Can't connect to Rainy through https
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Tomdroid | Incomplete | High | Unassigned | |
mono | New | Undecided | Unassigned | |
Bug Description
When trying the initial authentication with Rainy, I get "The connection to the server has failed, plase check that the address you entered is correct".
Configuring Rainy to not use ssl and replacing https with http on the server url, it seems to work. This may be a regression of #1153289 as I am using a self-signed certificate, and it used to work fine.
I run tomdroid 0.7.5 on Android L and Rainy 0.5.0.
Let me know if you need any other information.
Luis Carlos Cobo (luiscarlos) wrote : | #1 |
Sebastian Lange (s-lange-web) wrote : | #2 |
I have the same problem. I am looking forward to a correction.
Stefan Hammer (j-4-deactivatedaccount) wrote : | #3 |
Hi! I have no problem on my Android L device running the latest Tomdroid.
Could you share more details? Logs, your server setup details etc.
I will try to do my best to get this fixed!
- Stefan
Changed in tomdroid: | |
importance: | Undecided → High |
status: | New → Incomplete |
Tycho Schenkeveld (tycho-schenkeveld) wrote : | #4 |
I had the same issue, I think it is something to do with the encryption algorithms not matching. There's a thread on the Rainy mailing list about this. Apparently Lollipop is a bit stricter with its algorithms and mono only supports some older ones, so there is no common supported method anymore.
Anyway, what I've done is put rainy behind nginx and that solved it. So nginx handles the SSL encryption now.
Tycho Schenkeveld (tycho-schenkeveld) wrote : | #5 |
Sorry a little update: I found the link for that thread, it was actually the Tomboy mailing list: http://
Luis Carlos Cobo (luiscarlos) wrote : | #6 |
Stefan as I said before I think my problem is that the SSL certificate is self-signed. Are you using self-signed too?
Stefan Hammer (j-4-deactivatedaccount) wrote : | #7 |
@Luis: I use self signed certificate with a standard Rainy instance. Works fine on the Nexus 7, Android 5.0.2.
Maybe the Tomdroid logs together with the Rainy logs will tell us what's going on in your case.
Do you know how to get the logs?
- Stefan
Luis Carlos Cobo (luiscarlos) wrote : | #8 |
I know how to get the rainy ones, how about the tomdroid?
Stefan Hammer (j-4-deactivatedaccount) wrote : | #9 |
Luis Carlos Cobo (luiscarlos) wrote : | #10 |
Tomdroid:
I/Tomdroid(28632): Creating dialog
V/PhoneStatusBar( 885): setLightsOn(true)
I/WebConnection
D/AccountMetada
Luis Carlos Cobo (luiscarlos) wrote : Re: [Bug 1407060] Re: Can't connect to Rainy through https | #11 |
Is there any progress on this // any other info I can provide??
Thanks!
On Tue, Jan 20, 2015 at 10:41 PM, Luis Carlos Cobo <email address hidden> wrote:
> Tomdroid:
>
> I/Tomdroid(28632): Creating dialog
> V/PhoneStatusBar( 885): setLightsOn(true)
> I/WebConnection
> D/AccountMetada
jedd (unclejedd) wrote : | #12 |
It's hit me too after (but not sure how precisely after / resultant) the Lollipop upgrade to my Nexus 5 phone.
Samsung Tab worked fine, and rainy 0.5 VM hadn't had any changes.
Switched rainy's config to http rather than https, and able to sync again from Nexus 5.
Olivier Bilodeau (plaxx) wrote : | #13 |
Your server is probably running an old version of SSL/TLS or a cipher suite
with no suitable ciphers for Lollipop's new requirements.
SSL configuration has seen many changes in the past year or so due to
security vulnerabilities.
Troubleshoot with "openssl s_client" or scan your server with Qualys'
SSL Labs and adjust its configuration.
Luis Carlos Cobo (luiscarlos) wrote : | #14 |
openssl s_client output:
CONNECTED(00000003)
139670133552800
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1428086986
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Anything odd? Also I am using this server, https:/
Any idea?
Olivier Bilodeau (plaxx) wrote : | #15 |
> ssl handshake failure... no peer certificate ...
Are you sure you have a certificate configured on your server?
The Cipher (none) bit is worrying also but might be caused by the previous
error.
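How the `openssl s_client` output from comment #14 can be read mechanically, as an added example that is not part of the original thread: the function name `triage` and the wording of the findings are this example's own, and the sample is the thread's output abridged to the lines the parser reads.

```python
import re

# Output quoted in comment #14 on this page, abridged to the lines the parser reads.
SAMPLE = """\
CONNECTED(00000003)
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

def triage(text):
    """Summarise one `openssl s_client` transcript and list what went wrong."""
    size = re.search(r"SSL handshake has read (\d+) bytes", text)
    suite = re.search(r"Cipher is (\S+)", text)
    info = {
        "tcp_connected": "CONNECTED(" in text,
        "peer_cert": "no peer certificate available" not in text,
        "bytes_read": int(size.group(1)) if size else None,
        "cipher": suite.group(1) if suite else None,
    }
    negotiated = info["cipher"] not in (None, "(NONE)")
    info["handshake_completed"] = info["peer_cert"] and negotiated

    findings = []
    if info["tcp_connected"] and not info["peer_cert"]:
        findings.append("TCP connected, but the handshake ended before the "
                        "server sent its Certificate message")
    if not negotiated:
        findings.append("no cipher suite was agreed")
    if info["bytes_read"] == 7:
        # 5-byte TLS record header + 2-byte alert body (level, description)
        findings.append("7 bytes read is the size of a single TLS alert record")
    if not info["peer_cert"] and "Verify return code: 0 (ok)" in text:
        findings.append("'Verify return code: 0 (ok)' is vacuous here: "
                        "no certificate was received to verify")
    return info, findings

if __name__ == "__main__":
    info, findings = triage(SAMPLE)
    print(info)
    for f in findings:
        print("-", f)
```

A server that is reachable over HTTPS from a browser can still produce this transcript for a client that offers a protocol version or cipher list the server rejects, so the result describes one client/server pairing, not the server alone.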
Luis Carlos Cobo (luiscarlos) wrote : | #16 |
I can access through https via web (and Tomboy desktop). The
certificate is self-signed.
On Thu, Apr 9, 2015 at 5:07 AM, Olivier Bilodeau
<email address hidden> wrote:
>> ssl handshake failure... no peer certificate ...
>
> Are you sure you have a certificate configured on your server?
>
> The Cipher (none) bit is worrying also but might be caused by the previous
> error.
--
Luis Carlos Cobo Rus GnuPG ID: 44019B60
Olivier Bilodeau (plaxx) wrote : | #17 |
Without more information it's hard to know what's going on. Send me your
sync URL in private and I will poke it. No need to send credentials. Only
URL.
Luis Carlos Cobo (luiscarlos) wrote : | #18 |
Olivier did you receive my email?
On Thu, Apr 9, 2015 at 2:06 PM, Olivier Bilodeau
<email address hidden> wrote:
> Without more information it's hard to know what's going on. Send me your
> sync URL in private and I will poke it. No need to send credentials. Only
> URL.
Olivier Bilodeau (plaxx) wrote : | #19 |
Yes I did but forgot about it. I'll check tonight (EDT).
Olivier Bilodeau (plaxx) wrote : | #20 |
[output of testssl.sh sent in private]
The server seems incompatible with Lollipop's SSL/TLS requirements and it's not openssl's fault. Mono seems to have their own SSL suites activated in their Mono-HTTPAPI server which are way outdated.
As someone in this bug mentioned, running an nginx reverse-proxy in front of a non-SSL rainy instance bound to localhost would be the right approach IMO. http://
@Stefan, I'm surprised yours works. Can you send me your server's URL in private so I can maybe find a difference in your SSL configuration? Also, do you know if we do any shenanigans like mentioned here: https:/
Refs:
* https:/
Luis Carlos Cobo (luiscarlos) wrote : | #21 |
Thanks for looking into this Olivier, especially since the issue is not even in your app.
I set up nginx as you suggest and I can run rainy on http and add the https layer on the nginx. So now I can access via web fine through nginx, but neither Tomdroid nor desktop Tomboy on Ubuntu can connect to the server. Debugging Tomdroid I see:
[DEBUG 22:13:40.488] Listening on http://
[DEBUG 22:13:40.490] Building web request for URL: http://
[ERROR 22:15:20.654] Failed to get auth URL from https:/
(edited MY_HOSTNAME in). So even though the original request goes to the nginx, https, 8088 port, we then get an auth URL for http and the original port where rainy is attached (which is not accessible from outside of my network).
Any idea on how to make it work?
Olivier Bilodeau (plaxx) wrote : | #22 |
@Tycho: can you share your nginx / rainy config?
If he's not subscribed to the bug's notification emails we'll have to email
him. Unfortunately I can't verify since I'm offline right now. Sorry.
Tycho Schenkeveld (tycho-schenkeveld) wrote : Re: [Bug 1407060] Re: Can't connect to Rainy through https | #25 |
Ok once more ;) I was trying to make it clear which bits need to be filled
in with fancy formatting, but I see the launchpad bugtracker has messed
this up by adding asterisks around the part I had put in bold.
So just to make it clear, here it is in plain text. Because it won't work
with those *'s in it. And yes it fixes the problem that Luis is having, I
was having exactly the same! It took me quite some messing around to get it
working ;)
server {
    listen <external port for rainy clients> ssl;
    server_name <FQDN of my server>;
    ssl_certificate /etc/ssl/
    ssl_certifica
    # These certs are free signed certs from StartSSL (highly recommended!)
    # so that you don't get the usual self-signed certs warnings. Not sure if it
    # will even work without it!
    location / {
        rewrite https://<Server FQDN>:<External port> http://<Server FQDN>:<internal port that Rainy listens on> ;
        sub_
        sub_filter{
        rewrite http://<Server FQDN>:<internal port that Rainy listens on> https://<Server FQDN>:<External port> ;
        sub_filter_once off;
        chunked_
        proxy_
        proxy_pass http://
    }
On Thu, Apr 23, 2015 at 10:14 PM, Olivier Bilodeau <
<email address hidden>> wrote:
> @Tycho: can you share your nginx / rainy config?
>
> If he's not subscribed to the bug's notification emails we'll have to email
> him. Unfortunately I can't verify since I'm offline right now. Sorry.
>
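Why the proxy setup discussed in this thread only works with `sub_filter_once off`, modelled in Python as an added example (not code from the thread, nginx or Rainy): the hostname, ports and JSON field names are constructed, and `sub_filter` here is a small model of the nginx directive's replace-first-match default.

```python
import json

INTERNAL = "http://notes.example.org:8080"   # hypothetical: where Rainy listens
EXTERNAL = "https://notes.example.org:8088"  # hypothetical: the nginx TLS listener

# Constructed API response carrying several backend URLs; field names are illustrative.
BODY = json.dumps({
    "oauth_request_token_url": INTERNAL + "/oauth/request_token",
    "oauth_authorize_url": INTERNAL + "/oauth/authorize",
    "oauth_access_token_url": INTERNAL + "/oauth/access_token",
})

def sub_filter(body, needle, replacement, once=True):
    """Model of nginx sub_filter: only the first match is replaced unless once is off."""
    return body.replace(needle, replacement, 1 if once else -1)

def leaked_urls(body, internal_origin):
    """Decode the JSON and list values that still point at the backend origin.

    Decoding first also catches bodies where '/' was serialised as '\\/',
    which a literal string substitution in the proxy would not match.
    """
    doc = json.loads(body)
    return sorted(v for v in doc.values()
                  if isinstance(v, str) and v.startswith(internal_origin))

if __name__ == "__main__":
    for once in (True, False):
        out = sub_filter(BODY, INTERNAL, EXTERNAL, once=once)
        print("once=%s leaked=%s" % (once, leaked_urls(out, INTERNAL)))
    escaped = BODY.replace("/", "\\/")  # same document, slashes escaped
    out = sub_filter(escaped, INTERNAL, EXTERNAL, once=False)
    print("escaped leaked=%s" % leaked_urls(out, INTERNAL))
```

Any URL reported as leaked is one a client outside the network would be told to contact directly, over plain HTTP on the backend port.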
Luis Carlos Cobo (luiscarlos) wrote : | #26 |
Tycho, thanks so much, I think this is going to make it work for me. I think you are missing the closing curly brace from the sub_filter, is it right after the rewrite?
Luis Carlos Cobo (luiscarlos) wrote : | #27 |
I tried just "sub_filter internal external" but that still does not
seem to cut it. Adding the two locations above, /oauth/* does not seem
to finally fix it either. Maybe there is some caching issue?
On Thu, Apr 23, 2015 at 5:25 PM, Luis Carlos Cobo <email address hidden> wrote:
> Tycho, thanks so much, I think this is going to make it work for me. I
> think you are missing the closing curly brace from the sub_filter, is it
> right after the rewrite?
Luis Carlos Cobo (luiscarlos) wrote : | #28 |
Oops, looks like I was missing sub_filter_once.
On Thu, Apr 23, 2015 at 5:49 PM, Luis Carlos Cobo Rus
<email address hidden> wrote:
> I tried just "sub_filter internal external" but that sill does not
> seem to cut it. Adding the two locations above, /oauth/* does not seem
> to finally fix it either. Maybe there is some caching issue?
Luis Carlos Cobo (luiscarlos) wrote : | #29 |
Success!! Thanks so much.
On Thu, Apr 23, 2015 at 5:55 PM, Luis Carlos Cobo Rus
<email address hidden> wrote:
> Ops, looks like I was missing sub_filter_once.
No updates on this?