Forum Index » Avaya Client SDK - General » Client SDK 3.6.1.0 does not verify hostname in HTTPS session
PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

Problem Description
We received a report from our customer, CMB bank, that our CSDK ver 3.6.1.0 does NOT verify the hostname when establishing an HTTPS connection. As analyzed by the customer's developer team, CSDK accepts any hostname when receiving the identity cert from the server side, which is recognized as a vulnerability. The customer suggested an article for reference: "http://pingguohe.net/2016/02/26/Android-App-secure-ssl.html"

The Topology
CSDK is embedded into the customer's mobile App to provide WebRTC-based voice communication. After requesting the AAWG Token service in the UAT system, or the customer-provided token service in the production system, CSDK sends HTTPS to SBC, and then to Breeze to save related call info to CS; then AAWG sets up the voice channel through SIP with the participant of SBC/SM, and then CSDK can talk with SBC.

Suggestion from Customer
The customer is suggesting that Avaya double-check "com/avaya/ocs/Base/Rest/NullHostNameVerifier", and the article linked in the above URL, to understand what they identified.

ware16.avaya.com (Joined: 23/09/2019 00:26:26, Messages: 73)

Thanks for your query!

Do you have any logs available so that we can verify where the issue is?

The link provided ("http://pingguohe.net/2016/02/26/Android-App-secure-ssl.html") is in Chinese; do you have any other link which explains the issue better in English?


Thanks,
Avaya DevConnect Team

PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

May I know if the client log is necessary for troubleshooting? The customer uses a certain security tool to scan our SDK, and found this issue.

PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

Dear support,

I made an HTTP call through CSDK 3.6.1.0; attached please find the log file.

Attachment: CrashLog-OceanaReferenceClient-2.log (log of CSDK 3.6.0.1, 308 Kbytes)

ware16.avaya.com (Joined: 23/09/2019 00:26:26, Messages: 73)

Hi,

Thanks for the logs!

Looks like host name validation is working properly as per the logs below:

04-28 10:05:13.787 D/AvayaClientServices( 7652): AndroidHostnameValidator.validateHostname() Looking for SubjectAltName in CN=*.cdcc.cmbchina.com,O=China Merchants Bank Co.\, Ltd,L=Shenzhen,ST=Guangdong Province,C=CN
04-28 10:05:13.789 D/AvayaClientServices( 7652): AndroidCertificateProviderJNI::MapOSErrorCodesToCSDKErrorCodes(): Certificate validation failed due to CertificateIdentityValidationException.
04-28 10:05:13.789 D/AvayaClientServices( 7652): Hostname avavoice.cdcc.cmbchina.com was successfully matched with *.cdcc.cmbchina.com
04-28 10:05:13.789 I/AvayaClientServices( 7652): [SECURITY] INFO AndroidCertificateProviderJNI::InternalEvaluateTrust(): [Request id = 2] Hostname validation is successful after applying wildcard matching rules.
04-28 10:05:13.789 D/AvayaClientServices( 7652): Ending thread 547481031760 (Certificate Validation Thread)
04-28 10:05:13.791 D/AvayaClientServices( 7652): CAppCertificateManager::OnCertificateValidationResult()
04-28 10:05:13.791 I/AvayaClientServices( 7652): [SECURITY] INFO CCertificateManagerSecurityLogger::LogCertificateValidationResult(): [Request id = 2] Certificate validation passed.

Could you please elaborate more on:
1. What steps is the user doing to reproduce the issue?
2. What tool/software is the user using to verify the problem?
3. What error is seen by the user, and whether it is in the logs?

Also, the Client SDK version you are using is 4.4, which is too old. Please use the latest Client SDK version and check if the issue is still seen.

Thanks,
Sagar

PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

The customer noticed "NullHostNameVerifier" in our SDK and wants to know if and how this "NullHostNameVerifier" will be used, and in which scenario it will be used.
Thanks!

PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

Dear support,

In the SDK log you can see that "NullHostNameVerifier" is actually used during the HTTPS session; please find the details in the attached picture.

The customer wants to know the reason, and what "NullHostNameVerifier" actually did.

Thanks!

Attachment: WechatIMG19.png (855 Kbytes)

ware16.avaya.com (Joined: 23/09/2019 00:26:26, Messages: 73)

Hi,

Thanks for the details!

04-28 10:05:25.086 D/NullHostNameVerifier( 7652): Approving certificate for avavoice.cdcc.cmbchina.com
04-28 10:05:25.086 D/NullHostNameVerifier( 7652): Session TLSv1.2 avavoice.cdcc.cmbchina.com

It does not look like CSDK code. An application is trying something to verify the hostname in the CSDK context.

We recommend checking the application code.

Thanks,
Avaya DevConnect Team
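The two behaviours discussed in this thread, the wildcard matching that the AndroidHostnameValidator log lines report ("Hostname validation is successful after applying wildcard matching rules") and a verifier that approves every certificate regardless of hostname, as the NullHostNameVerifier lines show, side by side as an added example. This is not code from the thread, the Avaya Client SDK, or the Reference Client: it is a Python implementation of RFC 6125-style dNSName matching over a constructed certificate stand-in. The `Certificate` class, `verify_identity`, `null_verifier`, `audit` and the sample names other than the hostname from the log are assumptions for illustration, and the wildcard rules are the strict variant (whole-label, leftmost only, at least two labels after the wildcard).

```python
"""Hostname verification: RFC 6125-style wildcard matching vs. a verifier that approves everything.

Added example; not code from the thread, the Avaya SDK or the Reference Client.
Certificate stand-in, sample names and helper names are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List


def _is_ip_literal(hostname: str) -> bool:
    """True for an IPv4/IPv6 address literal; wildcards must never match those."""
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def match_hostname(hostname: str, pattern: str) -> bool:
    """Return True if `pattern` (a dNSName SAN entry or subject CN) identifies `hostname`.

    Rules (a strict reading of RFC 6125 section 6.4.3):
      * comparison is case-insensitive and label-by-label;
      * a wildcard is accepted only as the whole leftmost label ("*.example.com");
      * the wildcard matches exactly one label: never zero, never across a dot;
      * a wildcard pattern needs at least two labels after "*", so "*.com"
        cannot cover every name under a top-level domain;
      * IP address literals are compared exactly, never against a wildcard.
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if not host or not pat:
        return False
    if "*" not in pat or _is_ip_literal(host):
        return host == pat
    host_labels = host.split(".")
    pat_labels = pat.split(".")
    # Reject partial wildcards ("fo*.example.com") and wildcards in any non-leftmost label.
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False
    if len(pat_labels) < 3:
        return False
    if len(host_labels) != len(pat_labels):
        return False  # "*" may not span "a.b.cdcc..." and may not match zero labels
    return host_labels[0] != "" and host_labels[1:] == pat_labels[1:]


@dataclass
class Certificate:
    """Minimal stand-in (constructed) for the identity fields of an X.509 certificate."""
    subject_cn: str
    san_dns_names: List[str] = field(default_factory=list)


def verify_identity(hostname: str, cert: Certificate) -> bool:
    """Strict verifier: match SAN dNSName entries; fall back to the subject CN only when
    the certificate carries no dNSName SAN at all (the RFC 6125 / RFC 2818 order)."""
    if cert.san_dns_names:
        return any(match_hostname(hostname, name) for name in cert.san_dns_names)
    return match_hostname(hostname, cert.subject_cn)


def null_verifier(hostname: str, cert: Certificate) -> bool:
    """The anti-pattern: every certificate is approved for every hostname.
    Chain validation may still run, but a certificate issued for any other
    name is accepted for this connection."""
    return True


Verifier = Callable[[str, Certificate], bool]


def audit(verifier: Verifier, hostname: str, certs: List[Certificate]) -> List[bool]:
    """Run one verifier over a list of certificates for the same hostname."""
    return [verifier(hostname, cert) for cert in certs]


# Constructed sample: a wildcard certificate like the one named in the thread's log,
# plus a certificate that is valid only for an unrelated domain.
HOST = "avavoice.cdcc.cmbchina.com"
WILDCARD_CERT = Certificate(subject_cn="*.cdcc.cmbchina.com",
                            san_dns_names=["*.cdcc.cmbchina.com"])
UNRELATED_CERT = Certificate(subject_cn="www.example.net",
                             san_dns_names=["www.example.net", "example.net"])

if __name__ == "__main__":
    print("strict verifier:", audit(verify_identity, HOST, [WILDCARD_CERT, UNRELATED_CERT]))  # [True, False]
    print("null verifier:  ", audit(null_verifier, HOST, [WILDCARD_CERT, UNRELATED_CERT]))    # [True, True]
```

Run stand-alone, the strict verifier returns `[True, False]` and the null verifier `[True, True]` for the same hostname: the second certificate is valid for an unrelated domain, and a client whose verifier always returns true accepts it anyway. That is why a `HostnameVerifier` whose `verify()` unconditionally returns `true` (or a log line such as "Approving certificate for ..." with no match performed) should be treated as a finding when reviewing an Android app's TLS setup, whichever library it comes from.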

PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

Dear support,

This is a log file downloaded from the Avaya Reference Client, not the customer application; we found the "NullHostNameVerifier" in the Ref Client log. I don't know how to explain to the customer that it does not belong to CSDK code.

May I trouble you again to identify whether our CSDK has "NullHostNameVerifier" code?

Thanks!

PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

Dear support,

May I have your answer on this query? This is a critical question from the biggest commercial bank of GC. Thanks!

ware16.avaya.com (Joined: 23/09/2019 00:26:26, Messages: 73)

Hi,

I have forwarded the query to the Reference Client Team and they are looking into it.
We will get back to you once we hear something from the Reference Client team.

Thanks,
Avaya DevConnect Team.

PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

Dear support,

Any feedback from the Ref Client team? Thanks!

AlokKulkarni (Joined: 05/01/2017 04:31:26, Messages: 30)

Hi Patrick,
From the logs, it seems that you are not using ClientSDK directly but the WebRTCConnect SDK, previously known as Oceana WebRTC Voice and Video SDK. Can you please let us know the version of the library that you are using?

Regards,
Avaya DevConnect Team


PatrickZhang (Joined: 24/03/2020 12:57:11, Messages: 14)

Dear support,

It's Reference Client version 3.6.1.0-2.

Attachment: OceanaWebRTCRefClient.jpg (61 Kbytes)


AlokKulkarni (Joined: 05/01/2017 04:31:26, Messages: 30)

Hello Patrick,
We will provide a fix for that issue in our next release. Please note that the version you are using is quite old and no longer maintained. We request that you set up your project using the SDK provided here in the meanwhile:
https://www.devconnectprogram.com/site/global/products_resources/webrtc_connect/overview/index.gsp
We will be providing the fix on top of version 4.0.1.
Regards,
Avaya DevConnect Team