Apollo client error Android 7.0 #3571

Closed
alumichael opened this issue Nov 18, 2021 · 19 comments
Labels
⌛ Waiting for info More information is required ❓ Type: Question

Comments

@alumichael

Summary
Hello everyone, I observed the apollo client library is not working for android 7.0

Version
using apollo library version 2.5.10

Description
On installing the app on android 7.0, doing a query, I got this error below
I/System.out: close [socket][/192.168.43.21:59851]
I/ApollosError: Failed to execute http call for operation 'GetAllFeedEntries'
D/NativeCrypto: ssl=0xaaf2c1c0 NativeCrypto_SSL_interrupt

Please, what can I do?

@martinbonnin
Contributor

Hi 👋! Thanks for reaching out! That looks like an SSL error? Can you share the full stacktrace from the error?

Also, it looks like you're trying to connect to a local server at IP 192.168.43.21? Maybe this server uses a self-signed certificate? If that's the case, you will need to configure OkHttp to accept your self-signed certificate. There's more info here for an example: https://www.baeldung.com/okhttp-self-signed-cert

@alumichael
Author

Thanks, below are the detail..

2021-11-18 11:59:58.476 1712-5755/com.techvibe.studylabteacher D/libc-netbsd: getaddrinfo: sites.techvibesltd.com get result from proxy gai_error = 0
2021-11-18 11:59:58.478 1712-5755/com.techvibe.studylabteacher I/System.out: [socket][7] connection sites.techvibesltd.com/69.167.190.92:443;LocalPort=-1(10000)
2021-11-18 12:00:00.165 1712-1804/com.techvibe.studylabteacher D/GraphicBuffer: register, handle(0xa4b22fd0) (w:480 h:854 s:480 f:0x1 u:0x000f02)
2021-11-18 12:00:00.211 1712-5755/com.techvibe.studylabteacher I/System.out: [socket][/192.168.43.21:59934] connected
2021-11-18 12:00:00.217 1712-5755/com.techvibe.studylabteacher D/NativeCrypto: ssl=0x9619f2c0 NativeCrypto_SSL_do_handshake fd=0x93272130 shc=0x93272134 timeout_millis=10000 client_mode=1 npn=0x0
2021-11-18 12:00:00.217 1712-5755/com.techvibe.studylabteacher D/NativeCrypto: ssl=0x9619f2c0 info_callback calling handshakeCompleted
2021-11-18 12:00:02.686 1712-5755/com.techvibe.studylabteacher D/NativeCrypto: ssl=0x9619f2c0 cert_verify_callback => 0
2021-11-18 12:00:02.686 1712-5755/com.techvibe.studylabteacher D/OpenSSLLib: OpensslErr:Module:16(125:); file:external/boringssl/src/ssl/s3_clnt.c ;Line:2089;Function:ssl3_verify_server_cert
2021-11-18 12:00:02.687 1712-5755/com.techvibe.studylabteacher D/NativeCrypto: ssl=0x9619f2c0 NativeCrypto_SSL_do_handshake exception => 0
2021-11-18 12:00:02.688 1712-5755/com.techvibe.studylabteacher I/System.out: close [socket][/192.168.43.21:59934]
2021-11-18 12:00:02.691 1712-1712/com.techvibe.studylabteacher I/ApollosError: Failed to execute http call for operation 'GetAllFeedEntries'

@alumichael
Author

Still on this, I don't know if this looks like local server

@alumichael
Author

Here is my client method and header
fun apolloClient(context: Context): ApolloClient {
    return ApolloClient.builder()
        .serverUrl("https://sites.techvibesltd.com/web/api/")
        .okHttpClient(OkHttpClient.Builder()
            .addInterceptor(AuthorizationInterceptor(context))
            .build()
        )
        .build()
}

private class AuthorizationInterceptor(val context: Context): Interceptor {
    override fun intercept(chain: Interceptor.Chain): Response {
        val request = chain.request().newBuilder()
            .addHeader("Authorization", "XXXXXXXXX" ?: "")
            .build()

        return chain.proceed(request)
    }
}

@alumichael
Author

> Hi 👋! Thanks for reaching out! That looks like an SSL error? Can you share the full stacktrace from the error?
>
> Also, it looks like you're trying to connect to a local server at IP 192.168.43.21? Maybe this server uses a self-signed certificate? If that's the case, you will need to configure OkHttp to accept your self-signed certificate. There's more info here for an example: https://www.baeldung.com/okhttp-self-signed-cert

This works on other android API like 8,10....

@martinbonnin
Contributor

> This works on other android API like 8,10....

That sounds awfully like square/okhttp#2372

Another option would be to update your security provider in case a root certificate is not present on this device? https://developer.android.com/training/articles/security-gms-provider?authuser=1 ?

@martinbonnin
Contributor

martinbonnin commented Nov 18, 2021

Dumping the connection info shows TLS1.2 indeed:

$ openssl s_client -servername sites.techvibesltd.com -connect sites.techvibesltd.com:443 

---
SSL handshake has read 3188 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: CB0500006E4E8FA3734E44FCCCAA9B0251F7AEC85599D685C9DDCB8A385A4B1D
    Session-ID-ctx: 
    Master-Key: 3B3FDC4D7385C14ABB1D55C3A49796998A5DB1865661DA3FB9C404C3BEF4735FB7ABFBA6DC1F390F5E8990ECF790604B
    Start Time: 1637234627
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

I'm not too well versed in the SSL/TLS details but that's another thing pointing at older versions of Android not supporting TLS1.2 by default. There are a number of suggestions in that other issue worth trying. Maybe try this one ?

@alumichael
Author

Thanks so much @martinbonnin, but this API version is still very much higher than lollipop (v5.0), the solution above addresses pre-lollipop.

@alumichael
Author

Another thing I have observed was that this same device can successfully make retrofit okhttp calls.

@alumichael
Author

Screen Shot 2021-11-18 at 1 05 37 PM

I think this API version (API 25) supports TLSv1.2

@martinbonnin
Contributor

martinbonnin commented Nov 18, 2021

Trying to run a query against https://sites.techvibesltd.com/web/api/ on an apiLevel=24 emulator, I get the following stacktrace:

com.apollographql.apollo.exception.ApolloNetworkException: Failed to execute http call for operation 'GetPing'
    at com.apollographql.apollo.internal.interceptor.ApolloServerInterceptor$executeHttpCall$1.onFailure(ApolloServerInterceptor.kt:107)
    at okhttp3.RealCall$AsyncCall.execute(RealCall.java:211)
    at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    at java.lang.Thread.run(Thread.java:761)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:320)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:284)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:169)
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258)
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:127)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:257)
    at okhttp3.RealCall$AsyncCall.execute(RealCall.java:201)
	... 4 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
    at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:508)
    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401)
    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375)
    at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304)
    at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
    at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
    at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178)
    at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596)
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
	... 23 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
	... 34 more

So I'd bet for a missing root certificate somewhere although the fact that retrofit is running would contradict that. Is retrofit using the same url (https://sites.techvibesltd.com/web/api/) ? If yes, can you try passing the exact same okHttpClient to both Apollo and Retrofit?

@alumichael
Author

alumichael commented Nov 18, 2021 via email

@alumichael
Author

I will relate this to my team mates, or what exactly can I do?

@martinbonnin
Contributor

Did you try updating your security provider as described there: https://developer.android.com/training/articles/security-gms-provider?authuser=1 ?

ProviderInstaller.installIfNeeded(context)

@martinbonnin martinbonnin added the ⌛ Waiting for info More information is required label Nov 19, 2021
@alumichael
Author

alumichael commented Nov 19, 2021 via email

@martinbonnin
Contributor

Hi 👋 How did that meeting go? Were you able to fix this issue?

@martinbonnin
Contributor

@alumichael Did you end up finding a solution for this?

@rafaneri

> @alumichael Did you end up finding a solution for this?

Change the hostnameVerifier

OkHttpClient.Builder()
            .addInterceptor(AuthorizationInterceptor())
            .hostnameVerifier { hostname, session -> true }
            .build()
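
The stack trace earlier in the thread fails in the trust manager ("Trust anchor for certification path not found"), which is a separate check from hostname verification. As an added example (not code from this thread or from Apollo), one way to build an OkHttp client that accepts one additional CA certificate on top of the platform roots while leaving hostname verification at its default; `clientTrustingExtraCa`, `PlatformPlusExtraCa`, `trustManagerFor` and the bundled CA stream are assumptions made for illustration.

```kotlin
import java.io.InputStream
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

// Returns the X509TrustManager for a key store (null selects the platform trust store).
private fun trustManagerFor(keyStore: KeyStore?): X509TrustManager {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(keyStore)
    return tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
}

// Hypothetical helper: tries the platform roots first, then one CA shipped with the app.
private class PlatformPlusExtraCa(
    private val platform: X509TrustManager,
    private val extra: X509TrustManager
) : X509TrustManager {
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) =
        platform.checkClientTrusted(chain, authType)
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
        try {
            platform.checkServerTrusted(chain, authType)
        } catch (e: CertificateException) {
            // Chain does not end in a platform root: accept it only if it
            // validates against the bundled CA; otherwise this call throws as well.
            extra.checkServerTrusted(chain, authType)
        }
    }
    override fun getAcceptedIssuers(): Array<X509Certificate> =
        platform.acceptedIssuers + extra.acceptedIssuers
}

// caCert: stream of the CA certificate (PEM or DER), e.g. a raw resource (assumption).
fun clientTrustingExtraCa(caCert: InputStream): OkHttpClient {
    val ca = caCert.use { CertificateFactory.getInstance("X.509").generateCertificate(it) }
    val extraStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)                      // start from an empty in-memory store
        setCertificateEntry("extra-ca", ca)   // the only anchor in this store
    }
    val trustManager = PlatformPlusExtraCa(trustManagerFor(null), trustManagerFor(extraStore))
    val sslContext = SSLContext.getInstance("TLS").apply { init(null, arrayOf<TrustManager>(trustManager), null) }
    // No hostnameVerifier override: OkHttp's default hostname check stays in place.
    return OkHttpClient.Builder().sslSocketFactory(sslContext.socketFactory, trustManager).build()
}
```

The returned client can be passed to `ApolloClient.builder().okHttpClient(...)` in the same way as the client shown earlier in the thread.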
