Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom https-cert causes infinite hang at startup #2067

Open
brad2014 opened this issue Mar 7, 2024 · 2 comments
Open

Custom https-cert causes infinite hang at startup #2067

brad2014 opened this issue Mar 7, 2024 · 2 comments

Comments

@brad2014
Copy link

brad2014 commented Mar 7, 2024
edited
Loading

I have set the syncthing web gui listen address to 0.0.0.0:8384 and imported a custom https-cert.pem / https-key.pem with CN=myphone.mydomain.com signed by my home lab's CA.

With the most recent App version, this causes syncthing to go into an infinite hang upon startup. It appears that PollWebGuiAvailTask throws an error if the certificate does not validate (maybe because it doesn't detect my home lab root CA cert in the Android trust store, or the CN/SNI of the certificate is not what is required?).

Expected behavior

Any of these (roughly in order of usability):

  • accept the certificate (which makes sense since the phone owner put it there, which is the ultimate assertion of its validity)
  • when the local app is connecting to the local web server, do not attempt or validate https (so no certificate is required for local use), and only offer the certificate to remote web clients. Makes sense since the native app talking to the native web GUI is secure without SSL. Demote "unverified https-cert" from an error to a warning.
  • show an error message instead of hanging (perhaps with an option to replace the unacceptable certificates with generated ones in order to continue).

Actual behavior

Upon startup, the app hangs with a spinner in an infinite loop. Logcat continuously repeats this error:

03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: Unexpected error while polling web gui
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: error:1a000064:ECDSA routines:OPENSSL_internal:BAD_SIGNATURE
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.volley.toolbox.NetworkUtility.shouldRetryException(NetworkUtility.java:173)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:145)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:132)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:111)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:90)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: Caused by: javax.net.ssl.SSLHandshakeException: error:1a000064:ECDSA routines:OPENSSL_internal:BAD_SIGNATURE
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:356)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:896)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:236)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:218)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:196)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:153)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:116)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:186)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:128)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:97)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:289)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:232)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:465)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:411)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:542)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:106)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:30)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.volley.toolbox.HurlStack.executeRequest(HurlStack.java:91)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:104)
03-07 12:34:20.421 24771 24771 W PollWebGuiAvailableTask: 	... 3 more

Version Information

App Version: 1.27.3
Syncthing Version: 1.27.3
Android Version: Android 14

Workaround

Open to ideas. Goal is to present the syncthing web gui as a trusted site in my domain.
@imsodin
Copy link
Member

imsodin commented Mar 10, 2024

Open to ideas. Goal is to present the syncthing web gui as a trusted site in my domain.

I tink you can add CAs to the android's system store. So you could add your home-labs CA there, which should help if it's the missing root cert that's the issue here.

@brad2014
Copy link
Author

brad2014 commented Mar 10, 2024
edited
Loading

So you could add your home-labs CA there

Sorry if unclear - when I said, "it doesn't detect my home lab root CA cert in the Android trust store," I meant that my CA was already added when the error occurred.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brad2014 @imsodin