obilodeau
commented
8 years ago (by luiscarlos) No updates on this?
Open obilodeau opened 8 years ago
obilodeau
commented
8 years ago (by luiscarlos) No updates on this?
obilodeau
commented
8 years ago (by s-lange-web) I have the same problem. I am looking forward for a correction.
obilodeau
commented
8 years ago (by j-4) Hi! I have no problem on my Android L device running the latest Tomdroid. Could you share more details? Logs, your server setup details etc. I will try to do my best to get this fixed!
obilodeau
commented
8 years ago (by tycho-schenkeveld-5) I had the same issue, I think it is something to do with the encryption algorithms not matching. There's a thread on the Rainy mailing list about this. Apparently Lollipop is a bit stricter with its algorithms and mono only supports some older ones, so there is no common supported method anymore.
Anyway, what I've done is put rainy behind nginx and that solved it. So nginx handles the SSL encryption now.
obilodeau
commented
8 years ago (by tycho-schenkeveld-5) Sorry a little update: I found the link for that thread, it was actually the Tomboy mailing list: http://lists.beatniksoftware.com/pipermail/tomboy-list-beatniksoftware.com/2014-December/017212.html
obilodeau
commented
8 years ago (by luiscarlos) Stefan as I said before I think my problem is that the SSL certificate is self-signed. Are you using self-signed too?
obilodeau
commented
8 years ago (by j-4) @Luis: I use self signed certificate with a standard Rainy instance. Works fine on the Nexus 7, Android 5.0.2. Maybe the Tomdroid logs together with the Rainy logs will tell us whats going on in your case. Do you know how to get the logs?
obilodeau
commented
8 years ago (by luiscarlos) I know how to get the rainy ones, how about the tomdroid?
obilodeau
commented
8 years ago obilodeau
commented
8 years ago (by luiscarlos) Tomdroid:
I/Tomdroid(28632): Creating dialog
V/PhoneStatusBar( 885): setLightsOn(true)
I/WebConnection(28632): Sending http-header: X-Tomboy-Client: org.tomdroid v0.7.5, build 14, Android v5.0.1, LGE/Nexus 5
D/AccountMetadataUpdater(29024): updateCapabilityFromSiblingApps interval=1287 ms
W/System.err(28632): javax.net.ssl.SSLHandshakeException: Connection closed by peer
W/System.err(28632): at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302)
W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:598)
W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:560)
W/System.err(28632): at org.apache.http.impl.io.SocketInputBuffer.
Nothing on rainy logs (I can see logs output if I access rainy through other means). The errors shows up almost immediately so it looks like it does actually send any packet to rainy.
obilodeau
commented
8 years ago (by luiscarlos) Is there any progress on this // any other info I can provide??
Thanks!
On Tue, Jan 20, 2015 at 10:41 PM, Luis Carlos Cobo
Tomdroid:
I/Tomdroid(28632): Creating dialog V/PhoneStatusBar( 885): setLightsOn(true) I/WebConnection(28632): Sending http-header: X-Tomboy-Client: org.tomdroid v0.7.5, build 14, Android v5.0.1, LGE/Nexus 5 D/AccountMetadataUpdater(29024): updateCapabilityFromSiblingApps interval=1287 ms W/System.err(28632): javax.net.ssl.SSLHandshakeException: Connection closed by peer W/System.err(28632): at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302) W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:598) W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:560) W/System.err(28632): at org.apache.http.impl.io.SocketInputBuffer.
(SocketInputBuffer.java:70) W/System.err(28632): at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:83) W/System.err(28632): at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:170) W/System.err(28632): at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:106) W/System.err(28632): at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:129) W/System.err(28632): at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:172) W/System.err(28632): at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164) W/System.err(28632): at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119) W/System.err(28632): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360) W/System.err(28632): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555) W/System.err(28632): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487) W/System.err(28632): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465) W/System.err(28632): at org.tomdroid.sync.web.WebConnection.execute(WebConnection.java:124) W/System.err(28632): at org.tomdroid.sync.web.AnonymousConnection.get(AnonymousConnection.java:42) W/System.err(28632): at org.tomdroid.sync.web.OAuthConnection.getAuthorizationUrl(OAuthConnection.java:131) W/System.err(28632): at org.tomdroid.sync.web.SnowySyncService$1.run(SnowySyncService.java:102) W/System.err(28632): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112) W/System.err(28632): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587) W/System.err(28632): at java.lang.Thread.run(Thread.java:818) W/System.err(28632): org.json.JSONException: End of input at character 0 of W/System.err(28632): at org.json.JSONTokener.syntaxError(JSONTokener.java:450) W/System.err(28632): at org.json.JSONTokener.nextValue(JSONTokener.java:97) W/System.err(28632): at org.json.JSONObject. (JSONObject.java:156) W/System.err(28632): at org.json.JSONObject. (JSONObject.java:173) W/System.err(28632): at org.tomdroid.sync.web.OAuthConnection.getAuthorizationUrl(OAuthConnection.java:136) W/System.err(28632): at org.tomdroid.sync.web.SnowySyncService$1.run(SnowySyncService.java:102) W/System.err(28632): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112) W/System.err(28632): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587) W/System.err(28632): at java.lang.Thread.run(Thread.java:818) Nothing on rainy logs (I can see logs output if I access rainy through other means). The errors shows up almost immediately so it looks like it does actually send any packet to rainy.
