Skip SSL Verification?

aliensnative · November 16, 2020, 7:55am

I am building a messaging app for android (and hopefully for IOS soon).
While testing it on my local network (localhost), it worked fine. However, after I created a site to test it and changed the source code so it will make requests to the test site instead, the requests failed.

Here are the error logs from the simulator and the an android emulator I used:

Simulator

16:49:57.705  table: 09606430 {
16:49:57.705    [responseType] => "text"
16:49:57.705    [phase] => "ended"
16:49:57.705    [bytesEstimated] => 0
16:49:57.705    [response] => "Certificate required"
16:49:57.705    [name] => "networkRequest"
16:49:57.705    [bytesTransferred] => 0
16:49:57.705    [status] => -1
16:49:57.705    [url] => "https://pinged.ml/engine/v0.5/rest.php/login"
16:49:57.705    [isError] => true
16:49:57.705    [requestId] => userdata: 09604418
16:49:57.705  }

Android Logcat

I/Corona  ( 4322): table: 0xb87cb960 {
I/Corona  ( 4322):   [responseType] => "text"
I/Corona  ( 4322):   [phase] => "ended"
I/Corona  ( 4322):   [bytesEstimated] => 0
I/Corona  ( 4322):   [response] => "javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb88070c0: Failure in SSL library, usually a protocol error"
I/Corona  ( 4322): "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x8c27a990:0x00000000): https://pinged.ml/engine/v0.5/rest.php/login"
I/Corona  ( 4322):   [name] => "networkRequest"
I/Corona  ( 4322):   [bytesTransferred] => 0
I/Corona  ( 4322):   [status] => -1
I/Corona  ( 4322):   [url] => "https://pinged.ml/engine/v0.5/rest.php/login"
I/Corona  ( 4322):   [isError] => true
I/Corona  ( 4322):   [requestId] => false
I/Corona  ( 4322): }

I am guessing it has something to do with the SSL certificate. On my local machine I was the CA so I could install the certificates myself and get rid of any warnings but on the test site, I used Let’s Encrypt.

Now, my question is, is there any way to tell the network.request() API to ignore certificate verification?

XeduR · November 16, 2020, 9:22am

I may be completely misunderstanding the question, but if you don’t want the certificates to come into play, then shouldn’t you just try to make unsecure connections via http and not https?

anon63346430 · November 16, 2020, 10:47am

@XeduR I am not sure advising using http for anything these days is the correct advice - let alone to POST to a log in script.

You will get a handshake error if the client doesn’t support the ciphers the server is wanting to use. A common problem with old Androids and TLS 1.2+ or modern androids and depreciated ciphers.

XeduR · November 16, 2020, 11:07am

Absolutely, there’s no reason to forego SSL. But, if I understood correctly, that’s what the OP asked and this is the only way that came to my mind for skipping SSL verification, i.e. not using it.

aliensnative · November 16, 2020, 5:36pm

Well @XeduR I would’ve done that if it didn’t work when I tested it on my local machine. I actually spent most of the time since I first posted this questing considering not using encryption since the app I’m making is for educational purposes and not intended to handle actual users. In the end, I decided that I wouldn’t be able to live with myself if I took the easy way out without at least trying to fix it for a day or two. But thanks - your suggestion is getting attractive with every hour and failed attempt I make to fix this.
Oh and thanks @anon63346430. It’s nice to know that not all errors are my fault. I guess this is one of the many things in life that is beyond my control eh?

anon63346430 · November 16, 2020, 6:13pm

Are you sure your entire certificate chain is correct? I use https exclusively in my games and have no issues. I block Android < 5 because they don’t understand proper encryption and fail on handshakes.

anon63346430 · November 16, 2020, 6:14pm

You can use this website to check your server config.

aliensnative · November 16, 2020, 6:29pm

Now that you mention it, I think it might have something to do with the certificate chain. I am using self-signed certificates to test it and I’m guessing that may be the whole root of the issue. That’s why I am not surprised when it got graded “B” (thanks for the link though).
I think I’ll just will purchase one from a trusted CA later and if the problem persists, I’ll just work on something new that doesn’t involve making your own REST api – like a card game.