Comments (17)
I sent out another mail with a request regarding the configuration (although I feel a bit weird about this since I didn't receive a reply to my last one). I'll keep this updated.
from opacclient.
maybe this helps? opacapp/opacapp-config-files@9c8d548
(-> "update library data" in app settings)
from opacclient.
Could you please give an answer once you have tested it? Thanks.
Same problem here with Stadtbibliothek Würzburg.
from opacclient.
Hm, strange. Unfortunately I will not be able to help further as the library does not have a support contract with us.
(see https://opac.app/de/support-policy/ for details)
from opacclient.
If the trust anchor is missing, it might be that customssl does fix it, but only with Google Play Services, not in the self-built assembleFoss/fdroid one.
from opacclient.
In the Google Play Services build, we use Google's SSL provider to improve lots of these issues, especially on older devices.
https://developer.android.com/training/articles/security-gms-provider
As Johan said, though, we won't spend resources on digging into library-specific issues much deeper without a support contract :)
from opacclient.
see also:
#559
But if you added the certificate to the app's own trust store, that should also be used without Google Play.
from opacclient.
Thanks for the information. I understand the lack of support contract problem.
For completeness, I tried calling openssl with the option to accept TLS1 connections:
$ openssl s_client -tls1 -CAfile opac-stadt-wuerzburg-de.pem -servername opac.stadt.wuerzburg.de -connect opac.stadt.wuerzburg.de:443
CONNECTED(00000003)
depth=0 CN = opac.stadt.wuerzburg.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = opac.stadt.wuerzburg.de
verify error:num=21:unable to verify the first certificate
verify return:1
140436286379136:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
---
Certificate chain
0 s:CN = opac.stadt.wuerzburg.de
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
subject=CN = opac.stadt.wuerzburg.de
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2232 bytes and written 143 bytes
Verification error: unable to verify the first certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1594147957
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
And ssllabs test:
https://www.ssllabs.com/ssltest/analyze.html?d=opac.stadt.wuerzburg.de
Looks rather like a server configuration problem to me (?), so I'll wait for a reply to my mail to the library.
from opacclient.
Addendum: The connection fails with the Google Play Store version and most recent library data as well. (Android 8, Google Play Services present)
07-08 21:21:11.954 16053 16502 W System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-08 21:21:11.954 16053 16502 W System.err: at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:com.google.android.gms@[email protected] (040304-316502805):25)
...
from opacclient.
It appears that the library updated its server configuration to support TLS 1.2. However, the app still complains about "Trust anchor for certification path not found.".
According to ssllabs, the server doesn't send the intermediate certificate.
Does it make sense to include the intermediate certificate in the trust store?
from opacclient.
Yes, adding the intermediate certificate to the trust store does make the library connection work again.
Would you accept a pull request with the intermediate certificate being added to the trust store?
from opacclient.
The better solution would be if the library server actually sent the intermediate certificate as part of the certificate chain, as the TLS spec requires. Most modern web browsers download missing intermediate certificates automatically, but this is not a behavior that the site operator should expect. For example, curl also can't connect:
$ curl https://opac.stadt.wuerzburg.de/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
If the library refuses to fix their configuration, we would accept a PR adding the intermediate certificate to the trust store.
from opacclient.
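To make the chain-building failure discussed in this thread concrete, here is an added example (not code from opacclient or from any commenter) in Go, whose standard library performs the same X.509 path validation a TLS client does. It constructs its own throwaway root, intermediate and leaf (a stand-in for the Sectigo chain, not the library's real certificates; the hostname is only a label and nothing is contacted over the network) and runs the three verifications the thread talks about: a server that sends only the leaf, which fails the way the app and openssl above do; a server that also sends the intermediate; and the client-side workaround of putting the intermediate into the app's own trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hostname is only the demo leaf's name; no connection is made to it.
const hostname = "opac.stadt.wuerzburg.de"

// demoPKI is a constructed root -> intermediate -> leaf chain; none of these are the library's certificates.
type demoPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub, parentKey any) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// template builds a CA template (ca=true) or a server leaf template for cn.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
	}
	return t
}

func buildDemoPKI() demoPKI {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := template(1, "Demo Root CA", true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := issue(template(2, "Demo Intermediate CA", true), root, &interKey.PublicKey, rootKey)
	leaf := issue(template(3, hostname, false), inter, &leafKey.PublicKey, interKey)
	return demoPKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// verifyLeaf does what a TLS client does after the Certificate message: `sent` are the
// extra certificates the server included with the leaf, `trusted` is the client's trust store.
func verifyLeaf(leaf *x509.Certificate, sent, trusted []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters})
	return err
}

// Misconfigured server (only the leaf is sent) and a client that trusts only the root: this is the
// thread's "Trust anchor for certification path not found" / "unable to get local issuer certificate".
func leafOnlyRootTrusted(p demoPKI) error {
	return verifyLeaf(p.Leaf, nil, []*x509.Certificate{p.Root})
}

// Correctly configured server: leaf and intermediate are both sent.
func fullChainRootTrusted(p demoPKI) error {
	return verifyLeaf(p.Leaf, []*x509.Certificate{p.Intermediate}, []*x509.Certificate{p.Root})
}

// Client-side workaround: server unchanged, but the intermediate sits in the app's trust store
// and is therefore accepted as an anchor.
func leafOnlyIntermediateTrusted(p demoPKI) error {
	return verifyLeaf(p.Leaf, nil, []*x509.Certificate{p.Root, p.Intermediate})
}

func main() {
	p := buildDemoPKI()
	fmt.Println("leaf only, root trusted:        ", leafOnlyRootTrusted(p))
	fmt.Println("leaf+intermediate, root trusted:", fullChainRootTrusted(p))
	fmt.Println("leaf only, intermediate trusted:", leafOnlyIntermediateTrusted(p))
}
```

Run it with `go run`; the first line prints an "unknown authority" error, the other two print `<nil>`. The third scenario is the workaround the thread settles on, and the example also shows its cost: the intermediate is now a trust anchor in its own right, so if the CA rotates that intermediate the app is back to the same failure until its trust store is updated, which is why the server-side fix is the one to prefer when the operator cooperates.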
Got a reply from the library:
[...]
thank you very much for your notice! The app you mention was created without
our involvement; we were never informed by the developer that we had been
added. Therefore we will not make any adjustments for it. Instead, our
screen catalogue has its own mobile version ( https://wuerzburg.bibdia-mobil.de/ ),
which runs without errors.
[...]
Tl;dr: The webserver config won't be fixed, they're referring to their mobile OPAC.
from opacclient.
Well, as I said, the config being wrong is not specific to the app, it probably also doesn't work on older systems/browsers that don't automatically fetch the intermediate certificates. But okay, in this case, adding the intermediate cert to the app's keystore is fine as well.
from opacclient.
PR #593 is merged, so it should work in the next update of the app.
from opacclient.