I decided to put up some non-public WordPress sites for creating content. My assumption was that due to its popularity, the available mobile app support should be top notch. So I took WordPress – Website & Blog Builder by Automattic for a spin.
An nginx+mysql+php site went up, with certs from Let’s Encrypt. I wasn’t into making this WordPress site publicly available, so I set up a client certificate check. I doubted the Android app supported those, though.
Here we are. The blog opens nicely on all my mobile browsers but the Android app doesn’t find a blog.
After downgrading from client cert to HTTP basic auth, then switching basic auth to a simple IP limitation and doing lots of double checking, I got to see the same error numerous times. Why is there an access log entry with the mobile browser but no access or error log entries from the app? Is there some cache preventing further attempts to a site with an unsupported auth scheme? Maybe not, as the packet capture shows that there’s TCP flying even though there are no log entries. It must be a handshake error, then.
Wireshark shows the error is fatal and it has “Description: Handshake Failure (40)”.
The Internet says TLS error 40 has to do with the client and server having no shared ciphers. My nginx conf’s TLS settings were inspired by Raymii.org’s Strong SSL Security on nginx for getting good grades from Qualys’s SSL Test. Relaxing the configuration a bit for this site did the trick. Finally.
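As an added illustration (not code from the original post), this Python example parses the two plaintext records such a capture contains, the ClientHello and the fatal alert, and computes the cipher overlap against a server's allowed set. The byte strings, the suite lists and the `STRICT`/`RELAXED` sets are constructed for the example and are assumptions, not values from the capture or nginx configuration described here.

```python
import struct

# Small name table (IANA IDs, OpenSSL names) for the suites in the constructed sample.
SUITES = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC013: "ECDHE-RSA-AES128-SHA", 0xC014: "ECDHE-RSA-AES256-SHA",
    0x002F: "AES128-SHA", 0x0035: "AES256-SHA",
}

def parse_alert(record: bytes):
    """Return (level, description) from an unencrypted TLS alert record."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2 or len(record) < 7:
        raise ValueError("not a plaintext TLS alert record")
    return record[5], record[6]

def client_hello_suites(record: bytes):
    """Return the cipher suite IDs offered in a ClientHello record."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype != 22 or len(body) != length or body[:1] != b"\x01":
        raise ValueError("not a complete ClientHello record")
    pos = 4 + 2 + 32                  # handshake header, client_version, random
    pos += 1 + body[pos]              # skip session_id
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from("!%dH" % (n // 2), body, pos))

def shared_suites(offered, server_allowed):
    """Suites both sides support, in the client's preference order."""
    return [SUITES.get(s, hex(s)) for s in offered if s in server_allowed]

def build_client_hello(suites):
    """Build a minimal ClientHello record (constructed sample, no extensions)."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed data: a client offering only CBC suites, a server limited to ECDHE+GCM.
HELLO = build_client_hello([0xC013, 0xC014, 0x002F, 0x0035])
ALERT = bytes.fromhex("15030300020228")      # fatal (2), handshake_failure (40)
STRICT = {0xC02F, 0xC030}                    # assumed hardened server list
RELAXED = STRICT | {0xC013, 0xC014}          # assumed relaxed server list

if __name__ == "__main__":
    print(parse_alert(ALERT), shared_suites(client_hello_suites(HELLO), STRICT))
```

On a real host the enabled list comes from the `ssl_ciphers` directive, and nginx reports failed handshakes in `error_log` only when its level is set to `info` or `debug`.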
- The Android app seems to come with some non-fantastic TLS library built in
- I hoped everything would be top-notch with a popular platform, but ended up solving this with tcpdump+Wireshark
- I was figuring this out at Assembly 2018. I knew I was going to do some hacking at asm. Just didn’t know it was going to be installing and using WordPress.