Secure connection to Stadtbibliothek Würzburg failed #582
Comments
Maybe this helps? opacapp/opacapp-config-files@9c8d548
Could you please give an answer when you tested it? Thanks.
Updating the library data via app settings didn't help.
The problem also occurs with Android 8.
I also wrote a mail to the library regarding their web server setup.
Hm, strange. Unfortunately I will not be able to help further as the library does not have a support contract with us.
If the trust anchor is missing, it might be that
@raphaelm
Can you provide some info / links? How come Google Play Services would help? (I have microG installed)
I also tried adding the root certificate to the Android certificate store via the device settings previously, which didn't really help either (I could get the connection to work once with that if I remember correctly, only after a device reboot, but that doesn't make any sense to me)
In the Google Play Services build, we use Google's SSL provider to improve lots of these issues, especially on older devices. As Johan said, though, we won't spend resources on digging into library-specific issues much deeper without a support contract :)
See also:
Thanks for the information. I understand the lack of support contract problem. For completeness, I tried calling openssl with the option to accept TLS1 connections:
And the ssllabs test: Looks rather like a server configuration problem to me (?), so I'll wait for a reply to my mail to the library.
Addendum: The connection fails with the Google Play Store version and most recent library data as well. (Android 8, Google Play Services present)
It appears like the library updated its server configuration to support TLS 1.2. However, the app still complains about "Trust anchor for certification path not found." According to ssllabs, the server doesn't send the intermediate certificate. Does it make sense to include the intermediate certificate in the trust store?
Yes, adding the intermediate certificate to the trust store does make the library connection work again. Would you accept a pull request with the intermediate certificate being added to the trust store?
The better solution would be if the library server actually sent the intermediate certificate as part of the certificate chain, as the TLS spec requires. Most modern web browsers download missing intermediate certificates automatically, but this is not a behavior that the site operator should expect. For example,
If the library refuses to fix their configuration, we would accept a PR adding the intermediate certificate to the trust store.
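The three situations discussed above (server sends only the leaf, server sends the intermediate, client pins the intermediate in its own store) can be reproduced offline with the openssl CLI. The script below is an added example and not code from the opacclient project or the library: it constructs a throwaway root -> intermediate -> leaf chain (the names "Demo Root CA", "Demo Intermediate CA" and "opac.example" are made up) and runs `openssl verify` under each trust configuration. It assumes an openssl binary with `req`, `x509` and `verify` on PATH.

```shell
#!/bin/sh
# Added demonstration, not opacclient code: build a constructed
# root -> intermediate -> leaf chain and show why a server that omits
# the intermediate fails validation, and which two fixes make it pass.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue one certificate.
#   $1 key file to create, $2 subject CN, $3 output cert, $4 extension file,
#   $5/$6 issuer cert/key (omit both for the self-signed root).
issue_cert() {
  key=$1; cn=$2; out=$3; ext=$4
  openssl ecparam -name prime256v1 -genkey -noout -out "$key"
  openssl req -new -key "$key" -subj "/CN=$cn" -out "$out.csr" 2>/dev/null
  if [ $# -ge 6 ]; then
    openssl x509 -req -in "$out.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
      -days 2 -extfile "$ext" -out "$out" 2>/dev/null
  else
    openssl x509 -req -in "$out.csr" -signkey "$key" \
      -days 2 -extfile "$ext" -out "$out" 2>/dev/null
  fi
}

# Constructed chain: a CA root, a CA intermediate signed by it, and a
# server (leaf) certificate signed by the intermediate.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:opac.example\n' \
    > "$WORK/leaf.ext"
  issue_cert "$WORK/root.key" "Demo Root CA"         "$WORK/root.pem" "$WORK/ca.ext"
  issue_cert "$WORK/int.key"  "Demo Intermediate CA" "$WORK/int.pem"  "$WORK/ca.ext" \
    "$WORK/root.pem" "$WORK/root.key"
  issue_cert "$WORK/leaf.key" "opac.example"         "$WORK/leaf.pem" "$WORK/leaf.ext" \
    "$WORK/int.pem" "$WORK/int.key"
}

# Case 1: the client trusts only the root and the server presents only the
# leaf. openssl says "unable to get local issuer certificate"; Android reports
# the same situation as "Trust anchor for certification path not found".
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 2: the server sends the intermediate as part of its chain. -untrusted
# models a chain certificate received over TLS: it may be used to build the
# path but is not itself a trust anchor. This is the fix on the server side.
verify_server_sends_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case 3: the client adds the intermediate to its own trust store next to the
# root (the workaround taken in this thread). Works, but the app must ship a
# new store whenever the CA rotates that intermediate.
verify_intermediate_in_store() {
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/store.pem"
  openssl verify -CAfile "$WORK/store.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

report() {
  if "$1"; then echo "$1: accepted"; else echo "$1: REJECTED"; fi
}

make_chain
report verify_leaf_only
report verify_server_sends_chain
report verify_intermediate_in_store
```

To see which of these cases a real server is in, `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` prints every certificate the server presents; if only the leaf appears, the intermediate is missing and clients that do not fetch it themselves (Android's default trust manager, older browsers) will reject the connection exactly as in case 1.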
I sent out another mail with a request regarding the configuration (although I feel a bit weird about this since I didn't receive a reply to my last one). I'll keep this updated. |
Got a reply from the library:
Tl;dr: The webserver config won't be fixed, they're referring to their mobile OPAC. |
Well, as I said, the config being wrong is not specific to the app, it probably also doesn't work on older systems/browsers that don't automatically fetch the intermediate certificates. But okay, in this case, adding the intermediate cert to the app's keystore is fine as well.
PR #593 is merged, so it should work in the next update of the app. |
See also issue #577
Same issue as in this ticket.
Stadtbibliothek Würzburg uses the same Root Certificate, so I thought the linked issue fixed this.
I added the root certificate as mentioned in the linked issue anyway. The output said:
However, I'm still getting the error message.
I deleted all app data and re-added the library, didn't change the behavior.
adb logcat says
Also, both Firefox 78 and openssl 1.1.1d complain about an old TLS version when visiting the URL (https://opac.stadt.wuerzburg.de) - is this related?
(This also means I had to save the root certificate via Firefox, and change the add_certificate script accordingly, since openssl wouldn't accept it)
opacapp:assembleFossRelease