Copy link to clipboard
Copied
Hello,
I was the first yesterday in an unfortunately growing number of people who got an Android update which invalidated our Adobe Air app on Android only, not on iOS or the desktop as far as we can tell. I am not exactly sure what updated except I know there was a Google Play update which updated six apps and I believe my Android version which is now 5.0.2. Long story short, the app stopped working due to SharedObjects not working which are created using RTMPS, we get a generic "NetConnection.Connect.Failed" error code. This is not new code or new certificates - this has been working for a couple of months. I confirmed my certificates and all certificates in the chain did not expire. I reinstalled my app, tried different versions of the app, tried using different servers with different hosts and certificates, rebooted the device, reinstalled Adobe Air, upgraded my Air and Flex SDKs, upgraded Oracle Java (JDK) on the server to 1.7u80 and also tried 1.8u45 - nothing seems to fix this issue and we are concerned that the Android upgrade will outpace our ability to fix it. Since iOS and desktop apps work with RTMPS, we think the certificates are fine, but not sure. Also, HTTPS to the same server works fine from the app, just RTMPS is not working.
Today we took a perfectly working Android device (both devices mentioned are Samsung Galaxy tablets) on Android version 4.x.y, tested it (it worked), upgraded Android to 5.0.2, tested it, and it stopped working. So we know we are onto something with the new version breaking RTMPS.
Anyone have any ideas what to do? Downgrading to RTMP is not an option.
Thanks,
Danny
Copy link to clipboard
Copied
Hi,
Could you please share your sample project so that we can debug this issue in a better way?
-Piyush
Copy link to clipboard
Copied
Hello Piyush,
We have spent a lot of time debugging this and finally think we figured out what is wrong, but it appears to be beyond our control to fix. There are three areas of concern: Android Lollipop, Adobe Air, and Java. Any help is of course appreciated.
Android Lollipop - Android 5.0 Behavior Changes | Android Developers
See the link above, section, "TLS/SSL Default Configuration Changes". MD5, 3DES, export, and static key ECDH cipher suites are now disabled. Forward Secrecy cipher suites (ECDHE and DHE) are preferred.
Adobe Air - Adobe Flash Platform * Basics of networking and communication
Adobe Air supports SSLv3 and TLSv1. There is not enough supporting documentation to know which ciphers Adobe is using.
Java - https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
Java has explicit ciphers it supports and there are footnotes denoting the TLS compatibility for particular ciphers. The cipher we suspect Adobe Air is using is only compatible with TLSv1.2 in Java. Adobe Air is not stepped up to TLSv1.2, it is on TLSv1. We are not completely sure, but we think according to the Java security log, that Adobe is trying to use, "Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]". According to the Java link above, that cipher is not compatible with TLSv1.
How do we force Adobe Air to use a different cipher, even if we are limited to TLSv1 that are in the Java compatibility list and the Android Lollipop list?
Also, getting our project is slightly complicated, we require login credentials and an account. I can make that for you since you work for Adobe (this is not something we normally support), but you would have to contact me offline so I can create the credentials and share the project information.
Thanks,
Danny
Copy link to clipboard
Copied
Hi,
I have created a sample Project using RTMPS protocol and it is working fine on android Samsung s4(GT-I9500) 5.0.1 device.
Please check whether <SSLCypherSuite> tag in adapter.xml file is changed or not. The value that i have used is
<SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</SSLCipherSuite>
Could you please check if you are facing the same issue on any other device having OS apart from 5.0.2?
Regards
Adobe AIR Team
Copy link to clipboard
Copied
Hi Piyush,
We really appreciate you trying to help us out, particularly with writing a test application. Unfortunately the suggestion did not work because the cipher that is chosen in the handshaking process is already within those parameters. We spent a couple of days debugging and here is what we came up with:
Since Adobe Air is supporting TLSv1.2 on iOS, is there a way to upgrade AIR to support TLSv1.2 on Android? Even though Android claims to still support TLSv1, it appears from this error that they are putting more attention into the more modern approaches of TLSv1.1 and TLS1.2 (as they allude to here Android 5.0 Behavior Changes | Android Developers). Is there a scheduled time when Adobe will step up to TLSv1.2 (it's been 7 years since TLSv1.2 has been released, and TLSv1 is from 1999)?
