Skip to main content
bartv87537168
Inspiring
August 31, 2018
Answered

TLS1.2 problem with Flashplayer in Google Chrome

  • August 31, 2018
  • 1 reply
  • 1734 views

Hi there,

I'm working on a Flash-application which connects to a server using the TLS1.2 protocol, i've used the SecureSocket-class to setup the connection. According to the documentation, i've setup my certificate chain using the addBinaryChainBuildingCertificate() method.

I tested my application with the standalone flashplayer and in 3 different browsers (Google Chrome / Internet Explorer / Mozilla Firefox) and it is working fine in the standalone flashplayer and in IE and Firefox, but the TLS1.2 connection isn't working in Chrome. According to the wireshark logs my application suddenly drops the connection after the TLS handshake is completed.

The flash debug log says an IOErrorEvent occurred with code #2031 and the servercertificateStatus = Invalid. I'm assuming something went wrong with validating the certificate, but why? Is Chrome handling the validation differently than IE / Firefox?

I'm using Flash player 30.0.0.154 and Google Chrome 68.0.3440.106.

I'm hoping someone can help me out here..

Thanks in advance!

    This topic has been closed for replies.
    Correct answer bartv87537168

    Running content from the local filesystem introduces another level of complexity.

    As a test, you might try running it from a local webserver (MAMP/XAMPP/etc offer super easy solutions).  Do you see the policy file requests at that point?


    Yes we are running it from a local webserver. We implemented the policy file on the same port as which the connection is made, but this fails in Chrome because the policy file request is also using a TLS connection, which fails ofcourse.

    Can i get in contact via mail or PM? I want to distribute our chain of trust and the IP of our server which is handling the TLS-connection with the client.

    Edit: Resolved! The SAN (Subject Alternative Name)  in our certificate was configured to secure a certain Domain. For testing-purposes i was running the server locally on my PC. So i configured the windows-hosts file to resolve that Domain in to -> 127.0.0.1, and let our Flash-application connect to that domain.

    Apparently Chrome doesn't accept this, because I configured the server on an other PC and editted the hosts-file to resolve the domain to the ip where the server is running now. It is connecting properly now

    Thanks for your assistance!

    1 reply

    jeromiec83223024
    Inspiring
    August 31, 2018

    Everything in Chrome is mediated, so where we would have used a native network stack to make those connections in NPAPI and ActiveX, we're asking PPAPI to make those connections on our behalf.  Chrome also has it's own TLS library called BoringSSL, so you're not using the system's SSL support or OpenSSL under the hood.

    Chrome changed the way that they do the TLS handshake on sockets a few years ago.  I don't remember the exact specifics, but I remember there being an additional step.  We ended up rewriting the test socket server to accommodate it, but we went from using a Java-based socket server that someone had written in the early 2000s to using Python.  I think the change was really that Python was just using a more current SSL library than what was compiled into the Java applet.

    I'm not sure if that's helpful. I don't have enough specifics to give you any precision recommendations beyond acknowledging that Chrome is a unique beast, and to maybe check out the Security tab in Chrome to see if you get anything useful.  We don't have great logging for this, so we'd probably have to reproduce it under a C++ debugger to really understand where it's falling apart.  I'm not sure that I'd put a whole lot of weight into the accuracy of that error.

    If your certificate chain validates elsewhere, it *might* be that Chrome is more strict for some reason, but you should be able to confirm that it's not the chain by throwing up a trivial socket listener with Python or Node to see if you get different results.

    bartv87537168
    Inspiring
    September 3, 2018

    The security tab isn't providing any information. I thought maybe chrome isn't detecting the TLS connection because it is executed in flash. So i've set up a webserver to make a https connection with the same certificate, to test if i can get some usefull information in the security tab. The security tab says the connection failed because the root certificate wasn't installed, so i installed it and the https connection is working fine now.

    So i was hoping that was the solution but it didn't have any effect for the TLS connection in flash. Does the method addBinaryChainBuildingCertificate() actually work under Chrome? Or is Chrome just using the certificates which are installed under settings (the same that IE is using).

    I'm pretty much at a dead end right now. The available logging is insufficient to give me enough info to find out what is going wrong..

    jeromiec83223024
    Inspiring
    September 4, 2018

    In theory, it should work, but the browsers are constantly moving targets.  The addBinaryChainBuildingCertificate() method is in mature code, so I doubt that it broke, but the world may have moved on. 

    I'd need to reproduce it under a debugger to fully understand the reality of the situation.

    I assume you have a self-signed root certificate and/or one or more intermediate certificates?  Can you give me specifics on how to build a trust chain that mirrors your scenario?

    Also, what version of Windows are you using?  It seems like Chrome uses the Windows certificate manager.

    I'd also be curious to know if you had the same problem with the server configured to only accept TLS 1.0 or 1.1 connections.  If that resolves the problem, it gives me a really clear signal about why it's failing.