Skip to content

Use NetCipher for handling TLS compatibility #7175

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mqus wants to merge 1 commit into from
Closed

Use NetCipher for handling TLS compatibility #7175

mqus wants to merge 1 commit into from

Conversation

@mqus
Copy link
Contributor

@mqus mqus commented Sep 26, 2021
edited
Loading

What is it?

  • Bugfix (user facing)
  • Feature (user facing)
  • Codebase improvement (dev facing)
  • Meta improvement to the project (dev facing)

Description of the changes in your PR

This (somewhat) fixes #2898 by using netcipher(https://guardianproject.info/code/netcipher/) for handling TLS connections. It has the nice benefit that we can remove a lot of code on our side for handling Android Kitkat.

A small downside is that Netcipher keeps TLS1.1 and 1.0 enabled for Android 19-23 at the moment while 1.0 was disabled for kitkat before, but I don't think this is a showstopper.

You may ask why I did not use the okhttp integration of netcipher: Would be far more complex to implement (we need a Context and an Intent which is only used for Tor integration inside netcipher)

APK testing

app-debug.zip

These changes should be tested on all possible devices and versions as it impacts the whole connectivity on all platforms.
How to test? Check if the following things still work:

  • Browsing/searching youtube, media.ccc.de, framatube, soundcloud (there should be no connection error)
  • Viewing/hearing media from youtube, media.ccc.de, framatube, soundcloud (should load and display as before)
  • Downloading media/subtitles (as applicable) from all providers. (should download as before)

Due diligence

@mqus mqus force-pushed the netcipher-2nd-try branch from 52d05bb to cdead50 Compare September 26, 2021 17:13
@mqus mqus marked this pull request as draft September 26, 2021 17:13
@mqus mqus force-pushed the netcipher-2nd-try branch from cdead50 to 5b9025a Compare September 26, 2021 17:27
@mqus mqus force-pushed the netcipher-2nd-try branch from 5b9025a to 75bd5dc Compare September 26, 2021 18:25
@Redirion
Copy link
Member

Redirion commented Sep 27, 2021
edited by opusforlife2
Loading

NewPipe doesn't start on my device (Pixel 4a, Android 11).
From the name of the exception I would guess that NetCipher doesn't work on Android10+

09-27 14:14:20.516  1704  1879 I ActivityManager: Start proc 23355:org.schabi.newpipe.debug.netcipher2ndtry:acra/u0a395 for service {org.schabi.newpipe.debug.netcipher2ndtry/org.acra.sender.JobSenderService}
09-27 14:14:21.498 23355 23355 E AndroidRuntime: FATAL EXCEPTION: main
09-27 14:14:21.498 23355 23355 E AndroidRuntime: Process: org.schabi.newpipe.debug.netcipher2ndtry:acra, PID: 23355
09-27 14:14:21.498 23355 23355 E AndroidRuntime: java.lang.RuntimeException: Unable to create application org.schabi.newpipe.DebugApp: java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class info.guardianproject.netcipher.client.TlsOnlySocketFactory
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6724)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at android.app.ActivityThread.access$1300(ActivityThread.java:237)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1913)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:106)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:223)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at android.app.ActivityThread.main(ActivityThread.java:7664)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at java.lang.reflect.Method.invoke(Native Method)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:592)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:947)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: Caused by: java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class info.guardianproject.netcipher.client.TlsOnlySocketFactory
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at okhttp3.internal.platform.Platform.buildCertificateChainCleaner(Platform.java:182)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at okhttp3.OkHttpClient$Builder.sslSocketFactory(OkHttpClient.java:768)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at org.schabi.newpipe.DownloaderImpl.<init>(DownloaderImpl.java:43)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at org.schabi.newpipe.DownloaderImpl.init(DownloaderImpl.java:59)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at org.schabi.newpipe.DebugApp.getDownloader(DebugApp.kt:30)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at org.schabi.newpipe.App.onCreate(App.java:100)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at org.schabi.newpipe.DebugApp.onCreate(DebugApp.kt:13)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1192)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6719)
09-27 14:14:21.498 23355 23355 E AndroidRuntime: 	... 8 more

@mqus
Copy link
Contributor Author

mqus commented Sep 30, 2021

I actually get the same error on Kitkat, so I still have work to do :D. I just did not came around to logcat the error until now.

@Redirion Redirion mentioned this pull request Oct 1, 2021
Closed
1 task
@litetex litetex added the waiting for author If the author doesn't respond, the issue will be auto-closed. Otherwise the label will be removed. label Oct 20, 2021
@litetex
Copy link
Member

litetex commented Oct 20, 2021
edited
Loading

Added the "wait-for-author" label since there is no progress since >=3 weeks.
And there are conflicts...

This was referenced Nov 4, 2021
Closed
Closed
@litetex
Copy link
Member

litetex commented Nov 15, 2021

Superseded by #7372

@litetex litetex closed this Nov 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

waiting for author If the author doesn't respond, the issue will be auto-closed. Otherwise the label will be removed.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Deprecate TLS 1.1

3 participants

@mqus @Redirion @litetex