
I have on my hands an Android app, targeting SDK level 21. Therein I'm trying to connect to AWS' alive.json using java.net.HttpURLConnection.

The trust chain looks like so:

  • Baltimore CyberTrust Root (trusted by dev device)
  • DigiCert Baltimore CA-2 G2 (dev device trusts DigiCert Assured ID Root G2, Global Root CA, Global Root G2 among other DigiCerts - is this sufficient?)
  • AWS (*.us-east-etc.amazonaws.com)

My AndroidManifest.xml features <uses-permission android:name="android.permission.INTERNET"/>.

The code [boils down to] the following. It's called on a separate thread (which executes requests one by one - there's just this one for now), from NDK.

    // init() -- all optional
    System.setProperty("http.keepAlive", "false");
    HttpURLConnection.setDefaultAllowUserInteraction(false);

    // makeRequest(HttpRequest request)
    URL url = new URL(request.url);
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    http.setUseCaches(false);
    http.setReadTimeout(timeoutMs);        // read timeout only; no connect timeout is set
    http.setChunkedStreamingMode(0);       // optional
    http.setDoInput(true);
    http.setRequestMethod("GET");          // optional
    http.setRequestProperty("X-Correlation-ID", x); // optional
    http.connect();                        // hangs here (see below)

Now, if I set the timeout to 80ms, I will get a javax.net.ssl.SSLHandshakeException: SSL handshake timed out. Beyond that (800ms), it will hang forever in http.connect().

https://developer.android.com/training/articles/security-ssl.html#HttpsExample and the surrounding article details how this should be done. My understanding is that I should not need certificate pinning for this exercise.

If I do add one (along the lines of the above article), I get a javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Connecting to a http:// resource works just fine.

What am I doing wrong? What extra configuration is needed on my part and why?

UPDATE:

1. OkHttp-based implementation manifests the exact same behaviour.

2. Certificate pinning did not help get around the issue. Note that this is only a desperate measure, and not something for production - obviously we don't want to break when Amazon's certificates get updated.

zyndor
  • have you already checked the 3 possible issues reported on the link you reported? – firegloves Sep 20 '17 at 12:33
  • It seems to me that's the wrong track and I should not need custom SSL configuration. FWIW, I have checked. From the trust chain above I drew the conclusion that it isn't #1. I _have_ however used a self-signed certificate (shouldn't have), which could cause #2. #3 -- `openssl s_client -connect s3.us-east-2.amazonaws.com:443` gives me https://pastebin.com/vZcP4yjz , and Baltimore CyberTrust Root is trusted by my device. It doesn't explain the hang. – zyndor Sep 20 '17 at 13:32
  • Have you ever used these CAs' certs? Maybe #1 issue in this case? "It could be because you have a certificate from a new CA that isn't yet trusted by Android". I can't figure out another reason – firegloves Sep 20 '17 at 13:44
  • Thank you for trying to help. TBH, it's the first time I get to reason about SSL certificates at this level. Baltimore CyberTrust Root is a system trusted credential. DigiCert Baltimore CA-2 G2 is not, just those close looking matches mentioned in the OP. – zyndor Sep 20 '17 at 13:52
  • Btw -- punching the same address into Chrome on the same device downloads the file fine, which was another reason I thought it can't be a problem with the system's trusted certificates. – zyndor Sep 20 '17 at 15:51
  • I think you can't be sure of that, because browsers could access a more updated list of trusted CA – firegloves Sep 20 '17 at 15:53
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/154920/discussion-between-zyndor-and-firegloves). – zyndor Sep 20 '17 at 16:14
  • See my reply at: https://stackoverflow.com/a/55691651/2603965. It's the same issue. I also replied here but a moderator deleted it without actually understanding the issue. – grebulon Apr 15 '19 at 14:50
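A way to diagnose the handshake failure without falling back to plaintext, added here as an example and not code from the question or the answer: wrap the platform's default X509TrustManager so the chain the server actually presents is recorded, while validation is still delegated to the default manager unchanged, and bound the connect phase with a connect timeout (the question's code sets only a read timeout). The class and method names (ChainProbe, recordingTrustManager, fetch, lastChain) are assumptions of this example.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ChainProbe {
    /** Subject DNs of the chain presented on the last handshake, leaf first (hypothetical name). */
    public static final List<String> lastChain = new ArrayList<>();

    /** Wraps the platform default trust manager: records the presented chain, then
     *  delegates, so a missing or untrusted intermediate is still rejected exactly as before. */
    static X509TrustManager recordingTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the device's default trust store
        final X509TrustManager def = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                lastChain.clear();
                for (X509Certificate c : chain) lastChain.add(c.getSubjectX500Principal().getName());
                def.checkServerTrusted(chain, authType); // real validation, unchanged
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                def.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return def.getAcceptedIssuers(); }
        };
    }

    /** GET over TLS with both timeouts set; on a trust failure, lastChain shows what the server sent. */
    public static int fetch(String urlString, int connectTimeoutMs, int readTimeoutMs)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recordingTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname verifier stays in place
        conn.setConnectTimeout(connectTimeoutMs); // bounds TCP connect; absent in the question's code
        conn.setReadTimeout(readTimeoutMs);       // bounds handshake reads and the response
        conn.setRequestMethod("GET");
        try { return conn.getResponseCode(); } finally { conn.disconnect(); }
    }
}
```

If `fetch` throws the "Trust anchor for certification path not found" exception, `lastChain` tells you whether the server omitted the DigiCert Baltimore CA-2 G2 intermediate or whether the device simply lacks that anchor, which is the question to settle before changing anything client-side.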

1 Answer


D'oh. Don't do this [on Android]; use http://s3.us-east-2.amazonaws.com/static-us-east/alive.json, not https://.

zyndor