This is a migrated thread and some comments may be shown as answers.

Okta Mobile App

3 Answers 339 Views
Mobile
John
John asked on 19 Nov 2019, 08:14 PM

My sanity is being tested...

We are trying to troubleshoot an issue with the Okta Single-Sign-On app on iOS (13.+).  It worked in August with Fiddler, and now does not.  iOS update?  Okta update?  Who knows.  Below are what I feel are relevant log entries from Fiddler.

Basically, when the Fiddler proxy is active you can't authenticate with the Okta iOS app ('Sign in failed!').  The Okta web portal works fine.  The App store also doesn't work, if that helps.

I keep seeing references to Certificate Pinning.  Not sure if that's what's happening or if there is any way around it.

15:00:15:1955 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.crashlytics.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:17:0550 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:17:0930 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.crashlytics.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:17:1220 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:17:1591 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.crashlytics.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:18:6217 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:18:7449 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.okta.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:18:7769 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:18:8480 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.okta.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:19:3274 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:19:3605 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.crashlytics.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:19:3885 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:19:4214 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.crashlytics.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:21:8030 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:21:8531 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.crashlytics.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:23:4728 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:23:5238 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.crashlytics.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:24:0954 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
15:00:24:1735 !SecureClientPipeDirect failed: System.IO.IOException Authentication failed because the remote party has closed the transport stream. for pipe (CN=*.crashlytics.com, O=DO_NOT_TRUST_BC, OU=Created by http://www.fiddler2.com)
15:00:31:5667 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. https://github.com/ssllabs/research/wiki/Long-Handshake-Intolerance

Thank you!

3 Answers, 1 is accepted

Boby
Telerik team
answered on 20 Nov 2019, 07:17 AM

Hi John,

The error message indicates that the Fiddler certificate is not trusted on the iOS device. Ensure that the Fiddler certificate is installed there, or just repeat the steps for configuring Fiddler as a proxy for an iOS device, where this step is included.

Regards,
Boby
Progress Telerik

John
answered on 20 Nov 2019, 01:27 PM

Thank you for the reply.  I have done the certificate trust process several times on multiple devices using multiple Fiddler hosts.  The cert works fine on secure web sites using iOS Safari, so it must be trusted, correct?  I can even perform authentication with Okta through their web site (using Safari) with Fiddler active.  The issue only occurs when using the Okta mobile app (and also using the Apple App Store - Related?  Expected?)

Thank you.

Boby
Telerik team
answered on 25 Nov 2019, 12:53 PM

Hi John,

After re-reading your post and consulting with other team members, I believe that certificate pinning, as you mentioned, is the issue in this case.

The problem and possible (very hacky) solutions are described in the CertPinning wiki, but the essence is that some apps are hardcoded to accept one and only one certificate and don't trust the certificates trusted on the machine. Also, Okta is indeed using certificate pinning in their mobile apps.

Regards,
Boby
Progress Telerik
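The mechanism Boby describes, as an added example that is not Telerik's, Okta's or the page's own code: a Go program that mints two self-signed certificates for a constructed hostname (one standing in for the genuine server certificate, one for the certificate a proxy such as Fiddler generates under its DO_NOT_TRUST_BC root), installs both in the client's trust store, and compares an ordinary chain check with a pinned check that additionally requires the leaf's SPKI SHA-256 to match a stored pin. The hostname, the certificates and the choice of SPKI pinning are assumptions for illustration; the thread does not say how Okta implements its pinning.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname for the demo, not a real Okta endpoint.
const host = "sso.example.test"

// newCert mints a self-signed, CA-capable certificate for host with a fresh key.
// It stands in for both the genuine server cert and the one a proxy such as
// Fiddler generates on the fly; both are constructed test material.
func newCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value most
// mobile pinning implementations (and HPKP) compare against.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyChain is what an unpinned client such as Safari does: build a chain to
// the device trust store. With the proxy CA installed there, it succeeds.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// verifyPinned is the pinned app's check: chain validation plus a match of the
// leaf's SPKI hash against the pin set. A proxy cert the OS trusts still fails.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, pins map[string]bool) error {
	if err := verifyChain(leaf, roots); err != nil {
		return err
	}
	if !pins[spkiPin(leaf)] {
		return errors.New("tls: server public key does not match any pinned key")
	}
	return nil
}

// pinnedConfig wires verifyPinned into a real client via VerifyPeerCertificate,
// which Go calls only after its own chain validation against RootCAs has passed.
func pinnedConfig(roots *x509.CertPool, pins map[string]bool) *tls.Config {
	return &tls.Config{
		ServerName: host,
		RootCAs:    roots,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			return verifyPinned(leaf, roots, pins)
		},
	}
}

func main() {
	genuine, _ := newCert("genuine " + host)
	proxy, _ := newCert("DO_NOT_TRUST_BC proxy cert for " + host) // models Fiddler's
	roots := x509.NewCertPool()
	roots.AddCert(genuine)
	roots.AddCert(proxy) // the user installed and trusted the proxy CA on the device
	pins := map[string]bool{spkiPin(genuine): true}

	fmt.Println("unpinned client, proxy cert:", verifyChain(proxy, roots))          // <nil>
	fmt.Println("pinned client, genuine cert:", verifyPinned(genuine, roots, pins)) // <nil>
	fmt.Println("pinned client, proxy cert:  ", verifyPinned(proxy, roots, pins))   // pin mismatch error
}
```

Running it prints three results: the unpinned check accepts the proxy certificate because the trust store contains it, which is why Safari and the Okta web portal worked; the pinned check accepts the genuine certificate and rejects the proxy one even though the trust store contains it, which is the 'Sign in failed!' outcome in the app and, on Fiddler's side, the client closing the transport stream mid-handshake. `pinnedConfig` shows where the same check plugs into a real client through `tls.Config.VerifyPeerCertificate`; because that hook runs after normal chain validation, installing another root on the device cannot bypass it, which is the point of pinning and the reason the wiki's workarounds have to modify the app rather than the trust store.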
