This repository has been archived by the owner on Apr 27, 2021. It is now read-only.

Error on certificate validation on the last few days #34

Closed
SandroMachado opened this issue Dec 26, 2019 · 20 comments

@SandroMachado

My certificate is about to expire and in the last few days, some instances of my application are having problems connecting to the server. They just don't connect. Even on the same device, sometimes after installing the app it works fine, other times it just doesn't connect.

Digging in I discovered that removing this library fixes the issue. Any tip on how to fix this?

Or any ideas why this is happening?

@sheungon

Same issue happened to me a few days ago. I had to disable CT to get my app to work again.

@mattmook
Contributor

Hi @SandroMachado I don't suppose you know what value was returned by the library?

I'm thinking this may be linked to issue #28

@pavlospt

@mattmook is there any news regarding this? We started noticing similar behaviour today in our app :)

@SandroMachado
Author

Same here.

@jclaudino

Same

@barnhill

Noticing same here

@maxkohne

We are experiencing this as well

@eramirez01

Same Here!!!

@pavlospt

Okay, this sounds like something is certainly going on. Just to add more info here, our iOS colleagues were able to use CT fine the whole day, while we had those issues! So I guess it is not infrastructure related.

@mattmook
Contributor

mattmook commented Feb 4, 2020

Has anyone managed to capture a log from when this happens? I suspect it could be something like the log list being out of sync with the signature, which we have seen happen once before.

@pavlospt

pavlospt commented Feb 4, 2020

Hey @mattmook, I do not happen to have a log, but the behavior of failing to verify the signatures was like consistently inconsistent. At some it would fail to verify and then would work again. I am not sure if it has something to do with the last days of the month and an issue is going on with Date validations, but we have not seen it happen afterwards.

Just for future reference and in order to help you debug it more effectively, what would you like from us to capture? Just the raw loglist response?

@mattmook
Contributor

mattmook commented Feb 4, 2020

When creating the certificateTransparencyInterceptor you can provide a logger, an instance of CTLogger - it might be worth recording any instances when log is called with an instance of VerificationResult.Failure.
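
One way to record the failures described in the comment above, as an added example that is not part of the original thread or the library's own code. It assumes the `CTLogger.log(host, result)` signature and the `logger` property of the interceptor builder as documented in the library's README; `CtFailure` and `FailureRecordingLogger` are hypothetical names.

```kotlin
import com.babylon.certificatetransparency.CTLogger
import com.babylon.certificatetransparency.VerificationResult
import com.babylon.certificatetransparency.certificateTransparencyInterceptor
import okhttp3.OkHttpClient
import java.util.ArrayDeque

// Hypothetical record type: one entry per failed CT verification.
data class CtFailure(val epochMillis: Long, val host: String, val detail: String)

// Hypothetical logger: keeps the most recent failures in memory so that
// intermittent problems can be correlated with dates and log-list refreshes.
class FailureRecordingLogger(private val capacity: Int = 50) : CTLogger {
    private val failures = ArrayDeque<CtFailure>()

    // Assumed signature of CTLogger.log; called for every verification result.
    override fun log(host: String, result: VerificationResult) {
        if (result !is VerificationResult.Failure) return
        synchronized(failures) {
            // Bounded buffer: drop the oldest entry once capacity is reached.
            if (failures.size == capacity) failures.removeFirst()
            failures.addLast(
                CtFailure(System.currentTimeMillis(), host, result.toString())
            )
        }
    }

    // Copy of the recorded failures, e.g. to attach to a crash or bug report.
    fun snapshot(): List<CtFailure> = synchronized(failures) { failures.toList() }
}

val ctLogger = FailureRecordingLogger()

val client: OkHttpClient = OkHttpClient.Builder()
    .addNetworkInterceptor(
        certificateTransparencyInterceptor {
            // Host include/exclude rules omitted; configure them as in your app.
            logger = ctLogger
        }
    )
    .build()
```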

@pavlospt

pavlospt commented Feb 4, 2020

Yeap, we are already using that and it was outputting something along the lines of:

SSLHandshakeException: Certificate transparency failed: LogServerSignatureResult.Invalid.SignatureFailed

I can get the exact log next time it happens 😄

@jclaudino

Any updates on this issue?

Are others still experiencing this?

@pavlospt

Haven't experienced it since the last days of January. Will wait to check it on February as well!

@pavlospt

We had this logged in production today as well. Unfortunately we do not have any logs to share apart from:

javax.net.ssl.SSLPeerUnverifiedException: Certificate transparency failed
    at com.babylon.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor.intercept(CertificateTransparencyInterceptor.kt:59)

@maxkohne

Yeah, we actually disabled this library since we cannot afford to have these issues happen randomly. Our security team understands but would really like this to be solved / looked into.

I wrote about how we are remotely toggling this library in another issue: #28 (comment)

@pavlospt

@mattmook based on this comment: #28 (comment) could we please have an update that uses the correct casing for the Signature name SHA256withRSA https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#Signature and prepare a new release?

Also since more people mentioned issues with the last days of a month, I really tend to believe something shady is going on there.

@vivascu

vivascu commented May 8, 2020

There are some interesting findings I mentioned here: #28 (comment)

@mattmook
Contributor

Fix released in version 0.3.0
