Getting intermittent HTTP 500 errors in HABDroid

I’m facing a weird issue that I find hard to reliably reproduce. When I’m home, connected to my home WiFi, and it’s been at least a couple hours since I last used the Android app, when I start the app, 3 out of 4 times I get a 500 error. If I try connecting again, it always works, and doesn’t come up again, until I quit the app and wait a few hours. This issue doesn’t occur when connecting to the remote address. Neither does it occur when I access openHAB using a web browser from the internal network.

My network setup is as follows:

Internal access:
Client → nginx running as reverse proxy on openHAB box on port 443 → forward traffic to Jetty on localhost port 8080

The nginx reverse proxy requires the client to authenticate using an SSL certificate.

External access:
Client → nginx reverse proxy on a server other than openHAB on port 443 → nginx reverse proxy on openHAB box on port 444 → forward traffic to Jetty on localhost port 8080

The first nginx reverse proxy requires the client to authenticate using both an SSL certificate and Basic authentication. The second nginx does not require authentication.

When this issue occurs, there are absolutely no events logged in either the access or the error log in nginx, so it looks like the HTTP request never reached the server.

I have attached both a log from HABDroid, and the port 443 site configuration from the nginx running on the openHAB server. In the HABDroid log, you can see the 500 error just before line 500, on line 496. :smiley:
Also, just before that there is an SSL error in the log, but since nginx didn’t mention this error anywhere, I suspect that it never reached nginx.

habdroid_log.txt (70.6 KB)
nginx-site.conf.txt (2.2 KB)

Any ideas on how to investigate this issue further are welcome. I’m completely lost.

Do the servers use self-signed certificates or official ones, and which TLS version is used?

These lines seem interesting:

02-25 22:11:56.043 30212 30212 E MainActivity: Error: org.openhab.habdroid.util.HttpClient$HttpException: javax.net.ssl.SSLProtocolException: Read error: ssl=0x76ebf6c748: Failure in SSL library, usually a protocol error
02-25 22:11:56.043 30212 30212 E MainActivity: error:100003fc:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_RECORD_MAC (external/boringssl/src/ssl/tls_record.cc:587 0x76ebc22cc8:0x00000001)
02-25 22:11:56.043 30212 30212 E MainActivity: org.openhab.habdroid.util.HttpClient$HttpException: javax.net.ssl.SSLProtocolException: Read error: ssl=0x76ebf6c748: Failure in SSL library, usually a protocol error
02-25 22:11:56.043 30212 30212 E MainActivity: error:100003fc:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_RECORD_MAC (external/boringssl/src/ssl/tls_record.cc:587 0x76ebc22cc8:0x00000001)

Thanks for your response. To answer your question, I’m not using public certificates, but they’re not self-signed, either. I have a private certification authority that issues both the web server certificates, and the client certificates. Both the root CA cert and the intermediate CA cert are trusted by my phone.

In the meantime, I might have solved the issue. Originally, I had SSL 3.0 disabled on nginx, and TLS 1.0 through 1.3 enabled.
In addition to SSL 3.0, I have also disabled TLS 1.0 and 1.1, leaving only 1.2 and 1.3 enabled. Along with that, I have also specified a narrow list of strong ciphers to be used, and set up DH params. Since I made these changes, I haven’t run into this issue.

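Added example, not part of the original posts and not the attached nginx-site.conf.txt: a sketch of the internal port 443 site with the change described in the last post, showing the earlier protocol setting beside the restricted one. The server name, file paths, verify depth and cipher list are assumptions.

```nginx
# Constructed sketch of the internal (port 443) reverse proxy from this thread.
# Server name, paths, verify depth and cipher list are assumptions, not the
# poster's actual values.
server {
    listen 443 ssl;
    server_name openhab.example.internal;                        # placeholder

    ssl_certificate        /etc/nginx/tls/server-chain.pem;      # placeholder path
    ssl_certificate_key    /etc/nginx/tls/server.key;            # placeholder path

    # Client certificate authentication against the private CA.
    ssl_client_certificate /etc/nginx/tls/private-ca-chain.pem;  # placeholder path
    ssl_verify_client      on;
    # Assumes client certs are issued by the intermediate CA
    # (client -> intermediate -> root); nginx's default depth is 1.
    ssl_verify_depth       2;

    # Before: SSL 3.0 disabled, TLS 1.0 through 1.3 enabled.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    # After: only TLS 1.2 and 1.3 remain.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Narrow AEAD-only list for TLS 1.2. With OpenSSL, TLS 1.3 suites are
    # configured separately and are not affected by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Only used by the DHE-* suite above. Generate once with:
    #   openssl dhparam -out /etc/nginx/tls/dhparam.pem 2048
    ssl_dhparam /etc/nginx/tls/dhparam.pem;                      # placeholder path

    location / {
        # Forward to Jetty on localhost, as in the setup described above.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After editing, `nginx -t` checks the syntax before a reload.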