Tags: javascript, ssl, firefox-os

Firefox OS TCPSocket API : SSL received a record that exceeded the maximum permissible length


Is it possible to turn off SSL cert verification in Firefox OS? I have a Geeksphone dev preview and am trying to make an IMAP client via the TCPSocket API, but the server cert is somehow invalid. I got this error:

SSL received a record that exceeded the maximum permissible length.
(Error Code: ssl_error_rx_record_too_long) 

My TCPSocket initialization is as follows:

var TCPSocket = navigator.mozTCPSocket.open(
        "mbp.telekom.de",
        993,
        {useSSL:'starttls'}
    );

When I try to connect to GMail or another account, everything works OK.

Is this really server cert error or is it something else?

Thanks


Solution

  • Turning off the certificate verification is generally a bad idea and unlikely to help. The error says ssl_error_rx_record_too_long, and a record that is too long is just too long, whether you choose to accept any certificate or not. This type of error tends to be caused by a record that is "too long for SSL/TLS", that is, some message that isn't valid SSL/TLS at all.

    There are a few other problems here.

    • According to the documentation, TCPSocket takes a boolean for its useSSL parameter, not a string. It would seem fair to assume that somewhere in the code, there's an if (useSSL) {...}, so 'starttls' in your configuration counts as true.

    • Port 993 tends to be usable for IMAP over SSL (after an initial connection via SSL), not IMAP+STARTTLS on port 143 (where the same socket is upgraded to SSL/TLS after an initial plain-text connection).

    • The server at mbp.telekom.de doesn't accept SSL/TLS initial connections (like most IMAP servers would on that port), but accepts plain text IMAP connections upgradable to SSL/TLS via STARTTLS (which it should do on port 143 instead). This is likely to be a problem with the server configuration. This also explains why your connection works with imap.gmail.com (since it does support normal SSL/TLS connections that don't use STARTTLS on port 993, and since your {useSSL:'starttls'} in fact means {useSSL:true}).

    You could in principle implement your IMAP client to upgrade the connection to SSL/TLS after using the STARTTLS command, but you'd need to be able to upgrade the same socket to SSL/TLS. I can't see anything in the TCPSocket documentation that would allow this (in the same way as SSLSocketFactory.createSocket(Socket, ...) does in Java, for example).

    EDIT:

    After a quick look at the TCPSocket.js source code, it seems that it does support starttls indeed, but this only makes sense with the undocumented upgradeToSecure method.

    You might be able to implement IMAP+STARTTLS this way: initiate a plain IMAP connection, and then upgrade to SSL/TLS with the STARTTLS command, as described in RFC 2595. This is normally done on port 143, but since your server is (rather incorrectly) configured for this on port 993, it should work there too.
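An added example, not part of the question or the answer above: the first function shows why a plaintext IMAP greeting trips the TLS record-length check (the client reads "* OK " as a 5-byte record header), and the second drives the RFC 2595 STARTTLS exchange over a socket opened with useSSL:false and upgraded in place. The socket shape (send, ondata, upgradeToSecure) is an assumed adapter around TCPSocket, and the 18432-byte ceiling is the TLS 1.2 ciphertext maximum, not necessarily the exact constant the Firefox OS TLS stack uses.

```javascript
// Constructed example; the socket interface below is a hypothetical adapter,
// not the Firefox OS TCPSocket API itself.
const TLS_MAX_RECORD = 16384 + 2048; // TLS 1.2 ciphertext ceiling (RFC 5246, 6.2.3)

// Read the first five bytes of a server reply as a TLS record header:
// type (1 byte), version (2 bytes), length (2 bytes, big-endian).
function parseTlsRecordHeader(bytes) {
  const type = bytes[0];
  const version = (bytes[1] << 8) | bytes[2];
  const length = (bytes[3] << 8) | bytes[4];
  return {
    type, version, length,
    validType: type >= 20 && type <= 23, // change_cipher_spec..application_data
    tooLong: length > TLS_MAX_RECORD,    // the "record too long" condition
  };
}

// Drive IMAP STARTTLS (RFC 2595) on a socket opened with {useSSL: false}.
// socket.send(str) writes, socket.ondata(str) receives, socket.upgradeToSecure()
// switches the same socket to TLS. Nothing is sent in plaintext after the
// upgrade request, and a NO/BAD reply ends the session instead of continuing.
function startTlsDriver(socket) {
  const state = { phase: 'greeting', upgraded: false, error: null };
  let buffer = '';
  socket.ondata = function (chunk) {
    buffer += chunk;
    let nl;
    while ((nl = buffer.indexOf('\r\n')) !== -1) { // IMAP lines end in CRLF
      const line = buffer.slice(0, nl);
      buffer = buffer.slice(nl + 2);
      handleLine(line);
    }
  };
  function handleLine(line) {
    if (state.phase === 'greeting' && line.startsWith('* OK')) {
      state.phase = 'starttls';
      socket.send('a1 STARTTLS\r\n');           // tagged command, tag "a1"
    } else if (state.phase === 'starttls' && line.startsWith('a1 OK')) {
      socket.upgradeToSecure();                  // same socket, now TLS
      state.phase = 'secure';
      state.upgraded = true;
    } else if (state.phase === 'starttls' && /^a1 (NO|BAD)/.test(line)) {
      state.phase = 'failed';                    // never fall back to plaintext
      state.error = line;
    }
  }
  return state;
}
```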