AD RMS with Mobile Device Extension for on-prem rpmsg decryption fails with "The service didn't accept the auth token" - microsoft-information-protection

I am using the MIP SDK to try to decrypt rpmsg files. I have this working in my environment, but I cannot get it to work in my customer's environment. At this stage, the call to create a file handler fails with this log trace:
Error 2022-04-28 11:11:08.849 http_director_impl.cpp:258 LinkWorksite (2960) "HTTP operation failed Failed with: [AccessDeniedError: 'The service didn't accept the auth token. Challenge:['Bearer realm=""api.rms.rest.com"", authorization=""https://adfs.rrrrrrr.com/adfs/oauth2/authorize""']']" mipns::HttpDirectorImpl::OnHttpOperationFailed 4660
Error 2022-04-28 11:11:08.849 protection_engine_impl.cpp:797 LinkWorksite (2960) "Failed API call: protection_engine_create_consuming_protection_handler Failed with: [AccessDeniedError: 'The service didn't accept the auth token. Challenge:['Bearer realm=""api.rms.rest.com"", authorization=""https://adfs.rrrrrrr.com/adfs/oauth2/authorize""'], CorrelationId=c824d818-37ad-4309-b327-051da5e2f477, CorrelationId.Description=ProtectionEngine']" mipns::ProtectionEngineImpl::CreateProtectionHandlerForConsumption 4660
Warning 2022-04-28 11:11:08.849 common/api_utils.h:249 LinkWorksite (2960) "Start calling error callback for API: protection_engine_create_consuming_protection_handler" mipns::TryExecuteFailureCallback::<lambda_ee801bdedc20f37e6b5feb9b736714ff>::operator () 4660
Warning 2022-04-28 11:11:08.849 common/api_utils.h:251 LinkWorksite (2960) "Ended calling error callback for API: protection_engine_create_consuming_protection_handler" mipns::TryExecuteFailureCallback::<lambda_ee801bdedc20f37e6b5feb9b736714ff>::operator () 4660
Trace 2022-04-28 11:11:08.849 oneds_telemetry_delegate.cpp:40 LinkWorksite (2960) "OneDSTelemetryDelegate::WriteEvent(protection_engine_create_consuming_protection_handler)" mipns::OneDSTelemetryDelegate::WriteEvent 4660
Trace 2022-04-28 11:11:08.849 oneds_helper.cpp:293 LinkWorksite (2960) "OneDsHelper::WriteEvent(protection_engine_create_consuming_protection_handler)" mipns::OneDSHelper::WriteTelemetryEvent 4660
Info 2022-04-28 11:11:08.849 diagnostic_utils.cpp:73 LinkWorksite (2960) "Send Telemetry. Event Name : [protection_engine_create_consuming_protection_handler]
App.ApplicationId: [adfasefas-9023-4a44-9a5e-9369d10bdbb5], Pii: [None]
App.ApplicationName: [Link Documents MIP Integration], Pii: [None]
App.ApplicationVersion: [2.1.1], Pii: [None]
App.SessionId: [], Pii: [None]
Engine.SessionId: [], Pii: [None]
Event.CorrelationId: [c824d818-37ad-4309-b327-051da5e2f477], Pii: [None]
Event.CorrelationIdDescription: [ProtectionEngine], Pii: [None]
Event.Duration: [0.569734], Pii: [None]
Event.ErrorType: [AccessDeniedError], Pii: [None]
Event.Failed.File: [src\protection\api_impl\protection_engine_impl.cpp], Pii: [None]
Event.Failed.Func: [mipns::ProtectionEngineImpl::CreateProtectionHandlerForConsumption::<lambda_a8fc66003c9962d3cc715d8ff0880d0a>::operator ()], Pii: [None]
Event.Failed.Line: [727], Pii: [None]
Event.Failed.Message: [Failed to create protection handler. Failed with: [AccessDeniedError: 'The service didn't accept the auth token. Challenge:['Bearer realm=""api.rms.rest.com"", authorization=""https://adfs.rrrrrrr.com/adfs/oauth2/authorize""'], CorrelationId=c824d818-37ad-4309-b327-051da5e2f477, CorrelationId.Description=ProtectionEngine']], Pii: [None]
Event.ParentCorrelationId: [50c0b566-3e8c-4308-8518-6b0ee17ac510], Pii: [None]
Event.ParentCorrelationIdDescription: [ProtectionProfile], Pii: [None]
Event.UniqueId: [7805865d-bd65-4e0c-8097-5e36ca195739], Pii: [None]
EventInfo.Level: [10], Pii: [None]
EventInfo.PrivTags: [33554432], Pii: [None]
MIP.Version: [1.11.64], Pii: [None]
PL.KeyType: [Single], Pii: [None]
iKey: [ce9aa5fb5a414ecebb15af10715bd8ff-831d197e-fc97-4df6-b998-c8c13a0fc3ce-6768], Pii: [None]
" mipns::WriteTelemetryEventToLog 4660
Info 2022-04-28 11:11:08.849 protection_engine_impl.cpp:797 LinkWorksite (2960) "Ended API call: protection_engine_create_consuming_protection_handler" mipns::ProtectionEngineImpl::CreateProtectionHandlerForConsumption 4660
At first glance, it appears that the AD FS setup must be incorrect. However, I have gone back and forth through the documentation without any clear idea how this could happen. Any advice or experience with this issue and how to resolve it would be very helpful.

It turns out that the problem here was an expired "Trusted User Domain" certificate. Take a look here for a full explanation:
https://social.technet.microsoft.com/wiki/contents/articles/33666.expired-adrms-tud-including-live-id-support-may-cause-mobile-device-support-to-fail.aspx

Related

how to set up node-http-mitm-proxy (certificate) with Android phone

My goal is to route and record the traffic from an Android phone (Chrome or my own app) over a proxy. I would like to use this one: https://github.com/joeferner/node-http-mitm-proxy
After configuring my phone's Wi-Fi settings (IP and port of the desktop machine) and trying to load a page in mobile Chrome, I am now facing a "Your connection is not private" dialog. On the desktop my proxy displays the following:
HTTPS_CLIENT_ERROR on : [Error: 8190125312:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46
] {
library: 'SSL routines',
function: 'ssl3_read_bytes',
reason: 'sslv3 alert certificate unknown',
code: 'ERR_SSL_SSLV3_ALERT_CERTIFICATE_UNKNOWN'
}
I guess this is somehow related to certificates, but can someone point me in the right direction on how to solve this issue?
This is how it's done for Charles Proxy: https://stackoverflow.com/a/39227880/457059. I am just clueless about which certificate to install on the Android side when using node-http-mitm-proxy.

LOCKED_RECORD_INFO_BLOCK

I can't keep myself logged in to the admin panel.
I can log in to the admin panel, but after clicking any link in the menu, this action redirects me to the logoff of the admin panel.
These are the logs from var/log/debug:
LOCKED_RECORD_INFO_BLOCK
[2020-06-17 18:13:56] main.DEBUG: cache_invalidate: {"method":"POST","url":"http://local.com.br/adminadmin/admin/index/index/key/0097129e6ac9734d9df46986f7e4229af69b1fa4fda4fe22fdb4d810c4a45b6c/","invalidateInfo":{"tags":["BACKEND_MAINMENU"],"mode":"matchingAnyTag"}} []
[2020-06-17 18:13:56] main.DEBUG: Request validation failed for action "Magento\Backend\Controller\Adminhtml\Index\Index\Interceptor" {"exception":"[object] (Magento\\Framework\\App\\Request\\InvalidRequestException(code: 0): Invalid request received at /var/www/vendor/magento/module-backend/App/Request/BackendValidator.php:176)"} []
[2020-06-17 18:13:57] main.DEBUG: cache_invalidate: {"method":"GET","url":"http://local/adminadmin/admin/dashboard/index/key/ff3cb02e431b818aeb20d66951f6996550eca2fd529e1b408c603949be756da0/","invalidateInfo":{"identifier":"LOCKED_RECORD_INFO_BLOCK_c2d0e379ddf3cdab54f7ae12e1857228ed047058"}} []
[2020-06-17 18:13:58] main.ERROR: Unable to resolve the source file for 'adminhtml/Magento/backend/pt_BR/tinymce.js' [] []
[2020-06-17 18:13:58] main.CRITICAL: Unable to resolve the source file for 'adminhtml/Magento/backend/pt_BR/tinymce.js' [] []

How to resolve Javax.Net.Ssl.SSLHandshakeException in xamarin forms

I am working on an application in Xamarin Forms for Android and iOS. The app is getting data from a REST API, and it was working fine till yesterday, but today some SSL issues were fixed by the server admin. Now the REST API is working fine from the Chrome browser and we are getting data. It is even working on Visual Studio for Mac and working fine on the simulator.
But on Android it is not working. I have checked the domain with https://www.digicert.com/help/ and it gives the OK result: "Congratulations! This certificate is correctly installed."
I am using the below code:
// Synchronous call to the REST API (blocks on .Result)
var response = client.GetAsync(urlCategories).Result;
string content = "";
if (response.IsSuccessStatusCode)
{
    var responseContent = response.Content;
    content = responseContent.ReadAsStringAsync().Result;
}
Below is the complete stack trace of the error:
{Javax.Net.Ssl.SSLHandshakeException:
Chain validation failed ---> Java.Security.Cert.CertificateException:
Chain validation failed ---> Java.Security.Cert.CertPathValidatorException:
OCSP response does not include a response for a certificate supplied in the OCSP request ---> Java.Security.Cert.CertPathValidatorException:
OCSP response does not include a response for a certificate supplied in the OCSP request
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at Java.Interop.JniEnvironment+InstanceMethods.CallVoidMethod (Java.Interop.JniObjectReference instance, Java.Interop.JniMethodInfo method, Java.Interop.JniArgumentValue* args) [0x00069] in <42dc777b518744fdae9988e94489a4a0>:0
at Java.Interop.JniPeerMembers+JniInstanceMethods.InvokeAbstractVoidMethod (System.String encodedMember, Java.Interop.IJavaPeerable self, Java.Interop.JniArgumentValue* parameters) [0x00014] in <42dc777b518744fdae9988e94489a4a0>:0
at Javax.Net.Ssl.HttpsURLConnectionInvoker.Connect () [0x0000a] in <1219ce5aae934ab095dc0e05b2110050>:0
at Xamarin.Android.Net.AndroidClientHandler+<>c__DisplayClass43_0.<ConnectAsync>b__0 () [0x0005a] in <1219ce5aae934ab095dc0e05b2110050>:0
at System.Threading.Tasks.Task.InnerInvoke () [0x0000f] in <d4a23bbd2f544c30a48c44dd622ce09f>:0
at System.Threading.Tasks.Task.Execute () [0x00000] in <d4a23bbd2f544c30a48c44dd622ce09f>:0
--- End of stack trace from previous location where exception was thrown ---
at Xamarin.Android.Net.AndroidClientHandler+<DoProcessRequest>d__45.MoveNext () [0x0012e] in <1219ce5aae934ab095dc0e05b2110050>:0
--- End of stack trace from previous location where exception was thrown ---
at Xamarin.Android.Net.AndroidClientHandler+<SendAsync>d__40.MoveNext () [0x00230] in <1219ce5aae934ab095dc0e05b2110050>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.HttpClient+<SendAsyncWorker>d__49.MoveNext () [0x000ca] in <25ebe1083eaf4329b5adfdd5bbb7aa57>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.HttpClient+<GetStringAsync>d__54.MoveNext () [0x0007d] in <25ebe1083eaf4329b5adfdd5bbb7aa57>:0
--- End of stack trace from previous location where exception was thrown ---
at Guldasta.Gen+<GetMenuItems>d__86.MoveNext () [0x00045] in E:\05_Xamarin_Projects\GuldastaApp\Guldasta\Guldasta\Guldasta\General\Gen.cs:62
--- End of managed Javax.Net.Ssl.SSLHandshakeException stack trace ---
javax.net.ssl.SSLHandshakeException: Chain validation failed
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:1477)
at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:1423)
at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:1367)
at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:219)
at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:142)
at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:104)
at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:392)
at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:325)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:489)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:131)
at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.connect(DelegatingHttpsURLConnection.java:89)
at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect(Unknown Source:0)
Caused by: java.security.cert.CertificateException: Chain validation failed
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:788)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:612)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:633)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:678)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:499)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:422)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:343)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:203)
at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:607)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
... 12 more
Caused by: java.security.cert.CertPathValidatorException: OCSP response does not include a response for a certificate supplied in the OCSP request
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:225)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at com.android.org.conscrypt.DelegatingCertPathValidator.engineValidate(DelegatingCertPathValidator.java:44)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:301)
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:784)
... 24 more
Caused by: java.security.cert.CertPathValidatorException: OCSP response does not include a response for a certificate supplied in the OCSP request
at sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:416)
at sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:709)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:363)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 30 more
Suppressed: java.security.cert.CertPathValidatorException: Could not determine revocation status
at sun.security.provider.certpath.RevocationChecker.buildToNewKey(RevocationChecker.java:1092)
at sun.security.provider.certpath.RevocationChecker.verifyWithSeparateSigningKey(RevocationChecker.java:910)
at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:577)
at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:465)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:394)
... 32 more
Does anyone have an idea how to solve this issue?
This works for Android:
// Code for disabling SSL certificate validation.
using Javax.Net.Ssl;
using System.Net.Http;

internal class BypassHostnameVerifier : Java.Lang.Object, IHostnameVerifier
{
    // Accepts every hostname, so the certificate subject is never compared to the URL.
    public bool Verify(string hostname, ISSLSession session)
    {
        return true;
    }
}

internal class BypassSslValidationClientHandler : Xamarin.Android.Net.AndroidClientHandler
{
    // Insecure socket factory: no chain validation at all, so the failing OCSP check is skipped too.
    protected override SSLSocketFactory ConfigureCustomSSLSocketFactory(HttpsURLConnection connection)
    {
        return Android.Net.SSLCertificateSocketFactory.GetInsecure(1000, null);
    }

    protected override IHostnameVerifier GetSSLHostnameVerifier(HttpsURLConnection connection)
    {
        return new BypassHostnameVerifier();
    }
}

// Pass the handler to the HttpClient used for the requests.
var handler = new BypassSslValidationClientHandler();
using (HttpClient client = new HttpClient(handler))
{
    // ... send requests with client
}
Use this handler in the HTTP request.
Note: this is a temporary workaround; you should fix this issue on the server side (API side).
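The bypass above removes the exact check that failed in the stack trace. As an added example (not from the post), the Python below rebuilds that check with the `cryptography` package (assumed installed): a constructed CA, two leaf certificates and a stapled OCSP response, showing that a staple built for a different certificate (for instance the pre-renewal one) never matches the served leaf, which is what a strict validator reports as "does not include a response for a certificate supplied in the OCSP request".

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _utcnow():
    # Naive UTC datetimes are accepted by every cryptography release.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Constructed test CA: private key plus self-signed certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name("Constructed Test CA"))
        .issuer_name(_name("Constructed Test CA"))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """Constructed server certificate; every call gets a fresh key and serial."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = _utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(_name(hostname))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )


def build_staple(cert, ca_cert, ca_key):
    """DER 'good' OCSP response for `cert`, as a server would staple it.
    Signed directly with the CA key to keep the example short."""
    now = _utcnow()
    response = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=now, next_update=now + datetime.timedelta(days=7),
            revocation_time=None, revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
        .sign(ca_key, hashes.SHA256())
    )
    return response.public_bytes(serialization.Encoding.DER)


def staple_covers_leaf(staple_der, leaf, issuer):
    """The check behind the Android error: the staple must carry a SingleResponse
    whose CertID (issuer name hash, issuer key hash, serial) equals the CertID
    the client would place in its own OCSP request for `leaf`."""
    resp = ocsp.load_der_ocsp_response(staple_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    expected = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1()).build()
    # cryptography exposes the (single) SingleResponse through these attributes;
    # a stapled response normally carries exactly one.
    matches = (
        resp.serial_number == expected.serial_number
        and resp.issuer_name_hash == expected.issuer_name_hash
        and resp.issuer_key_hash == expected.issuer_key_hash
    )
    return matches and resp.certificate_status == ocsp.OCSPCertStatus.GOOD


def demo():
    """Returns (fresh staple accepted, stale staple accepted)."""
    ca_key, ca_cert = make_ca()
    previous = issue_leaf(ca_key, ca_cert, "api.example.test")  # certificate before renewal
    current = issue_leaf(ca_key, ca_cert, "api.example.test")   # renewed certificate now served
    fresh_ok = staple_covers_leaf(build_staple(current, ca_cert, ca_key), current, ca_cert)
    # Staple still generated for the old certificate: the serial differs, so no
    # SingleResponse matches the served leaf and a strict validator rejects the chain.
    stale_ok = staple_covers_leaf(build_staple(previous, ca_cert, ca_key), current, ca_cert)
    return fresh_ok, stale_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run against a live server, the same comparison can be made on the output of `openssl s_client -status`, which prints the stapled response's serial next to the served certificate.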

How to consume a local HTTPS ASP.NET Core 2.1 API from Android and iOS simulators

I'm working on a Xamarin.Forms app that needs to consume some data exposed by an ASP.NET Core 2.1 API. I'm developing both the service and the Xamarin app, so everything is running locally on macOS.
The problem I'm facing happens when sending a request to the ASP.NET Core API. It seems to be related to the HTTPS protocol enabled by default in ASP.NET Core 2.1: when I run the API it enables the URL https://localhost:5001 by default, so that is the URL I'm targeting in the Xamarin app.
In Android I can send the request to the API, but once the response is sent back, the Xamarin app throws the following exception:
Error in AppLoginViewModel.Login Javax.Net.Ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. ---> Java.Security.Cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. ---> Java.Security.Cert.CertPathValidatorException: Trust anchor for certification path not found.
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at Java.Interop.JniEnvironment+InstanceMethods.CallVoidMethod (Java.Interop.JniObjectReference instance, Java.Interop.JniMethodInfo method, Java.Interop.JniArgumentValue* args) [0x00069] in <fb2a9245146c43afbafe6628542c6726>:0
at Java.Interop.JniPeerMembers+JniInstanceMethods.InvokeAbstractVoidMethod (System.String encodedMember, Java.Interop.IJavaPeerable self, Java.Interop.JniArgumentValue* parameters) [0x00014] in <fb2a9245146c43afbafe6628542c6726>:0
at Javax.Net.Ssl.HttpsURLConnectionInvoker.Connect () [0x0000a] in <9c89490198b4401e89a0f0bf9e68c7be>:0
at Xamarin.Android.Net.AndroidClientHandler+<>c__DisplayClass43_0.<ConnectAsync>b__0 () [0x0005a] in <9c89490198b4401e89a0f0bf9e68c7be>:0
at System.Threading.Tasks.Task.InnerInvoke () [0x0000f] in <5b7c58d953774179ac771c086a8fa093>:0
at System.Threading.Tasks.Task.Execute () [0x00000] in <5b7c58d953774179ac771c086a8fa093>:0
--- End of stack trace from previous location where exception was thrown ---
at Xamarin.Android.Net.AndroidClientHandler+<DoProcessRequest>d__45.MoveNext () [0x0012e] in <9c89490198b4401e89a0f0bf9e68c7be>:0
--- End of stack trace from previous location where exception was thrown ---
at Xamarin.Android.Net.AndroidClientHandler+<SendAsync>d__40.MoveNext () [0x00230] in <9c89490198b4401e89a0f0bf9e68c7be>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.HttpClient+<SendAsyncWorker>d__49.MoveNext () [0x000ca] in <006b95df38b04983b2ec7f1bf1c32608>:0
--- End of stack trace from previous location where exception was thrown ---
at AuditoriasCiudadanas.Mobile.Core.Services.RestService+<Seguridad_ValidarEmailAuditorAsync>d__16.MoveNext () [0x00184] in /Users/jorgeramirez/VSProjects/AuditoriasCiudadanas.Mobile/src/AuditoriasCiudadanas.Mobile.Core/Services/RestService.cs:242
--- End of stack trace from previous location where exception was thrown ---
at AuditoriasCiudadanas.Mobile.Core.Services.AuthService+<ValidarEmailAuditor>d__6.MoveNext () [0x0002b] in /Users/jorgeramirez/VSProjects/AuditoriasCiudadanas.Mobile/src/AuditoriasCiudadanas.Mobile.Core/Services/AuthService.cs:28
--- End of stack trace from previous location where exception was thrown ---
at AuditoriasCiudadanas.Mobile.Core.ViewModels.AppForgotPasswordViewModel+<ValidarEmail>d__27.MoveNext () [0x0006f] in /Users/jorgeramirez/VSProjects/AuditoriasCiudadanas.Mobile/src/AuditoriasCiudadanas.Mobile.Core/ViewModels/AppForgotPasswordViewModel.cs:82
--- End of managed Javax.Net.Ssl.SSLHandshakeException stack trace ---
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:229)
at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)
at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)
at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:224)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:461)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:127)
at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.connect(DelegatingHttpsURLConnection.java:89)
at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:26)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:661)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:539)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:495)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:418)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:339)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:208)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
... 12 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 24 more
In iOS the behavior is the same; the Xamarin app throws an exception when receiving the response:
Error in AppLoginViewModel.Login System.Net.WebException: An SSL error has occurred and a secure connection to the server cannot be made. ---> Foundation.NSErrorException: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x7fce57040e00) s: localhost i: localhost>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://localhost:5001/api/auth, NSErrorFailingURLStringKey=https://localhost:5001/api/auth NSUnderlyingError=0x600001fccc60 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x6000023ce400>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x7fce57040e00) s: localhost i: localhost>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <31AF1DE2-4C56-4480-9F1D-0E9B7C7B8D9A>.<1>"
), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <31AF1DE2-4C56-4480-9F1D-0E9B7C7B8D9A>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x6000023ce400>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
--- End of inner exception stack trace ---
at System.Net.Http.NSUrlSessionHandler+<SendAsync>d__29.MoveNext () [0x001c3] in /Users/builder/jenkins/workspace/xamarin-macios/xamarin-macios/src/Foundation/NSUrlSessionHandler.cs:202
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Http.HttpClient+<SendAsyncWorker>d__48.MoveNext () [0x00080] in /Users/builder/jenkins/workspace/xamarin-macios/xamarin-macios/external/mono/mcs/class/System.Net.Http/System.Net.Http/HttpClient.cs:276
--- End of stack trace from previous location where exception was thrown ---
at AuditoriasCiudadanas.Mobile.Core.Services.RestService+<Seguridad_ValidarEmailAuditorAsync>d__16.MoveNext () [0x00184] in /Users/me/RestService.cs:242
--- End of stack trace from previous location where exception was thrown ---
at AuditoriasCiudadanas.Mobile.Core.Services.AuthService+<ValidarEmailAuditor>d__6.MoveNext () [0x0002b] in /Users/me/AuthService.cs:28
--- End of stack trace from previous location where exception was thrown ---
at AuditoriasCiudadanas.Mobile.Core.ViewModels.AppForgotPasswordViewModel+<ValidarEmail>d__27.MoveNext () [0x0006f] in /Users/me/AppForgotPasswordViewModel.cs:82
Is it not possible to debug locally using HTTPS? What do I need to change to be able to debug the mobile app and the API at the same time?
I would appreciate your help.
I had the same problem.
I solved it with the Conveyor extension (https://keyoti.com/products/conveyor/index.html?utm_source=conveyor&utm_medium=extension_moreinfo&utm_campaign=conveyor).
In .NET Core, disable SSL first (project properties => Debug).

About Spring WebClient on external onTerminate event

I'm running a Spring Boot v2.0.3 embedded Tomcat 8.5.31 web server to serve Spring WebFlux REST services.
One of those REST services calls another, external REST web service.
public Mono<ServerResponse> select(ServerRequest request) {
    return request.principal().cast(Authentication.class)
        .flatMap(principal ->
            client.get().uri(f -> buildUri(request, principal, request.queryParams(), f))
                .exchange())
        .flatMap((ClientResponse mapper) ->
            ServerResponse.status(mapper.statusCode())
                .headers(c -> mapper.headers().asHttpHeaders().forEach(c::put))
                .body(mapper.bodyToFlux(DataBuffer.class)
                        .delayElements(Duration.ofSeconds(10))
                        .doOnCancel(() -> log.error("Cancelled client"))
                        .doOnTerminate(() -> log.error("Terminated client")), DataBuffer.class))
        .doOnTerminate(() -> log.error("Termination called"));
}
If a browser calls my REST service and cancels the connection after a short while, I can see the outer "Termination called" event, and that the client was terminated too. But the client termination seems to trigger an error in Tomcat:
2018-07-25 12:50:42.860 DEBUG 12084 --- [ elastic-3] org.example.search.security.UserManager : Authorizing org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken#809aec11: Principal: cn=dv dbsearch client, ou=dbsearch, o=example, l=eb, st=unknown, c=de; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities
2018-07-25 12:50:42.864 DEBUG 12084 --- [ elastic-3] org.example.search.security.UserManager : Successfully authorized: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken#c03925ec: Principal: org.springframework.security.core.userdetails.User#809aec0e: Username: cn=dv dbsearch client, ou=dbsearch, o=example, l=eb, st=unknown, c=de; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_ADMIN
2018-07-25 12:50:45.470 ERROR 12084 --- [ctor-http-nio-4] c.d.s.s.h.SolrSelectRequestHandler : Termination called
2018-07-25 12:51:15.562 ERROR 12084 --- [ parallel-3] c.d.s.s.h.SolrSelectRequestHandler : Terminated client
2018-07-25 12:51:15.625 ERROR 12084 --- [nio-8443-exec-2] o.s.w.s.adapter.HttpWebHandlerAdapter : Unhandled failure: Eine bestehende Verbindung wurde softwaregesteuert durch den Hostcomputer abgebrochen, response already set (status=200)
2018-07-25 12:51:15.628 WARN 12084 --- [nio-8443-exec-2] o.s.h.s.r.ServletHttpHandlerAdapter : Handling completed with error: Eine bestehende Verbindung wurde softwaregesteuert durch den Hostcomputer abgebrochen
2018-07-25 12:51:15.652 ERROR 12084 --- [nio-8443-exec-2] o.a.catalina.connector.CoyoteAdapter : Exception while processing an asynchronous request
java.lang.IllegalStateException: Calling [asyncError()] is not valid for a request with Async state [DISPATCHING]
at org.apache.coyote.AsyncStateMachine.asyncError(AsyncStateMachine.java:424)
at org.apache.coyote.AbstractProcessor.action(AbstractProcessor.java:470)
at org.apache.coyote.Request.action(Request.java:431)
at org.apache.catalina.core.AsyncContextImpl.setErrorState(AsyncContextImpl.java:388)
at org.apache.catalina.connector.CoyoteAdapter.asyncDispatch(CoyoteAdapter.java:176)
at org.apache.coyote.AbstractProcessor.dispatch(AbstractProcessor.java:232)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:53)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1468)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Sorry for the German error messages; they mean "client aborted connection".
I don't really have a problem with this error message per se; it's just that my buffers in Spring's WebClient don't seem to be cleaned up (I did not reproduce this log locally, so it has different timestamps):
2018-07-23 08:44:36.892 ERROR 22707 — [reactor-http-nio-5] io.netty.util.ResourceLeakDetector : LEAK: ByteBuf.release() was not called before it's garbage-collected. See http://netty.io/wiki/reference-counted-objects.html for more information.
Recent access records:
Created at:
io.netty.buffer.PooledByteBufAllocator.newDirectBuffer(PooledByteBufAllocator.java:331)
io.netty.buffer.AbstractByteBufAllocator.directBuffer(AbstractByteBufAllocator.java:185)
So here is the question: how can I cleanly end the WebClient connection when the request to my REST service is cancelled?
I can't really say for sure about that exception message, but I know Tomcat improved this in the 8.5.x generation. Which version are you using? If you can provide a consistent way to reproduce this with a minimal application, you could create a new issue in jira.spring.io on Spring Framework, or Tomcat itself if you managed to reproduce it without Spring (although it should be a hard one to reproduce).
Now about releasing DataBuffer instances: DataBuffer instances can be pooled, depending on the implementation. Here the WebClient is using Netty, which pools buffers, so they need to be released when they're no longer used.
Looking at your implementation, I think those unreleased buffers come from this:
- the WebClient is fetching data from the remote endpoint and creating DataBuffer instances;
- various Reactor operators along the way are buffering those using internal queues (depending on the prefetching and the operators used, the amount of queued buffers can vary);
- when the subscriber fails or cancels, those buffers sitting in internal queues are not released as they should be.
Currently Reactor does not offer a hook point to reach those objects in those error cases, but this is a brand new feature that's been added in Reactor Core 3.2.0. It will be leveraged internally by Spring Framework with SPR-17025. Please follow this issue; your use case might be handy when it comes to testing the fix.