Bug 472851 - SSL Handshake Failed in KDE Itinerary - Indoor Train Station Map Issue
Summary: SSL Handshake Failed in KDE Itinerary - Indoor Train Station Map Issue
Status: REPORTED
Alias: None
Product: KDE Itinerary
Classification: Applications
Component: general
Version: unspecified
Platform: Android Android 7.x
Importance: NOR normal
Target Milestone: ---
Assignee: Volker Krause
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-31 16:53 UTC by reportthebug
Modified: 2023-08-08 21:18 UTC

See Also:
Latest Commit:
Version Fixed In:


Description reportthebug 2023-07-31 16:53:28 UTC
SUMMARY
***
The KDE Itinerary application does not display the indoor map of train stations due to an SSL handshake failure
***

STEPS TO REPRODUCE
1. Open KDE Itinerary.
2. Search for a train station with indoor mapping available.
3. Attempt to access the indoor map.


OBSERVED RESULT
An SSL handshake failure occurs, preventing the indoor map from loading. The error message displayed is as follows: "SSL handshake failed."

EXPECTED RESULT
The indoor map of the train station should be displayed without any issues.

SOFTWARE/OS VERSIONS
KDE_Itinerary Version: 23.11.70

ADDITIONAL INFORMATION
Please note that this issue only occurs when trying to access the indoor train station map and does not affect other features of the KDE Itinerary application. I kindly request that this issue be addressed in a future update to ensure a seamless user experience when accessing indoor maps within the application.

Thank you for your attention to this matter, and I look forward to the resolution of this bug.
Comment 1 Volker Krause 2023-08-01 16:31:24 UTC
Do any other network operations work within Itinerary (e.g. searching for train connections)?
Comment 2 reportthebug 2023-08-02 08:33:13 UTC
Yes, all other network operations are working.
Comment 3 reportthebug 2023-08-02 14:11:41 UTC
(In reply to reportthebug from comment #2)
> yes, any other network operations are working

The same error also occurs in the KDE OSM Indoor Map app: "SSL handshake failed." and no display of the map.
Comment 4 Volker Krause 2023-08-03 15:26:25 UTC
Git commit c51060a1a4c3fcdfdb5eb5f67693ba3faca3a4dd by Volker Krause.
Committed on 03/08/2023 at 17:25.
Pushed by vkrause into branch 'master'.

Improve diagnostics for SSL errors

M  +11   -1    src/map/loader/tilecache.cpp

https://invent.kde.org/libraries/kosmindoormap/-/commit/c51060a1a4c3fcdfdb5eb5f67693ba3faca3a4dd
Comment 5 Volker Krause 2023-08-03 15:27:37 UTC
Does opening https://maps.kde.org in the browser work without SSL errors?

As you seem to be using the nightly build, within the next 24h there should be an update that should show additional details as part of that error message.
Comment 6 reportthebug 2023-08-05 17:54:28 UTC
(In reply to Volker Krause from comment #4)
> Git commit c51060a1a4c3fcdfdb5eb5f67693ba3faca3a4dd by Volker Krause.
> Committed on 03/08/2023 at 17:25.
> Pushed by vkrause into branch 'master'.
> 
> Improve diagnostics for SSL errors
> 
> M  +11   -1    src/map/loader/tilecache.cpp
> 
> https://invent.kde.org/libraries/kosmindoormap/-/commit/
> c51060a1a4c3fcdfdb5eb5f67693ba3faca3a4dd

Now the error is: "SSL handshake failed (The issuer certificate of a locally looked up certificate could not be found)"
Comment 7 reportthebug 2023-08-05 17:55:33 UTC
(In reply to Volker Krause from comment #5)
> Does opening https://maps.kde.org in the browser work without SSL errors?

This opens without SSL errors.

> As you seem to be using the nightly build, within the next 24h there should
> be an update that should show additional details as part of that error
> message.
Comment 8 Volker Krause 2023-08-07 15:55:30 UTC
Hm, that sounds like the device CA certificate chain is incomplete, and for Android <= 7 and Let's Encrypt certificates that isn't even entirely implausible.

Can you check if your device has the "Internet Security Research Group (ISRG) X1" certificate installed? Here this is under Settings > Security & privacy > Encryption & credentials > Trusted credentials, but this can of course vary from one Android version to the next.
Comment 9 reportthebug 2023-08-07 19:33:28 UTC
(In reply to Volker Krause from comment #8)
> Hm, that sounds like the device CA certificate chain is incomplete, and for
> Android <= 7 and Let's Encrypt certificates that isn't even entirely
> implausible.
> 
> Can you check if your device has the "Internet Security Research Group
> (ISRG) X1" certificate installed? Here this is under Settings > Security &
> privacy > Encryption & credentials > Trusted credentials, but this can of
> course vary from one Android version to the next.

The mentioned certificate is not installed.
Comment 10 Volker Krause 2023-08-08 15:16:16 UTC
Ok, that is likely the cause of this problem then. And this is not limited to the indoor map, but would affect any API use on a server using Let's Encrypt certificates.

There are three possible options I can think of:
(1) You manually install the ISRG X1 certificate from https://letsencrypt.org/certificates/, assuming that is possible on Android at all.
(2) We bundle an updated CA certificate set with all our network-using apps (which is presumably what your browser does). That isn't hard technically, but it's substantial compliance work to ensure we don't make things worse by shipping a not trustworthy certificate.
(3) We add an option to ignore the error. That opens the door for accidentally compromising security even for people with correct CA certificates though.
Comment 11 reportthebug 2023-08-08 21:18:29 UTC
(In reply to Volker Krause from comment #10)
> Ok, that is likely the cause of this problem then. And this is not limited
> to the indoor map, but would affect any API use on a server using Let's
> Encrypt certificates.
> 
> There are three possible options I can think of:
> (1) You manually install the ISRG X1 certificate from
> https://letsencrypt.org/certificates/, assuming that is possible on Android
> at all.

I installed the Self- and Cross-signed variant of ISRG Root X1 and also OCSP X1, but the error still occurs.

> (2) We bundle an updated CA certificate set with all our network-using apps
> (which is presumably what your browser does). That isn't hard technically,
> but it's substantial compliance work to ensure we don't make things worse by
> shipping a not trustworthy certificate.

This does sound like the best option. Also, the error still occurs on my older phone; it works fine on my newer one. But it may be happening to other users who have phone configurations like my older phone, so a fix would be helpful.

 
> (3) We add an option to ignore the error. That opens the door for
> accidentally compromising security even for people with correct CA
> certificates though.
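Added example, not part of this bug report and not KDE code: a shell script that reproduces the failure mode diagnosed in comments 6, 8 and 10 with the openssl CLI. It builds a constructed root -> intermediate -> leaf chain, then verifies the leaf twice: once with the root in the trust store, and once against an empty trust store, which stands in for a device whose CA set lacks the root. The second run fails with OpenSSL's "unable to get local issuer certificate" (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), which is the error Qt's OpenSSL backend reports as "The issuer certificate of a locally looked up certificate could not be found" (comment 6). The server-sent intermediate does not help: the chain can be built, but it cannot be anchored at anything the verifier trusts. All names in the script (the "Constructed Test ..." subjects, the hostname maps.example.test, the temp-dir file layout) are made up for the example; it needs only a POSIX shell and openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not KDE code: reproduce "unable to get local issuer
# certificate" with a constructed root -> intermediate -> leaf chain.
# Requires a POSIX shell and the openssl CLI (1.1.1 or newer).
set -eu

# Write the OpenSSL config used for all three certificates into $1/req.cnf.
# Section names and the hostname maps.example.test are made up for this example.
write_config() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:maps.example.test
EOF
}

# Build root.pem (self-signed), int.pem (signed by root) and leaf.pem
# (signed by int) in $1. openssl's stderr chatter goes to $1/openssl.log.
build_chain() {
  dir=$1
  write_config "$dir"
  log="$dir/openssl.log"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$dir/req.cnf" \
    -subj "/CN=Constructed Test Root" -keyout "$dir/root.key" -out "$dir/root.pem" 2>>"$log"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/CN=Constructed Test Intermediate" -keyout "$dir/int.key" -out "$dir/int.csr" 2>>"$log"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 2 -extfile "$dir/req.cnf" -extensions ca_ext -out "$dir/int.pem" 2>>"$log"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
    -subj "/CN=maps.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>>"$log"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -days 2 -extfile "$dir/req.cnf" -extensions leaf_ext -out "$dir/leaf.pem" 2>>"$log"
}

# Verify leaf.pem in $1 with int.pem offered as the untrusted intermediate
# (what a TLS server sends alongside the leaf) and $2 as the only trusted
# root. An empty $2 means an empty trust store, i.e. a device without the
# root. Prints one word and returns 0 only for a trusted chain:
#   OK               chain anchored at a trusted root
#   MISSING_ISSUER   OpenSSL could not find the issuer of the last chain cert
#   OTHER: <text>    any other verification failure
chain_status() {
  dir=$1
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$dir/int.pem" "$dir/leaf.pem" 2>&1) \
      && { echo OK; return 0; }
  else
    out=$(openssl verify -no-CAfile -no-CApath -untrusted "$dir/int.pem" "$dir/leaf.pem" 2>&1) \
      && { echo OK; return 0; }
  fi
  case $out in
    *"unable to get "*"issuer certificate"*) echo MISSING_ISSUER ;;
    *) echo "OTHER: $out" ;;
  esac
  return 1
}

main() {
  work=$(mktemp -d)
  build_chain "$work"
  echo "root in trust store:  $(chain_status "$work" "$work/root.pem")"
  echo "empty trust store:    $(chain_status "$work" "")"
  rm -rf "$work"
}

main
```

The practical check this corresponds to on a real host: openssl s_client -connect maps.kde.org:443 -showcerts </dev/null prints the chain the server actually sends, and the issuer of the last certificate in it is the root the device trust store must contain (for a Let's Encrypt chain that is ISRG Root X1, as comment 8 says). The -untrusted file in the script plays the role of the served intermediate; only the -CAfile side models the device trust store, which is why adding more intermediates never changes a MISSING_ISSUER result.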