syncthing / syncthing-android

Wrapper of syncthing for Android.
https://syncthing.net/
Mozilla Public License 2.0

Custom https-cert causes infinite hang at startup #2067

Open brad2014 opened 4 months ago

brad2014 commented 4 months ago

I have set the syncthing web gui listen address to 0.0.0.0:8384 and imported a custom https-cert.pem / https-key.pem with CN=myphone.mydomain.com signed by my home lab's CA.

With the most recent App version, this causes syncthing to go into an infinite hang upon startup. It appears that PollWebGuiAvailableTask throws an error if the certificate does not validate (maybe because it doesn't detect my home lab root CA cert in the Android trust store, or the CN/SNI of the certificate is not what is required?).

Expected behavior

Any of these (roughly in order of usability):

Actual behavior

Upon startup, the app hangs with a spinner in an infinite loop. Logcat continuously repeats this error:

03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: Unexpected error while polling web gui
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: error:1a000064:ECDSA routines:OPENSSL_internal:BAD_SIGNATURE
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.volley.toolbox.NetworkUtility.shouldRetryException(NetworkUtility.java:173)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:145)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:132)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:111)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:90)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: Caused by: javax.net.ssl.SSLHandshakeException: error:1a000064:ECDSA routines:OPENSSL_internal:BAD_SIGNATURE
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:356)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:896)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:236)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:218)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:196)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:153)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:116)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:186)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:128)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:97)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:289)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:232)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:465)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:411)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:542)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:106)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:30)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.volley.toolbox.HurlStack.executeRequest(HurlStack.java:91)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:104)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask:   ... 3 more

Version Information

App Version: 1.27.3
Syncthing Version: 1.27.3
Android Version: Android 14

Workaround

Open to ideas. Goal is to present the syncthing web gui as a trusted site in my domain.
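The handshake failure above can come from several distinct stages: the leaf certificate's signature not verifying against the CA, the https-key.pem not belonging to https-cert.pem, or the hostname the client verifies not appearing in the certificate (modern verifiers check the subjectAltName rather than the CN). The following script is an added diagnostic example, not code from the issue or from syncthing-android: it constructs a throwaway lab CA and leaf certificate shaped like the reporter's setup (the hostname myphone.mydomain.com is taken from the report; the key type, validity and file names are assumptions) and runs each of those offline checks with plain openssl, so a practitioner can isolate which stage breaks before looking at the app.

```shell
#!/bin/sh
# Added diagnostic example (not part of the issue or of syncthing-android).
# Builds a constructed lab CA and leaf certificate, then runs the three offline
# checks that separate a chain problem, a key/cert mismatch and a SAN problem.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST_EXPECTED="myphone.mydomain.com"   # hostname from the report; assumed here

# 1. Constructed lab CA (self-signed, ECDSA P-256), standing in for the home-lab CA.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca-key.pem"
openssl req -x509 -new -key "$WORK/ca-key.pem" -sha256 -days 30 \
    -subj "/CN=Lab Root CA" -out "$WORK/ca.pem" 2>/dev/null

# 2. Constructed leaf: CN plus a matching dNSName SAN, signed by the lab CA.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/https-key.pem"
openssl req -new -key "$WORK/https-key.pem" -subj "/CN=$HOST_EXPECTED" \
    -out "$WORK/leaf.csr" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$HOST_EXPECTED" > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/https-cert.pem" 2>/dev/null

# check_chain CA LEAF: does the leaf's signature verify against the CA?
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_keypair LEAF KEY: does the private key belong to the certificate?
# Compares the PEM public key embedded in the cert with the one derived from the key.
check_keypair() {
  cert_pub="$(openssl x509 -in "$1" -pubkey -noout)"
  key_pub="$(openssl pkey -in "$2" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# check_san LEAF HOST: does the SAN carry the hostname clients will verify?
check_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# report LABEL CMD...: one-line pass/fail summary when run stand-alone.
report() {
  label="$1"; shift
  if "$@"; then echo "$label: ok"; else echo "$label: FAIL"; fi
}

report "leaf signature verifies against CA" check_chain "$WORK/ca.pem" "$WORK/https-cert.pem"
report "https-key.pem matches https-cert.pem" check_keypair "$WORK/https-cert.pem" "$WORK/https-key.pem"
report "SAN contains $HOST_EXPECTED" check_san "$WORK/https-cert.pem" "$HOST_EXPECTED"
```

Run with the real files in place of the constructed ones (the CA bundle the phone trusts, and the https-cert.pem / https-key.pem that were imported). A failing first check points at the CA or the signature itself, a failing second check at a key that was generated for a different certificate, and a failing third check at a hostname verification problem that no trust-store change will fix. Against the running GUI, `openssl s_client -connect HOST:8384 -servername myphone.mydomain.com -CAfile ca.pem` reproduces the client side of the handshake from a machine where the error text is easier to read than in logcat.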

imsodin commented 4 months ago

> Open to ideas. Goal is to present the syncthing web gui as a trusted site in my domain.

I think you can add CAs to Android's system store. So you could add your home lab's CA there, which should help if it's the missing root cert that's the issue here.

brad2014 commented 4 months ago

> So you could add your home lab's CA there

Sorry if unclear - when I said, "it doesn't detect my home lab root CA cert in the Android trust store," I meant that my CA was already added when the error occurred.