TiDownloadManager throws javax.net.ssl.SSLHandshakeException when module is used #35

Closed
FokkeZB opened this issue Oct 9, 2015 · 4 comments

@FokkeZB
Contributor

FokkeZB commented Oct 9, 2015

With the following code:

var win = Ti.UI.createWindow({backgroundColor: 'white'});
var img = Ti.UI.createImageView({image: 'https://www.house-battle.com/icon/342_300_1444294452_254697914.png'});

win.add(img);

win.addEventListener('click', function() {
    var xhr = Ti.Network.createHTTPClient();
    xhr.open('GET', 'https://www.house-battle.com/icon/342_300_1444294452_254697914.png');
    xhr.send();
});

win.open();

The HTTPClient always works, but the image does not when the eu.rebelcorp.parse module is included (not even used) in the project:

[ERROR] TiDownloadManager: (pool-7-thread-1) [356,356] Exception downloading https://www.house-battle.com/icon/342_300_1444294452_254697914.png
[ERROR] TiDownloadManager: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[ERROR] TiDownloadManager:  at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:322)
[ERROR] TiDownloadManager:  at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:196)
[ERROR] TiDownloadManager:  at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:441)
[ERROR] TiDownloadManager:  at com.android.okhttp.Connection.upgradeToTls(Connection.java:175)
[ERROR] TiDownloadManager:  at com.android.okhttp.Connection.connect(Connection.java:155)
[ERROR] TiDownloadManager:  at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:276)
[ERROR] TiDownloadManager:  at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:211)
[ERROR] TiDownloadManager:  at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:382)
[ERROR] TiDownloadManager:  at com.android.okhttp.internal.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:332)
[ERROR] TiDownloadManager:  at com.android.okhttp.internal.http.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:199)
[ERROR] TiDownloadManager:  at com.android.okhttp.internal.http.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:210)
[ERROR] TiDownloadManager:  at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:25)
[ERROR] TiDownloadManager:  at java.net.URL.openStream(URL.java:470)
[ERROR] TiDownloadManager:  at org.appcelerator.titanium.util.TiDownloadManager$DownloadJob.run(TiDownloadManager.java:135)
[ERROR] TiDownloadManager:  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
[ERROR] TiDownloadManager:  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
[ERROR] TiDownloadManager:  at java.lang.Thread.run(Thread.java:818)
[ERROR] TiDownloadManager: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[ERROR] TiDownloadManager:  at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
[ERROR] TiDownloadManager:  at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219)
[ERROR] TiDownloadManager:  at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:114)
[ERROR] TiDownloadManager:  at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:550)
[ERROR] TiDownloadManager:  at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
[ERROR] TiDownloadManager:  at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318)
[ERROR] TiDownloadManager:  ... 16 more
[ERROR] TiDownloadManager: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
[ERROR] TiDownloadManager:  ... 22 more
@williamrijksen

@FokkeZB This week I ran into a similar issue on a Native Android module. Please take a look at this thread on Stack Overflow: http://stackoverflow.com/a/29946540. Might this be related to this problem as well?

@timanrebel
Owner

Looks like an incompatibility with the Parse SDK. Let me try updating the SDK to see if it solves the issue.

@jvandijk
Collaborator

Hey @FokkeZB have you ever been able to resolve this issue? I've most likely found the cause of it.

Somehow it seems that when you enable this module, the Titanium application is using different HTTP logic from Android 4.4 and up. Starting with that version OkHttp became available. If the SSL server has disabled SSLv3 and TLS 1.0, which it SHOULD(!), then the execution fails.
I've tried to upgrade to the latest version from Bolts and Parse, but that does not solve the problem.

The problem seems related to tidev/titanium-sdk#6807, where a fix was applied. But the TiDownloadManager seems to be something that does not use this logic and tries to do the SSL handshake on SSLv3 and TLS 1.0.

Security-wise, this is old, incorrect behaviour!

@jvandijk
Collaborator

@FokkeZB As said, I've been able to drill down the issue to the use of OkHttp. I experience the same kind of problems which are gone by distributing the latest OkHttp library along with this module.
It's weird behavior that Appcelerator should look into though, because Android M supports OkHttp only.

Version 0.12.0 resolves this issue.
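
Added example (not part of the original thread, and not code from the module or from Titanium): a small triage script for stack traces like the one in the report, which walks the "Caused by" chain to the root cause, separates a certificate-validation failure from a protocol-level one by exception type, and reports which HTTP stack ran the handshake based on the frame packages. The package-to-stack table, the category names and the function name are this example's own assumptions; SAMPLE_LOG is an abbreviated copy of the log lines above.

```javascript
// Constructed sample: lines copied from the report above, with most frames omitted.
const T = '[ERROR] TiDownloadManager: ';
const SAMPLE_LOG = [
  T + 'javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.',
  T + ' at com.android.okhttp.Connection.upgradeToTls(Connection.java:175)',
  T + ' at java.net.URL.openStream(URL.java:470)',
  T + ' at org.appcelerator.titanium.util.TiDownloadManager$DownloadJob.run(TiDownloadManager.java:135)',
  T + 'Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.',
  T + ' at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)',
  T + 'Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.',
  T + ' ... 22 more',
].join('\n');
const PREFIX = /^\[\w+\]\s+[\w.$-]+:\s?/;                 // "[LEVEL] Tag: " in front of every line
const THROWABLE = /^(?:Caused by: )?((?:[\w$]+\.)+[\w$]*(?:Exception|Error)): ?(.*)$/;
const FRAME = /^\s*at ((?:[\w$]+\.)+)[\w$<>]+\(/;         // captures "package.Class."
const PLATFORM = /^(java|javax|android|com\.android|dalvik)\./;
// Assumption of this example: package prefix identifies the HTTP stack that ran the handshake.
const HTTP_STACKS = [
  ['com.android.okhttp.', 'platform OkHttp (repackaged inside Android)'],
  ['com.squareup.okhttp.', 'app-bundled OkHttp 2.x'],
  ['okhttp3.', 'app-bundled OkHttp 3+'],
];
// Assumption of this example: root exception type decides the failure category.
const CATEGORIES = [
  ['java.security.cert.CertPathValidatorException', 'certificate-validation'],
  ['java.security.cert.CertificateException', 'certificate-validation'],
  ['javax.net.ssl.SSLProtocolException', 'protocol-negotiation'],
];
function triageTlsTrace(log) {
  const causes = [], frames = [];
  for (const raw of log.split('\n')) {
    const line = raw.replace(PREFIX, '');
    const frame = FRAME.exec(line);
    const thrown = frame ? null : THROWABLE.exec(line.trim());
    if (frame) frames.push(frame[1]);
    else if (thrown) causes.push({ type: thrown[1], message: thrown[2] });
  }
  if (causes.length === 0) return null;            // no Java throwable in this log
  const root = causes[causes.length - 1];          // the last "Caused by" is the root cause
  const stack = HTTP_STACKS.find(([pkg]) => frames.some(f => f.startsWith(pkg)));
  const kind = CATEGORIES.find(([type]) => type === root.type);
  const appFrame = frames.find(f => !PLATFORM.test(f));  // first non-platform caller
  return {
    rootCause: root.type, message: root.message,
    category: kind ? kind[1] : 'unknown', httpStack: stack ? stack[1] : 'unknown',
    initiator: appFrame ? appFrame.replace(/\.$/, '') : null,
  };
}
```

Run against the full log from the report, the same function gives the same classification, since the omitted frames are all in platform packages.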
