Why is the auth dialog useful?

Hi everyone,

I'm digging into ODK Collect's code, trying to fix a problem experienced
with SSL certificates issued by https://letsencrypt.org/ . The current http
API seems to be incompatible with Let's Encrypt for some unknown (to
me) reasons. Using the more up-to-date HttpURLConnection API, there is no
problem with letsencrypt.

Anyway, the current code path for requesting a list of blank forms from an
ODKAggregate server that requires authentication (Anonymous user has no
rights whatsoever) goes like this:

  • try to get the forms: WebUtils.getXmlDocument (it fails)
  • open an AUTH_DIALOG and populate it with the credential info from the
    settings
  • try to get the forms again
  • works

I'm probably missing something, but in what situation should ODK ask
through the AUTH_DIALOG for different credentials than the ones set in the
application settings? Shouldn't ODK resolve the credentials purely on the
app settings?

Many thanks!

The confirmation of the credentials was the workflow Carl and Yaw created.

Hopefully they can provide some perspective?

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Hi Charles,
The credentials in the settings are an optional default to make things more
convenient for single-user devices. Some organizations have multiple people
using the same device, so they each need to enter their own credentials to
either get blank or upload completed forms.

It would be a valid approach to try the credentials in settings first, then
only show a dialog on fail. Our thinking was that we wanted to make it
clear to the user of the device that the server they were connecting to
required authentication, and let them verify their information before
attempting to connect.

It sounds like the most important thing for you is that we need to update
the library with HttpURLConnection to get rid of the SSL problems.
Thanks!
-Carl

Hi Carl,
Thanks for your answer. And you are totally right, the dialog question
was more to satisfy my own curiosity. I took a look at the
HttpURLConnection library and changed the code accordingly in a
private branch. However it seems like this newer API doesn't support
DIGEST auth, which ODK Aggregate requires. Java is a little bit out of
my expertise: what are the other options for a newer HTTPS lib that
would support DIGEST?
Thanks,
Charles
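
The DIGEST scheme mentioned above can be layered on any HTTP client that exposes request and response headers. As an added example (not code from ODK Collect or from anyone in this thread), the class below parses a `WWW-Authenticate: Digest` challenge and computes the RFC 2617 `Authorization` value for MD5 with `qop=auth`; the class and method names are hypothetical, and the sample challenge and credentials are the worked example from RFC 2617 section 3.5.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (hypothetical names): RFC 2617 Digest, MD5 with qop=auth, computed by hand. */
public class DigestAuthExample {

    // name=value pairs; the value is either a quoted string or a bare token.
    private static final Pattern PARAM =
            Pattern.compile("(\\w+)\\s*=\\s*(?:\"([^\"]*)\"|([^,\\s]+))");

    /** Parses the value of a "WWW-Authenticate: Digest ..." header into its parameters. */
    static Map<String, String> parseChallenge(String header) {
        if (header == null || !header.regionMatches(true, 0, "Digest ", 0, 7)) {
            throw new IllegalArgumentException("not a Digest challenge");
        }
        Map<String, String> params = new LinkedHashMap<>();
        Matcher m = PARAM.matcher(header.substring(7));
        while (m.find()) {
            String value = m.group(2) != null ? m.group(2) : m.group(3);
            params.put(m.group(1).toLowerCase(Locale.ROOT), value);
        }
        return params;
    }

    static String toHex(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            hex.append(String.format("%02x", b & 0xff));
        }
        return hex.toString();
    }

    static String md5Hex(String s) {
        try {
            return toHex(MessageDigest.getInstance("MD5")
                    .digest(s.getBytes(StandardCharsets.ISO_8859_1)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /** Fresh client nonce for a real request; it must be unpredictable. */
    static String newCnonce() {
        byte[] raw = new byte[8];
        new SecureRandom().nextBytes(raw);
        return toHex(raw);
    }

    /** Builds the Authorization header value answering the parsed challenge. */
    static String authorization(Map<String, String> c, String method, String uri,
                                String user, String password, String cnonce, int nc) {
        String algorithm = c.get("algorithm");
        if (algorithm != null && !algorithm.equalsIgnoreCase("MD5")) {
            throw new UnsupportedOperationException("algorithm " + algorithm);
        }
        String realm = c.get("realm");
        String nonce = c.get("nonce");
        if (realm == null || nonce == null) {
            throw new IllegalArgumentException("challenge lacks realm or nonce");
        }
        boolean qopAuth = false;
        if (c.get("qop") != null) {
            for (String q : c.get("qop").split(",")) {
                qopAuth |= q.trim().equalsIgnoreCase("auth");
            }
            if (!qopAuth) throw new UnsupportedOperationException("only qop=auth is handled");
        }
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        String ncHex = String.format("%08x", nc);
        String response = qopAuth
                ? md5Hex(ha1 + ":" + nonce + ":" + ncHex + ":" + cnonce + ":auth:" + ha2)
                : md5Hex(ha1 + ":" + nonce + ":" + ha2);  // form used when no qop is offered
        StringBuilder h = new StringBuilder("Digest username=\"").append(user)
                .append("\", realm=\"").append(realm)
                .append("\", nonce=\"").append(nonce)
                .append("\", uri=\"").append(uri)
                .append("\", response=\"").append(response).append('"');
        if (qopAuth) {
            h.append(", qop=auth, nc=").append(ncHex)
             .append(", cnonce=\"").append(cnonce).append('"');
        }
        if (c.get("opaque") != null) {
            h.append(", opaque=\"").append(c.get("opaque")).append('"');
        }
        return h.toString();
    }

    public static void main(String[] args) {
        // Challenge, credentials and cnonce are the worked example from RFC 2617 section 3.5.
        // On a live connection the challenge is conn.getHeaderField("WWW-Authenticate") after
        // a 401, the cnonce comes from newCnonce(), and the retry carries the result via
        // conn.setRequestProperty("Authorization", header).
        String challenge = "Digest realm=\"testrealm@host.com\", qop=\"auth,auth-int\", "
                + "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", "
                + "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"";
        String header = authorization(parseChallenge(challenge), "GET", "/dir/index.html",
                "Mufasa", "Circle Of Life", "0a4f113b", 1);
        if (!header.contains("response=\"6629fae49393a05397450978507c4ef1\"")) {
            throw new AssertionError("does not match the RFC 2617 example: " + header);
        }
        System.out.println("Authorization: " + header);
    }
}
```

Digest only hashes the password; request and response bodies stay readable, so it still belongs behind TLS.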

Charles,

Perhaps you can do that search for an appropriate library and suggest
that to the community. Doesn't require Java knowledge...

Yaw

Hi all,
Has anyone had any success in working around this problem?

I recently enabled TLS/HTTPS on my server with letsencrypt. The relevant ODK Aggregate server is accessed via an NGINX reverse proxy, which manages all the TLS connections.

On my mobile devices (and on desktops), I can access the ODK Aggregate with a web browser without incident, but ODK Collect throws a javax.net.ssl.SSLHandshakeException when I try to pull the form list. Any ideas?

Sean

We found a way. I'm checking with our system guys and will get back to
you, Sean.

On further inspection, letsencrypt was not the source of my problem after all. I also happen to be hosting my ODK Aggregate server (and supporting servers) behind a Cloudflare CDN, with Cloudflare's strict SSL setting enabled (https://support.cloudflare.com/hc/en-us/articles/204144518-SSL-FAQ). I believe this meant that NGINX was encrypting the traffic between my server and Cloudflare, and Cloudflare was re-encrypting the traffic between itself and the client (e.g., ODK Collect) using their own key/cert. Judging from threads elsewhere in this community, Cloudflare's SSL configuration has compatibility problems with ODK Collect.

https://groups.google.com/forum/#!searchin/opendatakit-developers/ssl$20cloudflare/opendatakit-developers/O141Fnm4wYI/bWR820WiWWEJ

I switched off Cloudflare's management of my ODK domain, and ODK Collect is successfully grabbing the form listing. I will follow up on the Cloudflare issue elsewhere.

Thanks again for the help, and apologies for the misdirection.

Sean

The issue on our side was that Android's http library doesn't support
SNI: https://en.wikipedia.org/wiki/Server_Name_Indication

To overcome this issue we opened our firewall so requests to our
Aggregate server don't go through the reverse proxy.
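
What a missing SNI looks like on the wire, as an added example that is not part of the original thread: the class below walks a TLS ClientHello record and reports the `server_name` extension (RFC 6066) if the client sent one, which is how a capture taken at the reverse proxy can confirm this diagnosis. The class and method names are hypothetical, `odk.example.org` is a placeholder host, and both sample records are constructed in the code.

```java
import java.io.ByteArrayOutputStream;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/** Added example (hypothetical names): does a captured ClientHello carry SNI? */
public class SniCheckExample {

    /** Returns the SNI host name, or null when the ClientHello has no server_name extension. */
    static String sniOf(byte[] record) {
        ByteBuffer b = ByteBuffer.wrap(record);          // big-endian, as TLS requires
        try {
            if ((b.get() & 0xff) != 0x16) throw new IllegalArgumentException("not a handshake record");
            skip(b, 4);                                  // record version + record length
            if ((b.get() & 0xff) != 0x01) throw new IllegalArgumentException("not a ClientHello");
            skip(b, 3 + 2 + 32);                         // handshake length, client_version, random
            skip(b, b.get() & 0xff);                     // session_id
            skip(b, b.getShort() & 0xffff);              // cipher_suites
            skip(b, b.get() & 0xff);                     // compression_methods
            if (!b.hasRemaining()) return null;          // no extensions block at all
            int extLen = b.getShort() & 0xffff;
            int end = b.position() + extLen;
            while (b.position() + 4 <= end) {
                int type = b.getShort() & 0xffff;
                int len = b.getShort() & 0xffff;
                if (type != 0) {                         // 0 = server_name
                    skip(b, len);
                    continue;
                }
                skip(b, 2);                              // server_name_list length
                if (b.get() != 0) return null;           // name_type 0 = host_name
                byte[] name = new byte[b.getShort() & 0xffff];
                b.get(name);
                return new String(name, StandardCharsets.US_ASCII);
            }
            return null;
        } catch (BufferUnderflowException e) {
            throw new IllegalArgumentException("truncated ClientHello", e);
        }
    }

    private static void skip(ByteBuffer b, int n) {
        if (n > b.remaining()) throw new BufferUnderflowException();
        b.position(b.position() + n);
    }

    private static void put16(ByteArrayOutputStream out, int v) {
        out.write(v >>> 8);
        out.write(v & 0xff);
    }

    /** Builds a minimal ClientHello record for the demo; sni == null omits the extension. */
    static byte[] clientHello(String sni) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        put16(body, 0x0303);                             // client_version (TLS 1.2)
        body.write(new byte[32], 0, 32);                 // random (zeros, constructed)
        body.write(0);                                   // empty session_id
        put16(body, 2);                                  // cipher_suites length
        put16(body, 0xc02f);                             // one cipher suite
        body.write(1);                                   // compression_methods length
        body.write(0);                                   // null compression
        if (sni != null) {
            byte[] host = sni.getBytes(StandardCharsets.US_ASCII);
            put16(body, host.length + 9);                // extensions length
            put16(body, 0);                              // extension type: server_name
            put16(body, host.length + 5);                // extension data length
            put16(body, host.length + 3);                // server_name_list length
            body.write(0);                               // name_type: host_name
            put16(body, host.length);
            body.write(host, 0, host.length);
        }
        ByteArrayOutputStream rec = new ByteArrayOutputStream();
        rec.write(0x16);                                 // content type: handshake
        put16(rec, 0x0301);                              // record version
        put16(rec, body.size() + 4);                     // record length
        rec.write(0x01);                                 // handshake type: ClientHello
        rec.write(0);                                    // 24-bit handshake length, high byte
        put16(rec, body.size());
        rec.write(body.toByteArray(), 0, body.size());
        return rec.toByteArray();
    }

    public static void main(String[] args) {
        String[] labels = {"client with SNI", "client without SNI"};
        byte[][] hellos = {clientHello("odk.example.org"), clientHello(null)};
        for (int i = 0; i < hellos.length; i++) {
            String sni = sniOf(hellos[i]);
            // Without server_name, a proxy hosting several names cannot tell which
            // certificate to present and answers with its default one; if that
            // certificate does not cover the requested host, the client rejects it.
            System.out.println(labels[i] + ": " + (sni != null
                    ? "server_name=" + sni
                    : "no server_name, proxy can only offer its default certificate"));
        }
    }
}
```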
