java.lang.Thread.run(Thread.java:1012)

Mqtt logs, will ensure that it actually tried with the certificate so it is not lost

New connection from x.x.x.x on port x.
Socket error on client <unknown>, disconnecting.

growse commented 2 years ago

That's encouraging. So maybe we do just need to vendor BC?

edit I think that "Not authorized to connect" is a message from mosquitto post-TLS, so might indicate that TLS is successful.

lerra commented 2 years ago

Give me the weekend to confirm :)

lerra commented 2 years ago

Confirmed, screenshot of the apk you sent in working state with client certificate and then i exported and imported the config to the latest version from Google play and it does not work :)

Big thanks for the great support!

Latest version in google play: IMG_20221104_200354.jpg

The apk you uploaded yesterday: Screenshot_2022-11-04-20-03-30-59_9951077289cab6671e6adf4f98f78cdd.jpg

Btw, any plans to enable github sponsors on the repo ?

growse commented 2 years ago

Great to hear, I'll get that BC vendor change merged for the next release.

For sponsorships, we use liberapay.com/owntracks.org

lerra commented 2 years ago

Alright, big thanks again for helping out, i really appreciate it and sent a donation.

corus87 commented 2 years ago

Hi @growse I ran into the same issue, any plans to release a new version soon? Or could you please upload an APK with the fix? FYI, I'm running Android 13 AOSP based custom rom.

Thank you for your work.

growse commented 2 years ago

> Hi @growse I ran into the same issue, any plans to release a new version soon? Or could you please upload an APK with the fix? FYI, I'm running Android 13 AOSP based custom rom.
>
> Thank you for your work.

We'll have a new version the moment we've solved the objectbox issue. Unfortunately, this is very non-trivial....

corus87 commented 2 years ago

> > Hi @growse I ran into the same issue, any plans to release a new version soon? Or could you please upload an APK with the fix? FYI, I'm running Android 13 AOSP based custom rom. Thank you for your work.
>
> We'll have a new version the moment we've solved the objectbox issue. Unfortunately, this is very non-trivial....

Oh damn...

> Upload it on https://www.filemail.com/ and use the get link functionality, post the link + sha256 hash here

> https://www.filemail.com/d/tchtibttcxucyuh app-gms-debug.apk SHA-256 30FAD86BE5A34193614F0851FF8FBB4DE5809C9BB92506BD94DE4B2B92CDE8D4

Any chance you may still have this APK lying around? As a workaround it would be fine for me.

growse commented 2 years ago

Sure, let me dig it out once I get near an actual computer.

corus87 commented 2 years ago

Thank you!

growse commented 2 years ago

If you can get to https://app.circleci.com/pipelines/github/owntracks/android?branch=master then that's the CI pipeline. The latest apks should be available as artefacts on the "publish to play store" job.

corus87 commented 2 years ago

Thanks for the hint with the CI pipeline, I was able to download the latest APK. But now I get another error, "TLS setup failed: exception decrypting data - java.security.NoSuchAlgorithmException..." I'm going to check my certificates and some other stuff, maybe this is an error on my end. Anyway thanks for the quick support!

growse commented 2 years ago

Possibly a proguard issue, if it's discarding bits of bouncycastle that then turn out to be needed via reflection. If you can drop the full stacktrace I can take a look.

corus87 commented 1 year ago

Hi @growse, sorry for the late response, it was a busy week...

2022-11-18 21:04:41.136 D MessageProcessorEndpointMqtt: MQTT not current connecting
2022-11-18 21:04:41.137 D MessageProcessorEndpointMqtt: Connecting to broker. ThreadId: Thread[networkHandlerThread,5,main]
2022-11-18 21:04:41.137 D MessageProcessorEndpointMqtt: Connecting on non-ui worker thread: Thread[networkHandlerThread,5,main]
2022-11-18 21:04:41.137 D MessageProcessorEndpointMqtt: Acquired connecting lock
2022-11-18 21:04:41.137 D MessageProcessor: message:null, 
2022-11-18 21:04:41.138 D MessageProcessorEndpointMqtt: Disconnecting mqtt Client
2022-11-18 21:04:41.138 D MessageProcessorEndpointMqtt: Error disconnecting from mqtt client.
 (32101)
    at okio.Okio__OkioKt.createMqttException(Unknown Source:9)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms.disconnect(SourceFile:113)
    at org.eclipse.paho.client.mqttv3.MqttAsyncClient.disconnect(SourceFile:51)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:135)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda0.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:942)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:201)
    at android.os.Looper.loop(Looper.java:288)
    at android.os.HandlerThread.run(HandlerThread.java:67)

2022-11-18 21:04:41.138 D MessageProcessorEndpointMqtt: Initializing new mqttClient
2022-11-18 21:04:41.139 D MessageProcessorEndpointMqtt: client id :test_client, connect string: ssl://mydomain.de:8883
2022-11-18 21:04:41.150 D MessageProcessor: message:TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key, 
2022-11-18 21:04:41.150 E MessageProcessorEndpointMqtt: Failed to reconnect to MQTT broker
org.owntracks.android.services.MqttConnectionException: java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:310)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:178)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda0.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:942)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:201)
    at android.os.Looper.loop(Looper.java:288)
    at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by: java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
    at com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:852)
    at java.security.KeyStore.load(KeyStore.java:1505)
    at org.owntracks.android.support.SocketFactory.<init>(SourceFile:305)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:187)
    ... 10 more

If there is anything else I can test or provide, let me know.

growse commented 1 year ago

Np - is that for version 20411011? (In the about screen)

corus87 commented 1 year ago

Oh sorry... this was indeed the version installed from the playstore... I reinstalled the apk from the CI Pipeline (20411011).

2022-11-20 09:57:01.862 D MessageProcessorEndpointMqtt: Initializing new mqttClient
2022-11-20 09:57:01.862 D MessageProcessorEndpointMqtt: client id :myclient, connect string: ssl://mydomain.de:8883
2022-11-20 09:57:01.881 D MessageProcessor: message:TLS setup failed: exception decrypting data - java.security.NoSuchAlgorithmException: No provider found for 2.16.840.1.101.3.4.1.42, 
2022-11-20 09:57:01.881 E MessageProcessorEndpointMqtt: Failed to reconnect to MQTT broker
org.owntracks.android.services.MqttConnectionException: java.io.IOException: exception decrypting data - java.security.NoSuchAlgorithmException: No provider found for 2.16.840.1.101.3.4.1.42
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:310)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:178)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda1.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:942)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:201)
    at android.os.Looper.loop(Looper.java:288)
    at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by: java.io.IOException: exception decrypting data - java.security.NoSuchAlgorithmException: No provider found for 2.16.840.1.101.3.4.1.42
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(SourceFile:116)
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(SourceFile:676)
    at java.security.KeyStore.load(KeyStore.java:1505)
    at org.owntracks.android.support.SocketFactory.<init>(SourceFile:311)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:187)
    ... 10 more

2022-11-20 09:57:10.826 D MessageProcessorEndpointMqtt: MQTT not current connecting
2022-11-20 09:57:10.827 D MessageProcessorEndpointMqtt: Connecting to broker. ThreadId: Thread[networkHandlerThread,5,main]
2022-11-20 09:57:10.827 D MessageProcessorEndpointMqtt: Connecting on non-ui worker thread: Thread[networkHandlerThread,5,main]
2022-11-20 09:57:10.828 D MessageProcessorEndpointMqtt: Acquired connecting lock
2022-11-20 09:57:10.828 D MessageProcessor: message:null, 
2022-11-20 09:57:10.828 D MessageProcessorEndpointMqtt: Disconnecting mqtt Client
2022-11-20 09:57:10.829 D MessageProcessorEndpointMqtt: Error disconnecting from mqtt client.
 (32101)
    at androidx.room.Room.createMqttException(Unknown Source:9)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms.disconnect(SourceFile:113)
    at org.eclipse.paho.client.mqttv3.MqttAsyncClient.disconnect(SourceFile:51)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:135)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda1.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:942)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:201)
    at android.os.Looper.loop(Looper.java:288)
    at android.os.HandlerThread.run(HandlerThread.java:67)

2022-11-20 09:57:10.829 D MessageProcessorEndpointMqtt: Initializing new mqttClient
2022-11-20 09:57:10.829 D MessageProcessorEndpointMqtt: client id :myclient, connect string: ssl://mydomain.de:8883
2022-11-20 09:57:10.864 D MessageProcessor: message:TLS setup failed: exception decrypting data - java.security.NoSuchAlgorithmException: No provider found for 2.16.840.1.101.3.4.1.42, 
2022-11-20 09:57:10.865 E MessageProcessorEndpointMqtt: Failed to reconnect to MQTT broker
org.owntracks.android.services.MqttConnectionException: java.io.IOException: exception decrypting data - java.security.NoSuchAlgorithmException: No provider found for 2.16.840.1.101.3.4.1.42
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:310)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:178)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.reconnect(SourceFile:46)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.lambda$reconnect$1(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.$r8$lambda$3UR4gQL2b_UbF_ekJLIMhafolpU(Unknown Source:0)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt$$ExternalSyntheticLambda1.run(Unknown Source:18)
    at android.os.Handler.handleCallback(Handler.java:942)
    at android.os.Handler.dispatchMessage(Handler.java:99)
    at android.os.Looper.loopOnce(Looper.java:201)
    at android.os.Looper.loop(Looper.java:288)
    at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by: java.io.IOException: exception decrypting data - java.security.NoSuchAlgorithmException: No provider found for 2.16.840.1.101.3.4.1.42
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(SourceFile:116)
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(SourceFile:676)
    at java.security.KeyStore.load(KeyStore.java:1505)
    at org.owntracks.android.support.SocketFactory.<init>(SourceFile:311)
    at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:187)
    ... 10 more

growse commented 1 year ago

So, went down a bit of a rabbit hole on this one. I ended up needing to widen the proguard rules for BouncyCastle a little, so now it should be able to parse AES256-encrypted PKCS12 files, so if you can try the next CI build (once it's finished), that might fix it.
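
An added illustration (not part of the thread or of the OwnTracks code base): the two failures logged above can be told apart mechanically, because the package of the `PKCS12KeyStoreSpi` frame shows whether Android's platform BouncyCastle or the app-bundled copy loaded the keystore, and the OID in the message names the cipher no provider offered. The function name, labels and sample text are constructed for this example.

```python
import re

# The package of the PKCS12KeyStoreSpi frame shows which BouncyCastle copy loaded the file.
PROVIDERS = {
    "com.android.org.bouncycastle": "platform BouncyCastle",
    "org.bouncycastle": "app-bundled BouncyCastle",
}
# NIST AES-CBC OIDs, as used for PBES2 content encryption in PKCS#12 files.
CIPHER_OIDS = {
    "2.16.840.1.101.3.4.1.2": "aes128-CBC",
    "2.16.840.1.101.3.4.1.22": "aes192-CBC",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}
SPI_FRAME = re.compile(r"at ((?:com\.android\.)?org\.bouncycastle)\.\S*PKCS12KeyStoreSpi\.(\w+)\(")
CAUSE = re.compile(r"^Caused by: \S+: (.*)$")
OID = re.compile(r"No provider found for ((?:\d+\.)+\d+)")

def triage(log_text):
    """Return one finding per 'Caused by' block that is followed by a PKCS12KeyStoreSpi frame."""
    findings, cause = [], None
    for line in log_text.splitlines():
        m = CAUSE.match(line.strip())
        if m:
            cause = m.group(1)
            continue
        frame = SPI_FRAME.search(line)
        if frame and cause is not None:
            oid = OID.search(cause)
            findings.append({
                "provider": PROVIDERS[frame.group(1)],
                "stage": ("integrity MAC check" if "constructing MAC" in cause
                          else "content decryption" if "decrypting data" in cause else "unknown"),
                "missing_oid": oid.group(1) if oid else None,
                "cipher": CIPHER_OIDS.get(oid.group(1), "unlisted") if oid else None,
            })
            cause = None  # count only the innermost SPI frame per cause
    return findings

# Constructed sample: the two distinct "Caused by" blocks from the logs in this thread.
SAMPLE = """\
Caused by: java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
    at com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:852)
Caused by: java.io.IOException: exception decrypting data - java.security.NoSuchAlgorithmException: No provider found for 2.16.840.1.101.3.4.1.42
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.cryptData(SourceFile:116)
    at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(SourceFile:676)
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```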

corus87 commented 1 year ago

@growse Hi, thanks a lot, the last build did fix the issue, I could finally connect to my broker :) Thank you very much for not giving up!

lerra commented 1 year ago

> So, went down a bit of a rabbit hole on this one. I ended up needing to widen the proguard rules for BouncyCastle a little, so now it should be able to parse AES256-encrypted PKCS12 files, so if you can try the next CI build (once it's finished), that might fix it.

When will it be published to google play? :)

growse commented 1 year ago

Need to fix a few blockers first, specifically #1298 which involves reverse-engineering the objectbox datastore. Non-trivial.

lerra commented 1 year ago

@growse Hey mate, hope you are well :-)

I was wondering if there are any plans to publish the fix to Google play store?

Cheers and thanks again for the support!

growse commented 1 year ago

So many plans, so little time......

Life's a little busy at the moment, but the next release will be 2.5.0 and hopefully not too far away. The big problem to still be solved is reverse engineering objectbox so we can move to an open source storage implementation and publish back on F-Droid. Progress is slow here, but steady.

lerra commented 3 months ago

@growse it works like a charm, big thanks for your effort to this 🙏