Add iOS security provider for SSL (to be returned by SSLContext.getInstance()). #679

Closed
gistya opened this issue Dec 11, 2015 · 5 comments
@gistya gistya commented Dec 11, 2015

In SSLContext.H, the method JavaxNetSslSSLContext_getInstanceWithNSString_: fails with the JavaSecurityNoSuchAlgorithmException for "TLS" and "TSLv1.2" strings, which should be supported, on iOS 9.2. Anybody know why? The stack trace has JavaSecurityNoSuchAlgorithmException with OrgApacheHarmonySecurityFortressEngine_notFoundWithNSString_withNSString_ at the top.

Collaborator

@tomball tomball commented Dec 11, 2015

There needs to be an iOS security provider for SSL, which hasn't been implemented. The problem is that the unimplemented providers all depend on each other, so it's a huge wad of code that must work perfectly on the first draft.

If anyone has security experience, we'd love help on this -- the actual security support is in the iOS Security Framework, so it's a matter of correctly mapping Java's requirements to the Security Framework's capabilities.
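
An added diagnostic, not part of the original thread or the J2ObjC code base: it lists every registered security provider that offers an `SSLContext` service, then attempts the same `SSLContext.getInstance()` lookups the issue reports as failing. It uses only standard `java.security` and `javax.net.ssl` calls; the class name `SslProviderProbe` and its method names are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Hypothetical diagnostic class (added example, not J2ObjC code).
public class SslProviderProbe {

    // Returns "provider: algorithm" for every SSLContext service that any
    // registered provider advertises. An empty list means getInstance()
    // has nothing to resolve against and must throw.
    static List<String> sslContextServices() {
        List<String> found = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    found.add(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
        return found;
    }

    // Performs the lookup from the issue; returns the name of the provider
    // that satisfied it, or null when no provider implements the protocol.
    static String resolve(String protocol) {
        try {
            return SSLContext.getInstance(protocol).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        List<String> services = sslContextServices();
        if (services.isEmpty()) {
            System.out.println("No provider registers an SSLContext service");
        }
        for (String s : services) {
            System.out.println(s);
        }
        for (String protocol : new String[] {"TLS", "TLSv1.2"}) {
            String provider = resolve(protocol);
            System.out.println(protocol + " -> "
                + (provider == null ? "NoSuchAlgorithmException" : provider));
        }
    }
}
```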

Author

@gistya gistya commented Dec 11, 2015

Maybe there's a way to do this, but it would have to be done at a low level, and I'm not sure how to approach that yet. One of the problems is that Java's API for SSL over HTTP allows for some security exceptions (like ignoring hostname mismatch) that cannot be done on iOS with NSURLSession due to Apple's tighter security restrictions. So I don't know that a direct mapping is even possible without relying on Core Foundation HTTP methods, which are now deprecated. There are a lot of problems caused by these new restrictions for people networking with devices over LANs (where they are just using Ethernet as, essentially, a glorified serial port, but they have to use HTTPS to be PCI-compliant, etc.). Apple's Application Transport Security restrictions on iOS 9 by default require forward secrecy and hostname matching etc., and there's no way to programmatically get around that. ATS has to be disabled in the app's info.plist.

I'm going to have to solve it one way or the other, though, so if my solution is something I can make a pull request out of for you, then I will :D

Collaborator

@tomball tomball commented Dec 11, 2015

I suggest asking on StackOverflow, as this sounds like an iOS issue independent of what language the app is written in. A J2ObjC hack isn't an option here, as we can't offer a weaker security model than what Apple provides. My guess is you aren't the first developer affected by these new restrictions, though, so hopefully workarounds are starting to surface or Apple will soon realize the error of their ways.

@tomball tomball changed the title from "JavaxNetSslSSLContext_getInstanceWithNSString_ fails" to "Add iOS security provider for SSL (to be returned by SSLContext.getInstance())." Feb 17, 2016
@tomball tomball added the enhancement label Feb 17, 2016

@alexander-larsson alexander-larsson commented Dec 22, 2016

I saw this issue and I thought that it is probably the best place to ask this question.

I'm working on an app that constantly throws NoSuchAlgorithmException on every single call to the API. But it seems like that does not matter since if I run the app on the emulator and check the traffic in Wireshark it is all sent using TLSv1.2. How is this possible?

I can just comment out all the code (in the generated Obj-C) related to this call and it still works. If you do the same on Android (in the Java source), it fails. Is there some kind of "quick fix" involved that makes this work?

I'm still using J2ObjC 1.1 if that matters.

Member

@antonio-cortes-perez antonio-cortes-perez commented Nov 27, 2018

A basic SSL socket client was implemented in version J2ObjC 2.3. Please open a new issue if more functionality is required. Also, please consider contributing to this effort.
