weixin_39838829
2020-11-28 13:56

CLEARTEXT communication not enabled by client

Hi,

I am hosting a matrix homeserver in a Tor onion service, and I cannot log in to it with Riot Android v0.8.12 (I believe I started to have problems after installing v0.8.11). A toast is shown, with the message "CLEARTEXT communication not enabled by client".

The desktop client works correctly.

Thanks

This question comes from the open-source project: vector-im/riot-android


16 answers

  • weixin_39747334 5 months ago

    I've re-enabled CLEARTEXT communication when URL starts with http:// for the next release of Riot to fix all observed issues.

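The fix the maintainer describes above (cleartext permitted only when the homeserver URL the user entered starts with http://, TLS-only otherwise) can be expressed as a scheme-based choice of OkHttp connection specs. The following is an added example, not code from riot-android or matrix-android-sdk; it assumes the SDK builds its HTTP client with OkHttp 3, where the `ConnectionSpec` list decides whether `CLEARTEXT` is accepted, and the class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import okhttp3.ConnectionSpec;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;

/**
 * Added example (hypothetical helper, not matrix-android-sdk code).
 * Picks OkHttp connection specs from the homeserver URL: TLS-only by
 * default, with CLEARTEXT appended only when the scheme is plain http://.
 * The http:// URL below is a constructed sample, not a real onion address.
 */
public final class HomeserverClientFactory {

    // Default policy: only TLS connection specs, so an http:// URL fails
    // with OkHttp's "CLEARTEXT communication not enabled" error.
    private static final List<ConnectionSpec> TLS_ONLY = Collections.unmodifiableList(
            Arrays.asList(ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS));

    // Opt-in policy: TLS specs first, CLEARTEXT last, used only for http:// URLs.
    private static final List<ConnectionSpec> TLS_OR_CLEARTEXT = Collections.unmodifiableList(
            Arrays.asList(ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS,
                    ConnectionSpec.CLEARTEXT));

    private HomeserverClientFactory() {}

    /** True only when the URL the user typed uses the plain http scheme. */
    static boolean allowsCleartext(String homeserverUrl) {
        HttpUrl url = HttpUrl.parse(homeserverUrl); // null for non-http(s) schemes or junk
        if (url == null) {
            throw new IllegalArgumentException("Not a valid homeserver URL: " + homeserverUrl);
        }
        return "http".equals(url.scheme());
    }

    /** Connection specs matching the scheme of the homeserver URL. */
    static List<ConnectionSpec> connectionSpecsFor(String homeserverUrl) {
        return allowsCleartext(homeserverUrl) ? TLS_OR_CLEARTEXT : TLS_ONLY;
    }

    /** Builds the client with the policy derived from the homeserver URL. */
    public static OkHttpClient build(String homeserverUrl) {
        return new OkHttpClient.Builder()
                .connectionSpecs(connectionSpecsFor(homeserverUrl))
                .build();
    }

    public static void main(String[] args) {
        // Constructed sample URLs: an https homeserver and an http-only onion host.
        String[] samples = {
                "https://matrix.example.org",
                "http://exampleonionaddressplaceholder.onion"
        };
        for (String url : samples) {
            System.out.println(url + " -> cleartext allowed: " + allowsCleartext(url)
                    + ", specs: " + connectionSpecsFor(url).size());
        }
    }
}
```

With this policy the decision is driven by what the user explicitly entered, not by a hard-coded list of domains, which is the objection the maintainer raises later in the thread. Two caveats a practitioner should keep in mind: appending `CLEARTEXT` only widens what the client will accept, it never downgrades an https:// URL; and on Android 9 and later the platform's own network security configuration blocks cleartext traffic by default regardless of the OkHttp connection specs, so the app manifest or network security config must also permit it for the http:// case to work.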
  • weixin_39747334 5 months ago

    Hello ,

    Yes, CLEARTEXT communication has been disabled (here: https://github.com/matrix-org/matrix-android-sdk/pull/293/). Your home server is not hosted on a https server?

    Benoît

  • weixin_39838829 5 months ago

    Hi , thanks for the response,

    Tor onion services work over TLS-encrypted channels and their URLs are self-authenticated, so HTTPS is not needed.

    I will see if I can get a .onion certificate from letsencrypt, though. There is no preference in Riot Android to disable this protection, is there?

    Thanks,

    Rafa

  • weixin_39838829 5 months ago
  • weixin_39747334 5 months ago

    No, there is no preference in Riot to enable CLEARTEXT communication

  • weixin_39838829 5 months ago

    I don't know if it is too much of a narrow case, but would it be possible to allow cleartext communication only for .onion domains?

  • weixin_39838829 5 months ago

    Ping, any thoughts on my latest suggestion? Allowing cleartext communication only for .onion domains?

  • weixin_39747334 5 months ago

    Hi, I do not think it is a good idea to add an exception like this... Maybe the best solution will be to re-enable CLEARTEXT communication... can you have a quick look on this issue pls? Thanks

  • weixin_39838829 5 months ago

    Why do you think it is better to re-enable cleartext communication?

    I think it is a good idea to disable it for normal use cases. The problem with onion services is that they are a corner case, as they effectively are NOT cleartext channels but the signal is not HTTPS but the .onion domain. TLS is in both places, and in 2018 requiring TLS for a system like Matrix that tries to be as secure as possible makes total sense.

  • weixin_39747334 5 months ago

    If we add an exception for onion services, maybe tomorrow we will add an exception for carrot and for tomato services (just kidding)... I do not like hard-coded exceptions... But I agree with the fact that re-enabling CLEARTEXT is not safe (note that it has been disabled only a few weeks ago...)

  • weixin_39838829 5 months ago

    I see your point. The real fix would be to check if TLS is being used in the communications, rather than just assuming all TLS is HTTPS. I don't know if that's possible, though. Network captures are clear about that, they show TLS packets, but from the application layer...

  • weixin_39747334 5 months ago

    Note that it's maybe not the end of the world to add an exception here: https://github.com/matrix-org/matrix-android-sdk/blob/develop/matrix-sdk/src/main/java/org/matrix/androidsdk/ssl/CertUtil.java#L257

  • weixin_39731782 5 months ago

    My Riot is connected to my Synapse instance through a VPN, with no need for HTTPS. I cannot use Riot on my Android phone anymore.

    I see other cases where forcing HTTPS isn't suitable, like when hosting a private internal instance of Synapse or using any kind of VPN.

    Would it be possible to re-allow communication over HTTP? The user would always have to explicitly enter a homeserver URL starting with HTTP on the first login. A warning message could show up at that time.

  • weixin_39731782 5 months ago

    Please also note that forbidding cleartext communication broke existing (already configured) instances of Riot Android, without showing any error to the user. The app would simply endlessly attempt to load messages.

    I had to root my phone and dive into the log in /data/data/im.vector.alpha/cache/logs to actually see the stack trace and the error causing this. The error toast is only shown on the log-in screen, but not afterwards if the user is already logged-in.

  • weixin_39731782 5 months ago

    Changing the shared preferences to use an HTTPS endpoint with a self-signed certificate doesn't work either.

    No error is displayed to the user, the app just shows a loading indicator that runs forever. The logs clearly show that the certificate is invalid, but no option is offered to the user to accept/reject and pin the certificate. For reference, K-9 mail shows an alert dialog like this.

  • weixin_39664136 5 months ago

    Perhaps you can import the self-signed certificate (or a custom CA if necessary) via your Android settings.

    Yeah, it's work, I know. It's probably going to be faster than waiting for this to be resolved though.
