Uploaded image for project: 'Couchbase Lite'
  1. Couchbase Lite
  2. CBL-1748

X509TrustManager.checkServerTrusted with X509TrustManagerExtensions.checkServerTrusted

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.8.0
    • 3.0
    • Java, Java-Android
    • Security Level: Public
    • None
    • Hide
      Mandatory:
       
      Show
      Mandatory:  
    • 1

    Description

      A forum post pointed out a StackOverflow question that highlights a bug in CBLTrustManager.java:

      https://stackoverflow.com/questions/58934384/network-security-configuration-not-working-with-third-party-api

      It's a new behaviour of the Android Framework. If your network config contains any <domain-config blocks, Framework throws CertificateException if you call checkServerTrusted(X509Certificate[] certs, String authType) in X509TrustManager. So instead you should use X509TrustManagerExtensions

      Attachments

        Issue Links

          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            blake.meike Blake Meike added a comment -

            Comment from CBL-1955:

            To my complete amazement, we did support domain specific server authentication, in v2.7 and broke it in 2.8.

            Conscrypt, the subsystem to which OkHttp delegates for TLS authentication, attempts to call a method with the signature checkServerTrusted (X509Certificate[], String, String), by reflection. In 2.7 we used Android's default trust manager, which did have such a method. In 2.8, to support our new Listener modes, we install our own custom trust manager and proxy most calls to the default. Our custom trust manager, however, does not have the method. Conscrypt falls back to using the default method checkServerTrusted (X509Certificate[], String), which fails if the app has a network-security-config.

            I believe that this fix is, simply, to add the missing signature and to proxy it to the default manager.

            Pasin suggests just installing the DefaultTrustManager whe useDefaultTrustManager(). While an elegant solution, that means that Conscrypt will try two method calls by introspection, before it falls back to the normal method, when using our CBLTrustManager. That's a fair amount of overhead.

            Here's relevant documentation:
            https://issues.couchbase.com/browse/CBL-1955
            https://developer.android.com/training/articles/security-config
            https://developer.android.com/reference/android/net/http/X509TrustManagerExtensions
            https://square.github.io/okhttp/4.x/okhttp/okhttp3/-ok-http-client/-builder/ssl-socket-factory/

            blake.meike Blake Meike added a comment - Comment from CBL-1955 : To my complete amazement, we did support domain specific server authentication, in v2.7 and broke it in 2.8. Conscrypt, the subsystem to which OkHttp delegates for TLS authentication, attempts to call a method with the signature checkServerTrusted (X509Certificate[], String, String), by reflection. In 2.7 we used Android's default trust manager, which did have such a method. In 2.8, to support our new Listener modes, we install our own custom trust manager and proxy most calls to the default. Our custom trust manager, however, does not have the method. Conscrypt falls back to using the default method checkServerTrusted (X509Certificate[], String), which fails if the app has a network-security-config. I believe that this fix is, simply, to add the missing signature and to proxy it to the default manager. Pasin suggests just installing the DefaultTrustManager whe useDefaultTrustManager(). While an elegant solution, that means that Conscrypt will try two method calls by introspection, before it falls back to the normal method, when using our CBLTrustManager. That's a fair amount of overhead. Here's relevant documentation: https://issues.couchbase.com/browse/CBL-1955 https://developer.android.com/training/articles/security-config https://developer.android.com/reference/android/net/http/X509TrustManagerExtensions https://square.github.io/okhttp/4.x/okhttp/okhttp3/-ok-http-client/-builder/ssl-socket-factory/
            blake.meike Blake Meike added a comment -

            proto-solution in coucbase-lite-java-common @ 23e5eae526459ea986.

            Needs extensive testing. Bugs against it to be filed separately.

            blake.meike Blake Meike added a comment - proto-solution in coucbase-lite-java-common @ 23e5eae526459ea986. Needs extensive testing. Bugs against it to be filed separately.

            Build couchbase-lite-android-3.0.0-118 contains couchbase-lite-java-common commit 23e5eae with commit message:
            CBL-1748: Support domain-specific validation: first attempt

            build-team Couchbase Build Team added a comment - Build couchbase-lite-android-3.0.0-118 contains couchbase-lite-java-common commit 23e5eae with commit message: CBL-1748 : Support domain-specific validation: first attempt

            Build couchbase-lite-android-3.0.0-118 contains couchbase-lite-java-ee-root commit 69d8374 with commit message:
            CBL-1748: Support domain-specific validation: first attempt

            build-team Couchbase Build Team added a comment - Build couchbase-lite-android-3.0.0-118 contains couchbase-lite-java-ee-root commit 69d8374 with commit message: CBL-1748 : Support domain-specific validation: first attempt

            Build couchbase-lite-java-3.0.0-118 contains couchbase-lite-java-common commit 23e5eae with commit message:
            CBL-1748: Support domain-specific validation: first attempt

            build-team Couchbase Build Team added a comment - Build couchbase-lite-java-3.0.0-118 contains couchbase-lite-java-common commit 23e5eae with commit message: CBL-1748 : Support domain-specific validation: first attempt

            Build couchbase-lite-java-3.0.0-118 contains couchbase-lite-java-ee-root commit 69d8374 with commit message:
            CBL-1748: Support domain-specific validation: first attempt

            build-team Couchbase Build Team added a comment - Build couchbase-lite-java-3.0.0-118 contains couchbase-lite-java-ee-root commit 69d8374 with commit message: CBL-1748 : Support domain-specific validation: first attempt

            Build couchbase-lite-java-3.0.0-119 contains couchbase-lite-java-ee-root commit 9ad30b6 with commit message:
            CBL-1748: Support domain-specific validation: first attempt

            build-team Couchbase Build Team added a comment - Build couchbase-lite-java-3.0.0-119 contains couchbase-lite-java-ee-root commit 9ad30b6 with commit message: CBL-1748 : Support domain-specific validation: first attempt

            Build couchbase-lite-android-3.0.0-119 contains couchbase-lite-java-ee-root commit 9ad30b6 with commit message:
            CBL-1748: Support domain-specific validation: first attempt

            build-team Couchbase Build Team added a comment - Build couchbase-lite-android-3.0.0-119 contains couchbase-lite-java-ee-root commit 9ad30b6 with commit message: CBL-1748 : Support domain-specific validation: first attempt

            People

              The Lite The Lite
              blake.meike Blake Meike
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 6h
                  6h

                  Gerrit Reviews

                    There are no open Gerrit changes

                    PagerDuty