You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1407060
Title: Can't connect to Rainy through https
To manage notifications about this bug go to: https://bugs.launchpad.net/tomdroid/+bug/1407060/+subscriptions
Luis Carlos Cobo Rus GnuPG ID: 44019B60
obilodeau
commented
8 years ago (by unclejedd) It's hit me too after (but not sure how precisely after / resultant) the Lollipop upgrade to my Nexus 5 phone.
Samsung Tab worked fine, and rainy 0.5 VM hadn't had any changes.
Switched rainy's config to http rather than https, and able to sync again from Nexus 5.
obilodeau
commented
8 years ago (by obilodeau) Your server is probably running an old version of SSL/TLS or a cipher suite with no suitable ciphers for lollipop's new requirements.
SSL configuration has seen many changes in the past year or so due to security vulnerabilities.
Troubleshoot with "openssl s_client" or scan your server with qualy's ssllabs and adjust its configuration.
obilodeau
commented
8 years ago (by luiscarlos) openssl s_client output:
CONNECTED(00000003)
New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1428086986 Timeout : 300 (sec)
Anything odd? Also I am using this server, https://github.com/Dynalon/Rainy/releases. It is already precompiled and it was compiled in 2013, but I would assume the openssl config comes from the system wide libraries.
Any idea?
obilodeau
commented
8 years ago (by obilodeau)
ssl handshake failure... no peer certificate ...
Are you sure you have a certificate configured on your server?
The Cipher (none) bit is worrying also but might be caused by the previous error.
obilodeau
commented
8 years ago (by luiscarlos) I can access through https via web (and Tomboy desktop). The certificate is self-signed.
On Thu, Apr 9, 2015 at 5:07 AM, Olivier Bilodeau
obilodeau
commented
8 years ago (by obilodeau) Without more information it's hard to know what's going on. Send me your sync URL in private and I will poke it. No need to send credentials. Only URL.
obilodeau
commented
8 years ago (by luiscarlos) Olivier did you receive my email?
On Thu, Apr 9, 2015 at 2:06 PM, Olivier Bilodeau
obilodeau
commented
8 years ago (by obilodeau) Yes I did but forgot about it. I'll check tonight (EDT).
obilodeau
commented
8 years ago (by obilodeau) [output of testssl.sh sent in private]
The server seems incompatible with lollipop's SSL/TLS requirements and its not openssl's fault. Mono seem to have their own SSL suites activated in their Mono-HTTPAPI server which are way outdated.
As someone in this bug mentioned, running an nginx reverse-proxy in front of a non-SSL rainy instance binded to localhost would be the right approach IMO. http://lists.beatniksoftware.com/pipermail/tomboy-list-beatniksoftware.com/2014-December/017221.html
@Stefan, I'm surprised yours work. Can you send me your server's URL in private so I can maybe find a difference in your SSL configuration? Also, do you know if we do any shenanigans like mentioned here: https://code.google.com/p/android/issues/detail?id=79910#c14 in tromdoid's code? It's been ages since I looked at that code.
Refs:
obilodeau
commented
8 years ago (by luiscarlos) Thanks for looking into this Olivier, specially since the issue is not even in your app.
I set up nginx as you suggest and I can run rainy on http and add the https layer on the nginx. So now I can access via web fine through nginx, but neither tomdriod or desktop tomboy on Ubuntu can't connect to the server. Debugging tomdroid I see:
[DEBUG 22:13:40.488] Listening on http://localhost:8000/tomboy-web-sync/ for OAuth callback [DEBUG 22:13:40.490] Building web request for URL: http://MY_HOSTNAME:8087/oauth/request_token [ERROR 22:15:20.654] Failed to get auth URL from https://MY_HOSTNAME:8088. Exception was: System.Net.WebException: The request timed out
(edited MY_HOSTNAME in). So even though the original request goes to the nginx, https, 8088 port, we then get an auth URL for http and the original port where rainy is attached (which is not accessible from outside of my network).
