Broken API certificate since AWS move


Brian Smith

Mar 6, 2017, 10:31:14 AM
to meetu...@googlegroups.com
I got a report yesterday morning about OAuth problems after the move to
the AWS servers. Today, I had a chance to debug it and found that the
Android HTTPS stack was giving the error "No peer certificate" when trying
to get the request token (first step of the OAuth 1.0a sequence).

When trying to connect using the OpenSSL s_client command, I get the
following certificate chain:

 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=c.sni.fastly.net
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Maybe the "No peer certificate" message is triggered by the domain
mismatch on the certificate being given? There obviously is one there, but
it doesn't even remotely match "api.meetup.com".

Doug Tangren

Mar 7, 2017, 1:08:45 PM
to meetu...@googlegroups.com
Hi Brian,

Sorry to hear about the troubles.

Our new certificates may only be supported for clients which support SNI, https://en.m.wikipedia.org/wiki/Server_Name_Indication

What version of Android are you using?

Joe Lippeatt

Mar 7, 2017, 3:02:45 PM
to meetu...@googlegroups.com
My lightroom plugin uses lua scripts and has worked great for several years until now.  Is this something that will be repaired on Meetup's servers?

Joe

--
--
You received this message because you are subscribed to the Google
Groups "Meetup API" group.
To unsubscribe from this group, send email to
meetup-api+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/meetup-api?hl=en?hl=en

---
You received this message because you are subscribed to the Google Groups "Meetup API" group.
To unsubscribe from this group and stop receiving emails from it, send an email to meetup-api+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Brian

Mar 7, 2017, 3:15:27 PM
to Meetup API
4.1.2

Looking at that page, though, it looks like I need to do something to my app to account for it.

Brian

Mar 7, 2017, 4:39:50 PM
to Meetup API
I've made enough changes now to test, and now I'm getting "Connection closed by peer" when it tries to do the initial SSL handshake.

Brian

Mar 13, 2017, 11:25:36 PM
to Meetup API
No more SSL issues since making sure TLS 1.2 is enabled in my app, but now I'm getting a lot of "invalid oauth_signature" errors. Aside from having to migrate to HttpsURLConnection, my OAuth 1.0a client code hasn't changed in quite some time. The interesting part is that the only call I'm apparently not getting the error on so far is when I pull the list of events for my member ID. Everything else fails.

Doug Tangren

Mar 13, 2017, 11:43:10 PM
to meetup-api


On Mar 13, 2017 11:25 PM, "Brian" <aval...@caerleon.us> wrote:
No more SSL issues since making sure TLS 1.2 is enabled in my app, but now I'm getting a lot of "invalid oauth_signature" errors. Aside from having to migrate to HttpsURLConnection, my OAuth 1.0a client code hasn't changed in quite some time. The interesting part is that the only call I'm apparently not getting the error on so far is when I pull the list of events for my member ID. Everything else fails.

Update on this. We've decided to roll back some of the recent changes that forced the upgrade to TLS 1.2. While older versions of TLS are generally deemed less secure, the rollout of the change was not as transparent as it should have been.

It is recommended for futurizing client code that you still migrate to TLS 1.2, as we will likely start requiring this again in the future, but when we do, it will be much better communicated.

As for the oauth1 signature validation errors mentioned, my thoughts are that those were an artifact of the https url connection change, perhaps affecting parameter encodings.

We have no current plans on the road map to remove it, but depending on your use case, you may find our oauth2 support simpler to work with. There is an added overhead for checking token validity, as these tokens expire over periods of time, but the same validity checking should apply for oauth1, as members can revoke these tokens at any time.



Brian

Mar 15, 2017, 11:45:38 AM
to Meetup API
It looks like the signature issues are due to my trying to use HTTP (not HTTPS) for API requests, which I started doing a while ago thanks to another SSL issue. I'm currently testing things after changing that back, and so far so good...

I'll look into OAuth 2 for later. It is simpler to deal with compared to computing signatures and hoping the server agrees, but not so simple when trying to migrate an existing program.
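
OAuth 1.0a (RFC 5849) puts the request scheme and the percent-encoded parameters into the signature base string, so a signature computed over an http:// URL does not verify when the server rebuilds the string for https://, and an encoding difference has the same effect. The following is an added example, not code from this thread or from Meetup; the path, key, token and secrets are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def pct(s):
    # RFC 5849 section 3.6: escape everything except unreserved characters
    # (a space becomes %20, never "+").
    return quote(s, safe="-._~")

def base_string_uri(url):
    # Section 3.4.1.2: lowercase scheme and host, drop a default port,
    # keep the path, leave the query string out.
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}[scheme]:
        host += ":%d" % u.port
    return "%s://%s%s" % (scheme, host, u.path or "/")

def signature_base_string(method, url, params):
    # Section 3.4.1: METHOD & encoded URI & encoded, sorted parameter list.
    # A dict is enough here; repeated parameter names are not handled.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret" (section 3.4.2).
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def server_accepts(method, url_as_seen_by_server, params, signature,
                   consumer_secret, token_secret=""):
    # The server rebuilds the base string from the request it received.
    expected = sign(method, url_as_seen_by_server, params,
                    consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values; the path, key, token and secrets are made up.
PARAMS = {"oauth_consumer_key": "example-key", "oauth_token": "example-token",
          "oauth_nonce": "n0nce", "oauth_timestamp": "1489500000",
          "oauth_signature_method": "HMAC-SHA1", "text": "hello world"}
HTTP_URL = "http://api.meetup.com/example/resource"
HTTPS_URL = "https://api.meetup.com/example/resource"

if __name__ == "__main__":
    sig = sign("GET", HTTP_URL, PARAMS, "consumer-secret", "token-secret")
    print(server_accepts("GET", HTTP_URL, PARAMS, sig, "consumer-secret", "token-secret"))
    print(server_accepts("GET", HTTPS_URL, PARAMS, sig, "consumer-secret", "token-secret"))
```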


Doug Tangren

Mar 15, 2017, 1:25:08 PM
to meetu...@googlegroups.com
On Wed, Mar 15, 2017 at 11:45 AM, Brian <aval...@caerleon.us> wrote:
It looks like the signature issues are due to my trying to use HTTP (not HTTPS) for API requests, which I started doing a while ago thanks to another SSL issue. I'm currently testing things after changing that back, and so far so good...

Good to hear. It is of course recommended, but not required, that you use HTTPS for all communication with the Meetup API. That is something we'd like to change to a requirement, but in the same spirit, we'll definitely communicate that before we do.
