owntracks / android

OwnTracks Android App
http://owntracks.org
Eclipse Public License 1.0

Unable to connect to HTTP endpoint using TLS #1712

Open ilanco opened 2 weeks ago

ilanco commented 2 weeks ago

The beta version did not allow me to connect to an HTTP endpoint using https. However, pointing the app to the same domain using http worked without issues. The logs were unhelpful, even in debug mode. There was no indication that a connection was being established. Apologies for not pasting them here, I've already uninstalled the beta version.

I downgraded to version 2.4.12 (OSS) and both http and https endpoints are working properly.

I believe there is an issue with the beta version preventing the SSL handshake from succeeding.

Wireshark capture from a failed connection attempt:

    1 0.000000000 1.1.1.1 → 10.0.0.1   TCP 74 39892 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1400 SACK_PERM=1 TSval=416650023 TSecr=0 WS=512
    2 0.000071880   10.0.0.1 → 1.1.1.1 TCP 74 443 → 39892 [SYN, ACK] Seq=0 Ack=1 Win=62636 Len=0 MSS=8960 SACK_PERM=1 TSval=2152317742 TSecr=416650023 WS=128
    3 0.177270126 1.1.1.1 → 10.0.0.1   TCP 66 39892 → 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=416650201 TSecr=2152317742
    4 0.179266497 1.1.1.1 → 10.0.0.1   TLSv1 583 Client Hello
    5 0.179296337   10.0.0.1 → 1.1.1.1 TCP 66 443 → 39892 [ACK] Seq=1 Ack=518 Win=62208 Len=0 TSval=2152317921 TSecr=416650204
    6 0.180326662   10.0.0.1 → 1.1.1.1 TLSv1.3 2813 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
    7 0.213483756 1.1.1.1 → 10.0.0.1   TCP 66 39892 → 443 [FIN, ACK] Seq=518 Ack=1 Win=65536 Len=0 TSval=416650237 TSecr=2152317742
    8 0.213718917   10.0.0.1 → 1.1.1.1 TCP 66 443 → 39892 [FIN, ACK] Seq=2748 Ack=519 Win=62208 Len=0 TSval=2152317956 TSecr=416650237
    9 0.324802538 1.1.1.1 → 10.0.0.1   TCP 56 39892 → 443 [RST] Seq=518 Win=0 Len=0
   10 0.324802778 1.1.1.1 → 10.0.0.1   TCP 56 39892 → 443 [RST] Seq=518 Win=0 Len=0
   11 0.363477420 1.1.1.1 → 10.0.0.1   TCP 56 39892 → 443 [RST] Seq=519 Win=0 Len=0

And below is a successful attempt with version 2.4.12:

    1 0.000000000 1.1.1.1 → 10.0.0.1   TCP 74 42236 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1400 SACK_PERM=1 TSval=444367340 TSecr=0 WS=512
    2 0.000070640   10.0.0.1 → 1.1.1.1 TCP 74 443 → 42236 [SYN, ACK] Seq=0 Ack=1 Win=62636 Len=0 MSS=8960 SACK_PERM=1 TSval=2206995941 TSecr=444367340 WS=128
    3 0.152193718 1.1.1.1 → 10.0.0.1   TCP 66 42236 → 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=444367493 TSecr=2206995941
    4 0.160965644 1.1.1.1 → 10.0.0.1   TLSv1 583 Client Hello
    5 0.161015164   10.0.0.1 → 1.1.1.1 TCP 66 443 → 42236 [ACK] Seq=1 Ack=518 Win=62208 Len=0 TSval=2206996102 TSecr=444367498
    6 0.161928209   10.0.0.1 → 1.1.1.1 TLSv1.3 2811 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
    7 0.313457523 1.1.1.1 → 10.0.0.1   TCP 66 42236 → 443 [ACK] Seq=518 Ack=1389 Win=68608 Len=0 TSval=444367655 TSecr=2206996103
    8 0.313457723 1.1.1.1 → 10.0.0.1   TCP 66 42236 → 443 [ACK] Seq=518 Ack=2746 Win=71168 Len=0 TSval=444367655 TSecr=2206996103
    9 0.320719561 1.1.1.1 → 10.0.0.1   TLSv1.3 130 Change Cipher Spec, Application Data
   10 0.321126643   10.0.0.1 → 1.1.1.1 TLSv1.3 353 Application Data
   11 0.321262004   10.0.0.1 → 1.1.1.1 TLSv1.3 353 Application Data
   12 0.474970610 1.1.1.1 → 10.0.0.1   TLSv1.3 680 Application Data
   13 0.478465828   10.0.0.1 → 1.1.1.1 TLSv1.3 323 Application Data
   14 0.511342160 1.1.1.1 → 10.0.0.1   TCP 66 42236 → 443 [ACK] Seq=1196 Ack=3320 Win=76800 Len=0 TSval=444367852 TSecr=2206996262
   15 0.637051739 1.1.1.1 → 10.0.0.1   TCP 66 42236 → 443 [ACK] Seq=1196 Ack=3577 Win=79872 Len=0 TSval=444367977 TSecr=2206996420
   16 0.637349501 1.1.1.1 → 10.0.0.1   TLSv1.3 90 Application Data
   17 0.637621022   10.0.0.1 → 1.1.1.1 TCP 66 443 → 42236 [FIN, ACK] Seq=3577 Ack=1220 Win=61696 Len=0 TSval=2206996579 TSecr=444367979
   18 0.639295271 1.1.1.1 → 10.0.0.1   TCP 66 42236 → 443 [FIN, ACK] Seq=1220 Ack=3577 Win=79872 Len=0 TSval=444367980 TSecr=2206996420
   19 0.639314311   10.0.0.1 → 1.1.1.1 TCP 66 443 → 42236 [ACK] Seq=3578 Ack=1221 Win=61696 Len=0 TSval=2206996580 TSecr=444367980
   20 0.819259174 1.1.1.1 → 10.0.0.1   TCP 66 42236 → 443 [ACK] Seq=1221 Ack=3578 Win=79872 Len=0 TSval=444368160 TSecr=2206996579

Thanks, Ilan
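
An added example, not code from the report or from the OwnTracks project: a small parser for tshark packet-list summaries like the two above that classifies where each attempt ended. In the failed capture the client's FIN (frame 7) carries Ack=1, so it closed before acknowledging a single byte of the Server Hello, and neither side sent a TLS Alert; in the successful capture the client answers the Server Hello with its own Change Cipher Spec/Application Data records (frame 9). The excerpts embedded below are abbreviated copies of the captures in the report, with the client identified as whichever side sent the SYN.

```python
import re
from dataclasses import dataclass

# One line of a tshark/Wireshark packet-list summary:
#   <frame> <time> <src> → <dst> <proto> <len> <info>
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)

# Abbreviated copies of the two captures in the report (not constructed data).
FAILED_CAPTURE = """\
1 0.000000000 1.1.1.1 → 10.0.0.1 TCP 74 39892 → 443 [SYN] Seq=0 Win=65535 Len=0
2 0.000071880 10.0.0.1 → 1.1.1.1 TCP 74 443 → 39892 [SYN, ACK] Seq=0 Ack=1 Win=62636 Len=0
3 0.177270126 1.1.1.1 → 10.0.0.1 TCP 66 39892 → 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
4 0.179266497 1.1.1.1 → 10.0.0.1 TLSv1 583 Client Hello
5 0.179296337 10.0.0.1 → 1.1.1.1 TCP 66 443 → 39892 [ACK] Seq=1 Ack=518 Win=62208 Len=0
6 0.180326662 10.0.0.1 → 1.1.1.1 TLSv1.3 2813 Server Hello, Change Cipher Spec, Application Data, Application Data
7 0.213483756 1.1.1.1 → 10.0.0.1 TCP 66 39892 → 443 [FIN, ACK] Seq=518 Ack=1 Win=65536 Len=0
8 0.213718917 10.0.0.1 → 1.1.1.1 TCP 66 443 → 39892 [FIN, ACK] Seq=2748 Ack=519 Win=62208 Len=0
9 0.324802538 1.1.1.1 → 10.0.0.1 TCP 56 39892 → 443 [RST] Seq=518 Win=0 Len=0
"""

SUCCESS_CAPTURE = """\
1 0.000000000 1.1.1.1 → 10.0.0.1 TCP 74 42236 → 443 [SYN] Seq=0 Win=65535 Len=0
2 0.000070640 10.0.0.1 → 1.1.1.1 TCP 74 443 → 42236 [SYN, ACK] Seq=0 Ack=1 Win=62636 Len=0
3 0.152193718 1.1.1.1 → 10.0.0.1 TCP 66 42236 → 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
4 0.160965644 1.1.1.1 → 10.0.0.1 TLSv1 583 Client Hello
6 0.161928209 10.0.0.1 → 1.1.1.1 TLSv1.3 2811 Server Hello, Change Cipher Spec, Application Data, Application Data
8 0.313457723 1.1.1.1 → 10.0.0.1 TCP 66 42236 → 443 [ACK] Seq=518 Ack=2746 Win=71168 Len=0
9 0.320719561 1.1.1.1 → 10.0.0.1 TLSv1.3 130 Change Cipher Spec, Application Data
17 0.637621022 10.0.0.1 → 1.1.1.1 TCP 66 443 → 42236 [FIN, ACK] Seq=3577 Ack=1220 Win=61696 Len=0
"""


@dataclass
class Frame:
    no: int
    src: str
    dst: str
    proto: str
    info: str


def parse_summary(text: str) -> list[Frame]:
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append(Frame(int(m["no"]), m["src"], m["dst"], m["proto"], m["info"]))
    return frames


def diagnose(text: str) -> dict:
    frames = parse_summary(text)
    syn = next(f for f in frames if "[SYN]" in f.info)   # the SYN sender is the client
    client, server = syn.src, syn.dst
    r = {"client_hello": False, "server_hello": False, "alert": False,
         "client_tls_after_server_hello": False, "closed_by": None,
         "server_bytes_acked_at_close": None}
    for f in frames:
        is_tls = f.proto.startswith("TLS")   # "TLSv1" on a Client Hello is only the record-layer version
        if is_tls and "Alert" in f.info:
            r["alert"] = True
        if f.src == server and is_tls and "Server Hello" in f.info:
            r["server_hello"] = True
        if f.src == client and is_tls:
            if "Client Hello" in f.info:
                r["client_hello"] = True
            elif r["server_hello"]:
                r["client_tls_after_server_hello"] = True   # client Finished / app data
        if ("[FIN" in f.info or "[RST" in f.info) and r["closed_by"] is None:
            r["closed_by"] = "client" if f.src == client else "server"
            ack = re.search(r"Ack=(\d+)", f.info)
            if f.src == client and ack:
                # Ack=1 means nothing beyond the SYN-ACK was acknowledged when the client closed.
                r["server_bytes_acked_at_close"] = int(ack.group(1)) - 1
    if not r["client_hello"]:
        r["verdict"] = "no Client Hello seen"
    elif not r["server_hello"]:
        r["verdict"] = "Client Hello sent but no Server Hello received"
    elif r["client_tls_after_server_hello"]:
        r["verdict"] = "handshake completed: client answered the Server Hello with its own records"
    elif r["closed_by"] == "client":
        r["verdict"] = "client aborted after Server Hello without sending Finished" + \
            ("" if r["alert"] else " (no TLS Alert from either side)")
    else:
        r["verdict"] = "server closed after Server Hello"
    return r


if __name__ == "__main__":
    for name, cap in (("failed", FAILED_CAPTURE), ("success", SUCCESS_CAPTURE)):
        print(name, diagnose(cap)["verdict"])
```

The useful signal is the combination: a Server Hello that arrived, no Alert, and a client-side FIN that acknowledges zero server bytes. That points at the client closing the socket on its own rather than the server refusing the handshake, which is why the app log and status message asked for below matter more than the capture.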

jpmens commented 2 weeks ago

Have you read "Breaking Changes" in our Changelog?

ilanco commented 2 weeks ago

Hi @jpmens , thanks for responding

I'm using a certificate from Let's Encrypt, so it should be trusted by the Android trust store. I can connect to the same URI using curl or chrome.

jpmens commented 2 weeks ago

Do I see a TLS v1 connection attempt there? Our Changelog says:

TLSv1 and TLSv1.1 are deprecated. Supported TLS versions are 1.2 and 1.3.

growse commented 2 weeks ago

I think it's a v1 request with a v1.3 response.

Without seeing both the app log and status message, it's going to be hard to figure out what's going on here.
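
An added illustration of the "TLSv1" label being discussed, not code from the thread or from OwnTracks: a TLS 1.3 ClientHello is sent with record-layer version 0x0301 (TLS 1.0) and legacy_version 0x0303 (TLS 1.2) for middlebox compatibility (RFC 8446, section 5.1), and the versions the client actually offers live in the supported_versions extension. Wireshark's packet list labels a record by its record-layer version, so a Client Hello that goes on to negotiate TLS 1.3 shows up as "TLSv1" while the Server Hello shows "TLSv1.3". Note that both captures in the report, the failed one and the successful one, label the Client Hello "TLSv1". The script builds such a ClientHello (constructed input; the server name is made up) and parses the three version fields apart.

```python
import os
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(server_name: str, legacy_version: int = 0x0303,
                       versions=(0x0304, 0x0303)) -> bytes:
    """Constructed test input: a minimal ClientHello record.
    versions=None omits supported_versions, i.e. a pre-1.3 style client."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    if versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in versions)
        sv_body = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv_body)) + sv_body
    suites = struct.pack("!HHH", 0x1301, 0x1302, 0xC02F)
    body = (struct.pack("!H", legacy_version) + os.urandom(32)
            + b"\x20" + os.urandom(32)                      # legacy session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                   # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version is fixed at 0x0301; this is the value the "TLSv1" label reflects.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec: bytes) -> dict:
    if rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", rec[1:5])
    hs = rec[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                            # skip random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    supported = None
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    # Without supported_versions, legacy_version is the only version offered.
    offered = supported or [legacy_version]
    name = lambda v: VERSION_NAMES.get(v, hex(v))
    return {
        "record_version": name(record_version),
        "legacy_version": name(legacy_version),
        "supported_versions": [name(v) for v in offered],
        "highest_offered": name(max(offered)),
        "offers_tls12_or_newer": max(offered) >= 0x0303,
    }


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("owntracks.example")))
```

So the "TLSv1" in the packet list does not, by itself, mean the client asked for TLS 1.0; the Wireshark detail pane (or `tshark -V`) is needed to read supported_versions, and here the server's TLSv1.3 Server Hello already shows that 1.3 was offered and accepted.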

jpmens commented 2 weeks ago

@ilanco are you able to send both, unobfuscated please, to support@owntracks.org so that @growse can take a look?

growse commented 2 weeks ago

If you also want to email us your endpoint, I can try and recreate the connection here.

ilanco commented 2 weeks ago

I've sent both the app log and status message and the endpoint to support@owntracks.org. Thanks!

growse commented 2 weeks ago

Thanks - I seem to be able to send messages from my test device to your endpoint. I see you're using HTTP auth, are you including those credentials in the URL itself, or setting them with the credentials part on the connection screen?

ilanco commented 2 weeks ago

Hi Growse, thank you for testing the endpoint from your side. I believe I set the credentials in the dedicated settings. However, I tested without HTTP auth as well and could not connect using https, only http.

Did you use the beta version installed from Google Play or from the GitHub releases?

ilanco commented 2 weeks ago

Hi guys, I've performed another test using owntracks-release-oss-420500002.apk loaded from the GitHub releases page. Using this version I was able to connect using https.

growse commented 2 weeks ago

Ok, that's weird.

Could you confirm that the oss APK (from the GH release) works, but the gms one doesn't?