Any idea on how to make it work?
obilodeau
commented
8 years ago (by obilodeau) @Tycho: can you share your nginx / rainy config?
If he's not subscribed to the bug's notification emails we'll have to email him. Unfortunately I can't verify since I'm offline right now. Sorry.
obilodeau
commented
8 years ago (by tycho-schenkeveld-5) Yes no problem!
I put this in /etc/nginx/conf.d/rainy.conf
server {
listen
https://colopi.schenkeveld.com:40203 ;
https://colopi.schenkeveld.com:40203 ;
location / { rewrite https://colopi.schenkeveld.com:40203 http://colopi.schenkeveld.com:40201 ; sub_filter_types application/json; sub_filter http://colopi.schenkeveld.com:40201 https://colopi.schenkeveld.com:40203 ; sub_filter_once off; chunked_transfer_encoding off;
proxy_set_header Host $host;
proxy_pass http://localhost:40201;}
On Thu, Apr 23, 2015 at 10:14 PM, Olivier Bilodeau <
obilodeau
commented
8 years ago (by tycho-schenkeveld-5) ARGHHHH Gmail sent this while I was still editing. Must have pressed a wrong key.
Here's the file cleaned up (All the stuff that's commented out was happening during my trial & error sessions).
I put this in /etc/nginx/conf.d/rainy.conf
server {
listen
location / {
rewrite https://_
So, basically I have Rainy listening on a different port than the clients connect to, and nginx forwards to it. All the rewrite and sub_filter stuff is necessary because rainy specifies some callback addresses in its API and those are incorrect if you do this.
PS: Olivier: If you could remove my previous email from the bugtracker that'd be appreciated, I did not mean to share my server addresses with the world. I have good security on it of course but still..
Regards,
Tycho
On Thu, Apr 23, 2015 at 10:14 PM, Olivier Bilodeau <
obilodeau
commented
8 years ago (by tycho-schenkeveld-5) Ok once more ;) I was trying to make it clear which bits need to be filled in with fancy formatting, but I see the launchpad bugtracker has messed this up by adding asterisks around the part I had put in bold.
So just to make it clear, here it is in plain text. Because it won't work with those *'s in it. And yes it fixes the problem that Luis is having, I was having exactly the same! It took me quite some messing around to get it working ;)
server {
listen
so that you don't get the usual self-signed certs warnings. Not sure if it will even work without it!
location / {
rewrite https://
On Thu, Apr 23, 2015 at 10:14 PM, Olivier Bilodeau <
obilodeau
commented
8 years ago (by luiscarlos) Tycho, thanks so much, I think this is going to make it work for me. I think you are missing the closing curly brace from the sub_filter, is it right after the rewrite?
obilodeau
commented
8 years ago (by luiscarlos) I tried just "sub_filter internal external" but that sill does not seem to cut it. Adding the two locations above, /oauth/* does not seem to finally fix it either. Maybe there is some caching issue?
On Thu, Apr 23, 2015 at 5:25 PM, Luis Carlos Cobo
Tycho, thanks so much, I think this is going to make it work for me. I think you are missing the closing curly brace from the sub_filter, is it right after the rewrite?
You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1407060
Title: Can't connect to Rainy through https
To manage notifications about this bug go to: https://bugs.launchpad.net/tomdroid/+bug/1407060/+subscriptions
Luis Carlos Cobo Rus GnuPG ID: 44019B60
obilodeau
commented
8 years ago (by luiscarlos) Ops, looks like I was missing sub_filter_once.
On Thu, Apr 23, 2015 at 5:49 PM, Luis Carlos Cobo Rus
obilodeau
commented
8 years ago (by luiscarlos) Success!! Thanks so much.
On Thu, Apr 23, 2015 at 5:55 PM, Luis Carlos Cobo Rus
When trying the initial authentication with Rainy, I get "The connection to the server has failed, plase check that the address you entered is correct".
Configuring Rainy to not use ssl and replacing https with http on the server url, it seems to work. This may be a regression of #1153289 as I am using a self-signed certificate, and it used to work fine.
I run tomdroid 0.7.5 on Android L and Rainy 0.5.0.
Let me know if you need any other information.
Imported from Launchpad using lp2gh.