Hi,
I have a titanium app that uses createHTTPClient to initiate a call to the server.
var xhr = Ti.Network.createHTTPClient({ timeout : 30000 });everything is fine.
when the server was configured to protect against the POODLE vulnerability and removed support for SSL2/3 resulting in my code now breaks on Android, while iOS works fine.
it seems titanium is still trying to use SSL on Android while using TLS1 for iOS (which works).
I need to be able to tell titanium to use TLS on Android too but can't find a way to do so.
this is the error I see on logcat
I/System.out( 472): TiHttpClient-4 calls detatch() E/TiHttpClient( 472): (TiHttpClient-4) [6,3498] HTTP Error (javax.net.ssl.SSLPeerUnverifiedException): No peer certificate E/TiHttpClient( 472): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate E/TiHttpClient( 472): at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146) E/TiHttpClient( 472): at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93) E/TiHttpClient( 472): at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388) E/TiHttpClient( 472): at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:191) E/TiHttpClient( 472): at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:167) E/TiHttpClient( 472): at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) E/TiHttpClient( 472): at org.apache.http.impl.client.DefaultRequestDirector.executeOriginal(DefaultRequestDirector.java:1179) E/TiHttpClient( 472): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:644) E/TiHttpClient( 472): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555) E/TiHttpClient( 472): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:653) E/TiHttpClient( 472): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:637) E/TiHttpClient( 472): at ti.modules.titanium.network.TiHTTPClient$ClientRunnable.run(TiHTTPClient.java:1271) E/TiHttpClient( 472): at java.lang.Thread.run(Thread.java:841)when trying from the command line this
openssl s_client -connect api.education.i-in.co.il:443 -state -debugreturns
SSL3 alert read:fatal:handshake failure SSL_connect:failed in SSLv3 read server hello A 42464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:1125:SSL alert number 40 42464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s3_pkt.c:546:while
openssl s_client -connect api.education.i-in.co.il:443 -state -debug -tls1succeeds
I guess most servers have been or will be protected the same way, which will break SSL2/3 based apps.
what can I do?
thanks