PatrickZhang
Joined: Mar 24, 2020
Messages: 15
Problem Description
We received a report from a customer, CMB bank, that our CSDK ver 3.6.1.0 does NOT verify the hostname when establishing an HTTPS connection. As analyzed by the customer's developer team, CSDK accepts any hostname when receiving the identity cert from the server side, which is recognized as a vulnerability. The customer suggested an article for reference: "http://pingguohe.net/2016/02/26/Android-App-secure-ssl.html"

The Topology
CSDK is embedded into the customer's mobile App to provide WebRTC-based voice communication. After requesting the AAWG Token service in the UAT system, or the customer-provided token service in the production system, CSDK sends HTTPS to the SBC, and then to Breeze to save the related call info to CS; then AAWG sets up the voice channel through SIP with the SBC/SM participant, and CSDK can talk with the SBC.

Suggestion from Customer
The customer is suggesting that Avaya double check "com/avaya/ocs/Base/Rest/NullHostNameVerifier", and the article linked at the above URL, to understand what they identified.

ware16.avaya.com
Joined: Sep 23, 2019
Messages: 80
Thanks for your query!

Do you have any logs available so that we can verify where the issue is?

The link provided ("http://pingguohe.net/2016/02/26/Android-App-secure-ssl.html") is in Chinese; do you have any other link that explains the issue better in English?


Thanks,
Avaya DevConnect Team
PatrickZhang
Joined: Mar 24, 2020
Messages: 15
May I know if the client log is necessary for troubleshooting? The customer uses a certain security tool to scan our SDK and finds this issue.

PatrickZhang
Joined: Mar 24, 2020
Messages: 15
Dear support,

I made an HTTP call through CSDK 3.6.1.0; please find the log file attached.
Attachment: CrashLog-OceanaReferenceClient-2.log
ware16.avaya.com
Joined: Sep 23, 2019
Messages: 80
Hi,

Thanks for the logs!

Looks like hostname validation is working properly as per the logs below:

04-28 10:05:13.787 D/AvayaClientServices( 7652): AndroidHostnameValidator.validateHostname() Looking for SubjectAltName in CN=*.cdcc.cmbchina.com,O=China Merchants Bank Co.\, Ltd,L=Shenzhen,ST=Guangdong Province,C=CN
04-28 10:05:13.789 D/AvayaClientServices( 7652): AndroidCertificateProviderJNI::MapOSErrorCodesToCSDKErrorCodes(): Certificate validation failed due to CertificateIdentityValidationException.
04-28 10:05:13.789 D/AvayaClientServices( 7652): Hostname avavoice.cdcc.cmbchina.com was successfully matched with *.cdcc.cmbchina.com
04-28 10:05:13.789 I/AvayaClientServices( 7652): [SECURITY] INFO AndroidCertificateProviderJNI::InternalEvaluateTrust(): [Request id = 2] Hostname validation is successful after applying wildcard matching rules.
04-28 10:05:13.789 D/AvayaClientServices( 7652): Ending thread 547481031760 (Certificate Validation Thread)
04-28 10:05:13.791 D/AvayaClientServices( 7652): CAppCertificateManager::OnCertificateValidationResult()
04-28 10:05:13.791 I/AvayaClientServices( 7652): [SECURITY] INFO CCertificateManagerSecurityLogger::LogCertificateValidationResult(): [Request id = 2] Certificate validation passed.

Could you please elaborate more on:
1. What steps is the user doing to reproduce the issue?
2. What tool/software is the user using to verify the problem?
3. What error is seen by the user? Is it in the logs?

Also, the Client SDK version you are using is 4.4 which is too old. Please use the latest Client SDK version and check if the issue is seen.

Thanks,
Sagar
PatrickZhang
Joined: Mar 24, 2020
Messages: 15
The customer noticed "NullHostNameVerifier" in our SDK and wants to know if and how this "NullHostNameVerifier" will be used, and in which scenario.
Thanks!
PatrickZhang
Joined: Mar 24, 2020
Messages: 15
Dear support,

In the SDK log, you can see that the "NullHostNameVerifier" was actually used during the HTTPS session; please find the details in the attached picture.

Customer wants to know the reason and what "NullHostNameVerifier" actually did.

Thanks!
Attachment: WechatIMG19.png
ware16.avaya.com
Joined: Sep 23, 2019
Messages: 80
Hi,

Thanks for the details!

04-28 10:05:25.086 D/NullHostNameVerifier( 7652): Approving certificate for avavoice.cdcc.cmbchina.com
04-28 10:05:25.086 D/NullHostNameVerifier( 7652): Session TLSv1.2 avavoice.cdcc.cmbchina.com

It does not look like CSDK code. An application is trying something to verify the hostname in the CSDK context.

We recommend checking the application code.

Thanks,
Avaya DevConnect Team
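As an added illustration (not CSDK, Reference Client or WebRTCConnect SDK code) of what a verifier that logs "Approving certificate for <host>" and then accepts the session does, and of how an app can detect such a verifier at start-up. The class NullHostNameVerifierLike is a reconstruction from the log lines above, not the actual class; the audit assumes Android's javax.net.ssl defaults, where HttpsURLConnection.getDefaultHostnameVerifier() performs RFC 2818 host matching (including the wildcard rule that matched avavoice.cdcc.cmbchina.com against *.cdcc.cmbchina.com earlier in this thread).

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/** Reconstruction (assumption) of an accept-all verifier: the requested host is never
 *  compared with the SAN/CN entries of the certificate the server presented. */
final class NullHostNameVerifierLike implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        System.out.println("Approving certificate for " + hostname); // mirrors the log line
        return true;   // any name is accepted, so a valid cert for another host passes
    }
}

/** Audit helper added for this thread; not SDK code. */
public final class HostnameVerifierAudit {
    // Captured once, before any library has a chance to replace the process-wide default.
    private static final HostnameVerifier PLATFORM =
            HttpsURLConnection.getDefaultHostnameVerifier();

    /** True if someone installed a custom verifier on this connection. */
    static boolean isOverridden(HttpsURLConnection conn) {
        return conn.getHostnameVerifier() != PLATFORM;
    }

    /** Detect an accept-all verifier without a live TLS session: a real verifier needs the
     *  peer certificates from the session and must fail closed when it cannot get them, so
     *  returning true here for a name no certificate can carry means nothing is checked. */
    static boolean acceptsAnything(HostnameVerifier v) {
        try {
            return v.verify("invalid..hostname.test", null);
        } catch (RuntimeException e) {
            return false;  // strict verifiers throw or return false on a missing session
        }
    }

    public static void main(String[] args) {
        HostnameVerifier suspect = new NullHostNameVerifierLike();
        System.out.println("NullHostNameVerifierLike accepts anything: "
                + acceptsAnything(suspect));   // true: this is the vulnerable behaviour
        System.out.println("Platform verifier accepts anything: "
                + acceptsAnything(PLATFORM));  // false on Android
        // Remediation is to not install a verifier at all (keep the platform default);
        // run acceptsAnything() against the installed default in a unit test to catch regressions.
        HostnameVerifier installed = HttpsURLConnection.getDefaultHostnameVerifier();
        if (acceptsAnything(installed)) {
            throw new IllegalStateException("accept-all HostnameVerifier installed as default");
        }
    }
}
```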
PatrickZhang
Joined: Mar 24, 2020
Messages: 15
Dear support,

This is a log file downloaded from the Avaya Reference Client, not the customer application; we found the "NullHostNameVerifier" in the Ref Client log. I don't know how to explain to the customer that it does not belong to CSDK code.

May I trouble you again to identify whether our CSDK has "NullHostNameVerifier" code?

Thanks!
PatrickZhang
Joined: Mar 24, 2020
Messages: 15
Dear support,

May I have your answer on this query? This is a critical question from the biggest commercial bank of GC. Thanks!
ware16.avaya.com
Joined: Sep 23, 2019
Messages: 80
Hi,

I have forwarded the query to the Reference Client Team and they are looking into it.
Will get back to you once we hear something from the Reference Client team.
Thanks,
Avaya DevConnect Team.
PatrickZhang
Joined: Mar 24, 2020
Messages: 15
Dear support,

Any feedback from the Ref Client team? Thanks!
AlokKulkarni
Joined: Jan 5, 2017
Messages: 30
Hi Patrick,
From the logs, it seems that you are not using ClientSDK directly but the WebRTCConnect SDK, previously known as the Oceana WebRTC Voice and Video SDK. Can you please let us know the version of the library that you are using?

Regards,
Avaya DevConnect Team
PatrickZhang
Joined: Mar 24, 2020
Messages: 15
Dear support,

It's Reference Client version 3.6.1.0-2.
Attachment: OceanaWebRTCRefClient.jpg
AlokKulkarni
Joined: Jan 5, 2017
Messages: 30
Hello Patrick,
We will provide a fix for that issue in our next release. Please note that the version you are using is quite old and no longer maintained. We request that you set up your project using the SDK provided here in the meanwhile:
https://www.devconnectprogram.com/site/global/products_resources/webrtc_connect/overview/index.gsp
We will be giving a fix on top of version 4.0.1.
Regards,
Avaya DevConnect Team