If you have any other ideas, we will certainly give them a try.
Thanks again,
Danny
Copy link to clipboard
Copied
Piyush,
I am writing to provide some additional information about us debugging this issue, but we have still not solved it.
If you or anyone reading this thread has any ideas, please let us know. Also, if there is a public RTMPS server out there, we can point our app or Broadcaster to that IP address to see if it works from an Android 5.0.2 device.
Hopefully this information helps, we will keep trying things.
Thanks,
Danny
Copy link to clipboard
Copied
Hi Dr.Danny,
Sorry for late reply, I have debug this issue on android 5.0.2 also and it is working fine at my end. Here are the steps which I follow:
a) Set up Adobe Media Server from Media server for streaming video | Adobe Media Server family and make it RTMPS enable.
b) Here is link of my sample project Dropbox - RTMPTEST.zip
It is working fine on all devices. Please let me know what are the changes required in this project.
Or you can share your project and credentials to me bagri@adobe.com .
Thanks
Piyush
Copy link to clipboard
Copied
Piyush,
Thanks again for helping out. We took a long time to respond because we really wanted to get it working, but cannot, and we wanted to try a bunch of different servers to see if it is our server configuration or not. We tried a lot of different things, I will mention what I think is useful for this thread:
Any advice?
Thanks,
Danny
Copy link to clipboard
Copied
Hello everyone,
Providing an update. Piyush and I coordinated offline to do a test where I setup a server and used a test driver to test. I will send Piyush instructions how to test with our server in a bit, but here are the results. The test driver uses an RTMPS stream but does not set proxyType to 'best' on the network connection, it uses the default proxyType 'none'. In this mode, HTTPS-based RTMP is used instead of RTMPS. The good news is that HTTPS-based RTMP is a secure protocol. The bad news is it did not perform well for our app. There are two problems: (1) the performance of the video FPS is slow and (2) the technique was not working cross platform for us. For example, if a Mac laptop would connect to an Android camera, the screen was black on the Mac of the Android's picture. If the Android connected to the Mac's camera, the video was visible for one second, but then the NetConnection would close after about one second. Because of these issues, we still feel it is necessary to get RTMPS working. When we set ProxyType to best in the test driver, newer Android 5.x Lollipop devices do not work (which is the original problem).
In the middle of all of this, we hired an expert consultant to help us out. His conclusion is that it appears that the Android Lollipop client is closing the connection. He could not tell if the problem is occurring from the Android OS or Adobe Air, but he knows the handshake is failing from that side of the connection based on the hex codes sent from the client during the handshake process. I showed him the link I posted above (Android 5.0 Behavior Changes | Android Developers) where Google claims that Android Lollipop will break "a small number" of older TLSv1 ciphers. We also ran 56 different cipher tests (only enabling one cipher at a time), hoping that one would work, but unfortunately none of the ciphers worked. The consultant wanted me to ask two questions in this thread:
Our CEO also wanted me to mention that we are developing a secure HIPPA compliant app, and in light of various Information Assurance issues in the industry, security is a top priority for us. We appreciate your help to date.
Thanks,
Danny
Copy link to clipboard
Copied
Hi Danny,
Just wanted to say I'm watching this thread with a lot of anticipation, as I've seen a similar issue with Android 5.0.2 (paired w/ Red5 1.0.5 in my case.) Web + Flash Player and Android 4.4.2 (Samsung Galaxy Tab 4) + AIR both work fine, but Android 5.0.2 (Moto G gen 2) sees the connection immediately close. If it helps, the negotiated cipher in both cases is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. I tried disabling ECDHE and DHE on the server but it has done no good, the problem seems independent of the cipher.
It's such a shame because native RTMPS is so much more performant than RTMPT over SSL, and I can't get RTMPE to work either.
Incidentally, we're also working on a HIPAA-compliant app
Dave
Copy link to clipboard
Copied
I have come across this same issue, is there any update or resolution?
Copy link to clipboard
Copied
We have the same issue also. Submitted a bug report back in April, but no-one has looked at it.
Bug#3977064 - RTMPS proxyType "best" not working in Android 5
Makes me wonder if SecureSocket works on Android 5 or 6