APAR status
Closed as program error.
Error description
A MobileFirst Platform application running on an Android device that uses Android 4.4.2 or earlier cannot connect to the MobileFirst Platform Server using HTTPS if the server only offers TLS 1.2 as an SSL transport protocol. When this problem occurs, an error such as the following may be observed in the logcat log from the Android device:

05-02 10:44:16.514: W/System.err(1895): javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb8f16100: Failure in SSL library, usually a protocol error
05-02 10:44:16.524: W/System.err(1895): error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0xa8e77926:0x00000000)
05-02 10:44:16.524: W/System.err(1895): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:449)
05-02 10:44:16.524: W/System.err(1895): at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:190)
05-02 10:44:16.524: W/System.err(1895): at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:435)
05-02 10:44:16.524: W/System.err(1895): at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:382)
05-02 10:44:16.524: W/System.err(1895): at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
05-02 10:44:16.534: W/System.err(1895): at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
05-02 10:44:16.534: W/System.err(1895): at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
05-02 10:44:16.534: W/System.err(1895): at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
05-02 10:44:16.534: W/System.err(1895): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
05-02 10:44:16.534: W/System.err(1895): at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
05-02 10:44:16.534: W/System.err(1895): at com.worklight.wlclient.WLRequestSender.run(WLRequestSender.java:47)
05-02 10:44:16.534: W/System.err(1895): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
05-02 10:44:16.534: W/System.err(1895): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
05-02 10:44:16.534: W/System.err(1895): at java.lang.Thread.run(Thread.java:841)
05-02 10:44:16.534: W/System.err(1895): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb8f16100: Failure in SSL library, usually a protocol error
05-02 10:44:16.534: W/System.err(1895): error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0xa8e77926:0x00000000)
05-02 10:44:16.534: W/System.err(1895): at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
05-02 10:44:16.534: W/System.err(1895): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:406)
05-02 10:44:16.534: W/System.err(1895): ... 13 more
Local fix
In the native Android code of the MobileFirst Platform hybrid application, in the "onCreate()" method in the application's main activity, it is possible to replace the default SSLSocketFactory provided by Android with one that enables TLS 1.2, immediately after the call to "WL.createInstance(this)", in order to accommodate the use of TLS 1.2 with Android versions 4.4.2 and earlier. Specific steps and code to accomplish this are beyond the scope of this APAR.
Problem summary
USERS AFFECTED:
All users on 6.2 to 8.0 using TLS on Android

PROBLEM DESCRIPTION:
When trying to connect to a server enabled with TLS1.2 from an Android device with OS 4.2, the application fails to connect. The reason for the issue is that, by default, TLS1.2 is not enabled on Android devices with OS 4.2 and lower.

RECOMMENDATION:
-
Problem conclusion
The issue is resolved by programmatically enabling TLS on Android devices with OS <4.2.
Temporary fix
Comments
APAR Information
APAR number
PI64093
Reported component name
MOBILE1ST PLATF
Reported component ID
5725I4301
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-06-13
Closed date
2016-12-07
Last modified date
2016-12-07
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MOBILE1ST PLATF
Fixed component ID
5725I4301
Applicable component levels
R620 PSY
UP
R630 PSY
UP
R700 PSY
UP
R710 PSY
UP
R800 PSY
UP
Document Information
Modified date:
07 December 2016