Comments (17)

dueringa avatar dueringa commented on June 27, 2024 1

I sent out another mail with a request regarding the configuration (although I feel a bit weird about this since I didn't receive a reply to my last one). I'll keep this updated.

from opacclient.

johan12345 avatar johan12345 commented on June 27, 2024

maybe this helps? opacapp/opacapp-config-files@9c8d548
(-> "update library data" in app settings)

frankenpfalz avatar frankenpfalz commented on June 27, 2024

Could you please give an answer when you tested it? Thanks.
Same problem here with Stadtbibliothek Würzburg.

dueringa avatar dueringa commented on June 27, 2024

johan12345 avatar johan12345 commented on June 27, 2024

Hm, strange. Unfortunately I will not be able to help further as the library does not have a support contract with us.
(see https://opac.app/de/support-policy/ for details)

raphaelm avatar raphaelm commented on June 27, 2024

If the trust anchor is missing, it might be that customssl does fix it, but only with google play services, not in the self-built assembleFoss/fdroid one.

dueringa avatar dueringa commented on June 27, 2024

raphaelm avatar raphaelm commented on June 27, 2024

In the google play services build, we use Google's SSL provider to improve lots of these issues, especially on older devices.
https://developer.android.com/training/articles/security-gms-provider

As Johan said, though, we won't spend resources on digging into library-specific issues much deeper without a support contract :)

johan12345 avatar johan12345 commented on June 27, 2024

see also:
#559
But if you added the certificate to the app's own trust store, that should also be used without Google Play.

dueringa avatar dueringa commented on June 27, 2024

Thanks for the information. I understand the lack of support contract problem.

For completeness, I tried calling openssl with the option to accept TLS1 connections:

$ openssl s_client -tls1 -CAfile opac-stadt-wuerzburg-de.pem  -servername opac.stadt.wuerzburg.de -connect opac.stadt.wuerzburg.de:443
CONNECTED(00000003)
depth=0 CN = opac.stadt.wuerzburg.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = opac.stadt.wuerzburg.de
verify error:num=21:unable to verify the first certificate
verify return:1
140436286379136:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
---
Certificate chain
 0 s:CN = opac.stadt.wuerzburg.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
subject=CN = opac.stadt.wuerzburg.de

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
---
SSL handshake has read 2232 bytes and written 143 bytes
Verification error: unable to verify the first certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1594147957
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---

And ssllabs test:
https://www.ssllabs.com/ssltest/analyze.html?d=opac.stadt.wuerzburg.de

Looks rather like a server configuration problem to me (?), so I'll wait for a reply to my mail to the library.

dueringa avatar dueringa commented on June 27, 2024

Addendum: The connection fails with the Google Play Store version and most recent library data as well. (Android 8, Google Play Services present)

07-08 21:21:11.954 16053 16502 W System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-08 21:21:11.954 16053 16502 W System.err: 	at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:com.google.android.gms@[email protected] (040304-316502805):25)
...

dueringa avatar dueringa commented on June 27, 2024

It appears that the library updated its server configuration to support TLS1.2. However, the app still complains about "Trust anchor for certification path not found.".

According to ssllabs, the server doesn't send the intermediate certificate.

Does it make sense to include the intermediate certificate in the trust store?

dueringa avatar dueringa commented on June 27, 2024

Yes, adding the intermediate certificate to the trust store does make the library connection work again.

Would you accept a pull request with the intermediate certificate being added to the trust store?

johan12345 avatar johan12345 commented on June 27, 2024

The better solution would be if the library server actually sent the intermediate certificate as part of the certificate chain, as the TLS spec requires. Most modern web browsers download missing intermediate certificates automatically, but this is not a behavior that the site operator should expect. For example, curl also can't connect:

$ curl https://opac.stadt.wuerzburg.de/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If the library refuses to fix their configuration, we would accept a PR adding the intermediate certificate to the trust store.

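To make the missing-intermediate problem described above checkable, here is an added Python example (not opacclient's or the library's code) that parses the "Certificate chain" section of `openssl s_client` output and reports every issuer the client can find neither among the served certificates nor in its trust store. The incomplete sample is the chain from the thread's own openssl output; the complete sample and the USERTrust root DN are constructed/assumed for illustration.

```python
import re
import subprocess

# Constructed sample: the "Certificate chain" block as the thread's openssl output shows
# it; the server sends only its leaf and omits the Sectigo intermediate.
SAMPLE_INCOMPLETE = """\
Certificate chain
 0 s:CN = opac.stadt.wuerzburg.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
"""
SECTIGO_DV_CA = ("C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, "
                 "CN = Sectigo RSA Domain Validation Secure Server CA")
# Assumed root DN, used here only as the trust-store entry the intermediate chains to.
USERTRUST_ROOT = "C = US, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority"
# Constructed sample of a correctly configured server that also sends the intermediate.
SAMPLE_COMPLETE = f"""\
Certificate chain
 0 s:CN = example.invalid
   i:{SECTIGO_DV_CA}
 1 s:{SECTIGO_DV_CA}
   i:{USERTRUST_ROOT}
---
"""
CHAIN_RE = re.compile(r"^ *\d+ s:(.+)\n +i:(.+)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in CHAIN_RE.finditer(s_client_output)]

def missing_issuers(chain, trusted_subjects):
    """Issuers the client cannot find: neither sent by the server nor in its trust store.
    Non-empty means OpenSSL verify error 20/21 or Android's 'Trust anchor ... not found'."""
    served = {subject for subject, _ in chain}
    return [issuer for _, issuer in chain
            if issuer not in served and issuer not in trusted_subjects]

def live_chain(host, port=443):
    """Same check against a real server: run openssl s_client and parse its output."""
    cmd = ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"]
    return parse_chain(subprocess.run(cmd, input="", capture_output=True, text=True).stdout)

if __name__ == "__main__":
    store = {USERTRUST_ROOT}
    print(missing_issuers(parse_chain(SAMPLE_INCOMPLETE), store))  # the Sectigo intermediate
    print(missing_issuers(parse_chain(SAMPLE_COMPLETE), store))    # []
    # App-side workaround from this thread (PR #593): trust the intermediate directly.
    print(missing_issuers(parse_chain(SAMPLE_INCOMPLETE), store | {SECTIGO_DV_CA}))  # []
```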

dueringa avatar dueringa commented on June 27, 2024

Got a reply from the library:

[...]
thank you very much for your notice! The app you mention was created without
our involvement; we were never informed by the developer about its inclusion.
Therefore we will not make any adjustments for it. Instead, our online
catalogue has its own mobile version ( https://wuerzburg.bibdia-mobil.de/ ),
which runs without errors.
[...]

Tl;dr: The webserver config won't be fixed, they're referring to their mobile OPAC.

johan12345 avatar johan12345 commented on June 27, 2024

Well, as I said, the config being wrong is not specific to the app, it probably also doesn't work on older systems/browsers that don't automatically fetch the intermediate certificates. But okay, in this case, adding the intermediate cert to the app's keystore is fine as well.

johan12345 avatar johan12345 commented on June 27, 2024

PR #593 is merged, so it should work in the next update of the app.