Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Quiver connection failure on Android #2619

Closed
bemasc opened this issue Jul 28, 2016 · 3 comments
Closed

Quiver connection failure on Android #2619

bemasc opened this issue Jul 28, 2016 · 3 comments
Assignees
@bemasc
Labels
P1

Comments

@bemasc
Copy link
Contributor

bemasc commented Jul 28, 2016
edited
Loading

On some servers, I'm seeing repeated timeouts leading to total connection failure, on Android. After some investigation, I've traced it to a specific error: "SSL handshake not completed", resultCode -148, when calling chrome.sockets.tcp.secure (provided by a CCA cordova plugin).

EDIT: After removing a lot of breakpoints, it looks like the deeper problem is actually that chrome.sockets.tcp.connect never calls its success or failure callback when connecting to the problematic domain.
@bemasc bemasc self-assigned this Jul 28, 2016
@bemasc
Copy link
Contributor Author

bemasc commented Jul 29, 2016

I've traced this into a reduced testcase in our Cordova plugin dependency: MobileChromeApps/cordova-plugin-chrome-apps-sockets-tcp#17

@bemasc
Copy link
Contributor Author

bemasc commented Aug 4, 2016

Using the reduced testcase, I've established that the CCA plugin for chrome.sockets.tcp doesn't support TLS-SNI. It appears that half of our front domains require SNI, while the other half do not. The domains that don't work all have similar DNS entries, suggesting that some common Cloudfront configuration (maybe the default) requires SNI.

The sockets plugin uses Java's SSLEngine API to implement SSL. This API has recently gained supported for SNI, but only starting in API 24 (Android N). Supporting SNI on earlier Android versions would be difficult. If supporting SNI on pre-N devices is necessary, our best option would seem to be writing a new Cordova plugin that provides the same sockets API but wraps a bundled native-code SSL library.

However, we can also rescue domain-fronting functionality by simply restricting the set of domains to ones that do not require SNI, and possibly along with some retry logic that changes the front domain.

bemasc added a commit to UWNetworksLab/freedom-social-quiver that referenced this issue Aug 4, 2016
@bemasc
Switch to front domains that don't require SNI.
ecd6b28 
If a connection fails when processing an invitation, retry with
a new front domain if possible.

Workaround for UWNetworksLab/uProxy-p2p#2619
@bemasc bemasc mentioned this issue Aug 4, 2016
Merged
bemasc added a commit to UWNetworksLab/freedom-social-quiver that referenced this issue Aug 10, 2016
@bemasc
Switch to front domains that don't require SNI. (#25)
51f27c1 
* Switch to front domains that don't require SNI.

If a connection fails when processing an invitation, retry with
a new front domain if possible.

Workaround for UWNetworksLab/uProxy-p2p#2619

* Improve alternate-front comments
@bemasc
Copy link
Contributor Author

bemasc commented Aug 11, 2016

This should be fixed by UWNetworksLab/freedom-social-quiver#25

@bemasc bemasc closed this as completed Aug 11, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bemasc bemasc

Labels
P1
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bemasc