Can't connect to Rainy through https

Bug #1407060 reported by Luis Carlos Cobo
This bug affects 3 people
Affects     Status      Importance  Assigned to  Milestone
Tomdroid    Incomplete  High        Unassigned
mono        New         Undecided   Unassigned

Bug Description

When trying the initial authentication with Rainy, I get "The connection to the server has failed, plase check that the address you entered is correct".

Configuring Rainy to not use ssl and replacing https with http on the server url, it seems to work. This may be a regression of #1153289 as I am using a self-signed certificate, and it used to work fine.

I run tomdroid 0.7.5 on Android L and Rainy 0.5.0.

Let me know if you need any other information.

Luis Carlos Cobo (luiscarlos) wrote :

No updates on this?

Sebastian Lange (s-lange-web) wrote :

I have the same problem. I am looking forward to a correction.

Stefan Hammer (j-4-deactivatedaccount) wrote :

Hi! I have no problem on my Android L device running the latest Tomdroid.
Could you share more details? Logs, your server setup details etc.
I will try to do my best to get this fixed!

- Stefan

Changed in tomdroid:
importance: Undecided → High
status: New → Incomplete
Tycho Schenkeveld (tycho-schenkeveld) wrote :

I had the same issue, I think it is something to do with the encryption algorithms not matching. There's a thread on the Rainy mailing list about this. Apparently Lollipop is a bit stricter with its algorithms and mono only supports some older ones, so there is no common supported method anymore.

Anyway, what I've done is put rainy behind nginx and that solved it. So nginx handles the SSL encryption now.

Tycho Schenkeveld (tycho-schenkeveld) wrote :

Sorry a little update: I found the link for that thread, it was actually the Tomboy mailing list: http://lists.beatniksoftware.com/pipermail/tomboy-list-beatniksoftware.com/2014-December/017212.html

Luis Carlos Cobo (luiscarlos) wrote :

Stefan as I said before I think my problem is that the SSL certificate is self-signed. Are you using self-signed too?

Stefan Hammer (j-4-deactivatedaccount) wrote :

@Luis: I use self signed certificate with a standard Rainy instance. Works fine on the Nexus 7, Android 5.0.2.
Maybe the Tomdroid logs together with the Rainy logs will tell us what's going on in your case.
Do you know how to get the logs?

- Stefan

Luis Carlos Cobo (luiscarlos) wrote :

I know how to get the rainy ones, how about the tomdroid?

Stefan Hammer (j-4-deactivatedaccount) wrote :
Luis Carlos Cobo (luiscarlos) wrote :

Tomdroid:

I/Tomdroid(28632): Creating dialog
V/PhoneStatusBar( 885): setLightsOn(true)
I/WebConnection(28632): Sending http-header: X-Tomboy-Client: org.tomdroid v0.7.5, build 14, Android v5.0.1, LGE/Nexus 5
D/AccountMetadataUpdater(29024): updateCapabilityFromSiblingApps interval=1287 ms
W/System.err(28632): javax.net.ssl.SSLHandshakeException: Connection closed by peer
W/System.err(28632): at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302)
W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:598)
W/System.err(28632): at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:560)
W/System.err(28632): at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:70)
W/System.err(28632): at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:83)
W/System.err(28632): at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:170)
W/System.err(28632): at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:106)
W/System.err(28632): at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:129)
W/System.err(28632): at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:172)
W/System.err(28632): at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
W/System.err(28632): at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
W/System.err(28632): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
W/System.err(28632): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err(28632): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err(28632): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err(28632): at org.tomdroid.sync.web.WebConnection.execute(WebConnection.java:124)
W/System.err(28632): at org.tomdroid.sync.web.AnonymousConnection.get(AnonymousConnection.java:42)
W/System.err(28632): at org.tomdroid.sync.web.OAuthConnection.getAuthorizationUrl(OAuthConnection.java:131)
W/System.err(28632): at org.tomdroid.sync.web.SnowySyncService$1.run(SnowySyncService.java:102)
W/System.err(28632): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err(28632): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err(28632): at java.lang.Thread.run(Thread.java:818)
W/System.err(28632): org.json.JSONException: End of input at character 0 of
W/System.err(28632): at org.json.JSONTokener.syntaxError(JSONTokener.java:450)
W/System.err(28632): at org.json.JSONTokener.nextValue(JSONTokener.java:97)
W/System.err(28632): at org.json.JSONObject.<init>(JSONObject.java:156)...

Luis Carlos Cobo (luiscarlos) wrote : Re: [Bug 1407060] Re: Can't connect to Rainy through https

Is there any progress on this // any other info I can provide??

Thanks!

jedd (unclejedd) wrote :

It's hit me too after (but not sure how precisely after / resultant) the Lollipop upgrade to my Nexus 5 phone.

Samsung Tab worked fine, and rainy 0.5 VM hadn't had any changes.

Switched rainy's config to http rather than https, and able to sync again from Nexus 5.

Olivier Bilodeau (plaxx) wrote :

Your server is probably running an old version of SSL/TLS or a cipher suite
with no suitable ciphers for Lollipop's new requirements.

SSL configuration has seen many changes in the past year or so due to
security vulnerabilities.

Troubleshoot with "openssl s_client" or scan your server with Qualys'
SSL Labs and adjust its configuration.

Luis Carlos Cobo (luiscarlos) wrote :

openssl s_client output:

CONNECTED(00000003)
139670133552800:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1428086986
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---

Anything odd? Also I am using this server, https://github.com/Dynalon/Rainy/releases. It is already precompiled and it was compiled in 2013, but I would assume the openssl config comes from the system wide libraries.

Any idea?
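
A triage of the `openssl s_client` transcript in the comment above, as an added example that is not part of the thread: it extracts the fields that matter and classifies where the handshake stopped. The classification rules are a heuristic and the `COMPLETED` transcript is constructed for contrast.

```python
import re

# Lines taken from the s_client transcript posted above (abridged).
FAILED = """\
CONNECTED(00000003)
139670133552800:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
    Protocol : TLSv1
    Cipher : 0000
    Verify return code: 0 (ok)
"""

# Constructed transcript of a completed handshake, for contrast.
COMPLETED = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=notes.example.org
---
SSL handshake has read 1623 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Protocol : TLSv1.2
    Verify return code: 18 (self signed certificate)
"""

# A plaintext TLS alert is a 5-byte record header plus (level, description).
ALERT_RECORD_LEN = 5 + 2


def parse_s_client(text):
    """Pull the handshake-relevant fields out of `openssl s_client` output."""
    def first(pattern, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1)) if m else None

    return {
        "connected": "CONNECTED(" in text,
        "peer_cert": "no peer certificate available" not in text,
        "bytes_read": first(r"SSL handshake has read (\d+) bytes", int),
        "cipher": first(r"Cipher is (\S+)"),
        "reasons": re.findall(r":error:[0-9A-Fa-f]+:[^:]*:[^:]*:([^:]*):", text),
    }


def triage(text):
    """Classify where the connection stopped (heuristic rules)."""
    f = parse_s_client(text)
    if not f["connected"]:
        return "tcp-connect-failed"
    if f["cipher"] not in (None, "(NONE)"):
        return "handshake-completed"
    # No cipher was agreed, so no certificate was exchanged and the
    # "Verify return code: 0 (ok)" line carries no information.
    if f["bytes_read"] == ALERT_RECORD_LEN:
        return "server-sent-alert"  # consistent with the peer rejecting the ClientHello
    if f["bytes_read"] == 0:
        return "closed-without-reply"
    return "handshake-aborted"
```
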

Olivier Bilodeau (plaxx) wrote :

> ssl handshake failure... no peer certificate ...

Are you sure you have a certificate configured on your server?

The Cipher (none) bit is worrying also but might be caused by the previous
error.

Luis Carlos Cobo (luiscarlos) wrote :

I can access through https via web (and Tomboy desktop). The
certificate is self-signed.


--
Luis Carlos Cobo Rus GnuPG ID: 44019B60

Olivier Bilodeau (plaxx) wrote :

Without more information it's hard to know what's going on. Send me your
sync URL in private and I will poke it. No need to send credentials. Only
URL.

Luis Carlos Cobo (luiscarlos) wrote :

Olivier did you receive my email?


--
Luis Carlos Cobo Rus GnuPG ID: 44019B60

Olivier Bilodeau (plaxx) wrote :

Yes I did but forgot about it. I'll check tonight (EDT).

Olivier Bilodeau (plaxx) wrote :

[output of testssl.sh sent in private]

The server seems incompatible with Lollipop's SSL/TLS requirements and it's not openssl's fault. Mono seems to have their own SSL suites activated in their Mono-HTTPAPI server, which are way outdated.

As someone in this bug mentioned, running an nginx reverse-proxy in front of a non-SSL rainy instance bound to localhost would be the right approach IMO. http://lists.beatniksoftware.com/pipermail/tomboy-list-beatniksoftware.com/2014-December/017221.html

@Stefan, I'm surprised yours works. Can you send me your server's URL in private so I can maybe find a difference in your SSL configuration? Also, do you know if we do any shenanigans like mentioned here: https://code.google.com/p/android/issues/detail?id=79910#c14 in Tomdroid's code? It's been ages since I looked at that code.

Refs:
* https://developer.android.com/about/versions/android-5.0-changes.html#ssl

Luis Carlos Cobo (luiscarlos) wrote :

Thanks for looking into this Olivier, especially since the issue is not even in your app.

I set up nginx as you suggest and I can run rainy on http and add the https layer on the nginx. So now I can access via web fine through nginx, but neither tomdroid nor desktop tomboy on Ubuntu can connect to the server. Debugging tomdroid I see:

[DEBUG 22:13:40.488] Listening on http://localhost:8000/tomboy-web-sync/ for OAuth callback
[DEBUG 22:13:40.490] Building web request for URL: http://MY_HOSTNAME:8087/oauth/request_token
[ERROR 22:15:20.654] Failed to get auth URL from https://MY_HOSTNAME:8088. Exception was: System.Net.WebException: The request timed out

(edited MY_HOSTNAME in). So even though the original request goes to the nginx, https, 8088 port, we then get an auth URL for http and the original port where rainy is attached (which is not accessible from outside of my network).

Any idea on how to make it work?

Olivier Bilodeau (plaxx) wrote :

@Tycho: can you share your nginx / rainy config?

If he's not subscribed to the bug's notification emails we'll have to email
him. Unfortunately I can't verify since I'm offline right now. Sorry.

Tycho Schenkeveld (tycho-schenkeveld) wrote : Re: [Bug 1407060] Re: Can't connect to Rainy through https

Ok once more ;) I was trying to make it clear which bits need to be filled
in with fancy formatting, but I see the launchpad bugtracker has messed
this up by adding asterisks around the part I had put in bold.

So just to make it clear, here it is in plain text. Because it won't work
with those *'s in it. And yes it fixes the problem that Luis is having, I
was having exactly the same! It took me quite some messing around to get it
working ;)

server {
  listen <external port for rainy clients> ssl;
  server_name <FQDN of my server>;
  ssl_certificate /etc/ssl/nginx/znc.pem;
  ssl_certificate_key /etc/ssl/nginx/znc.key;
  # These certs are free signed certs from StartSSL (highly recommended!)
  # so that you don't get the usual self-signed certs warnings. Not sure if it
  # will even work without it!

  location / {
    rewrite https://<Server FQDN>:<External port> http://<Server FQDN>:<internal port that Rainy listens on> ;
    sub_filter_types application/json;
    sub_filter{
    rewrite http://<Server FQDN>:<internal port that Rainy listens on> https://<Server FQDN>:<External port> ;
    sub_filter_once off;
    chunked_transfer_encoding off;
    proxy_set_header Host $host;
    proxy_pass http://localhost:<internal port that Rainy listens on>;
  }

Luis Carlos Cobo (luiscarlos) wrote :

Tycho, thanks so much, I think this is going to make it work for me. I think you are missing the closing curly brace from the sub_filter, is it right after the rewrite?

Luis Carlos Cobo (luiscarlos) wrote :

I tried just "sub_filter internal external" but that still does not
seem to cut it. Adding the two locations above, /oauth/* does not seem
to finally fix it either. Maybe there is some caching issue?


--
Luis Carlos Cobo Rus GnuPG ID: 44019B60

Luis Carlos Cobo (luiscarlos) wrote :

Oops, looks like I was missing sub_filter_once.


--
Luis Carlos Cobo Rus GnuPG ID: 44019B60

Luis Carlos Cobo (luiscarlos) wrote :

Success!! Thanks so much.


--
Luis Carlos Cobo Rus GnuPG ID: 44019B60
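
Why the missing `sub_filter_once off` mattered in the exchange above, as an added example that is not part of the thread: nginx's `sub_filter` rewrites only the first match per response by default, so a JSON body carrying several backend URLs keeps handing out the rest. The host name, ports and response body are constructed, and `sub_filter()` here is a Python model of the directive, not nginx code.

```python
import json

# Assumed origins (placeholders): what Rainy advertises vs. what nginx serves.
INTERNAL = "http://notes.example.org:8087"
EXTERNAL = "https://notes.example.org:8088"

# Constructed API-root response; the field names are an assumption modelled
# on the Tomboy sync REST API.
API_ROOT = json.dumps({
    "user-ref": {"api-ref": INTERNAL + "/api/1.0/luis", "href": INTERNAL + "/luis"},
    "oauth_request_token_url": INTERNAL + "/oauth/request_token",
    "oauth_authorize_url": INTERNAL + "/oauth/authorize",
    "oauth_access_token_url": INTERNAL + "/oauth/access_token",
    "api-version": "1.0",
})


def sub_filter(body, needle, replacement, once=True):
    """Model of nginx's literal response-body substitution.

    nginx form: `sub_filter <needle> <replacement>;`. With `sub_filter_once on`
    (the default) only the first match is replaced; `off` replaces all of them.
    """
    return body.replace(needle, replacement, 1 if once else -1)


def walk_strings(node, path=""):
    """Yield (path, value) for every string inside a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def backend_leaks(body, internal_origin=INTERNAL):
    """Paths whose value still points clients at the plain-HTTP backend."""
    decoded = json.loads(body)
    return [p for p, v in walk_strings(decoded) if v.startswith(internal_origin)]


if __name__ == "__main__":
    for label, once in (("sub_filter_once on ", True), ("sub_filter_once off", False)):
        rewritten = sub_filter(API_ROOT, INTERNAL, EXTERNAL, once)
        print(label, backend_leaks(rewritten))
```

Running `backend_leaks` against the body actually served on the external port is a quick check that no client is still being sent to the internal, unencrypted listener.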
