"We should consider KitKat 'abandoned'" w.r.t. the media plugin, not Cordova...
On Tue, Jun 19, 2018 at 11:47 PM Shazron <shaz...@gmail.com> wrote: > Using http might fix the test, for sure - but I think we should move on to > testing https only, as the new normal. > > Although this is through one major browser vendor (which dwarfs all others > at 60% market share) -- the coming https-pocalypse later this year (see > https://techcrunch.com/2018/02/08/chrome-will-soon-mark-all-unencrypted-pages-as-not-secure/) > is the hammer coming for most sites. These sites will not want to lose any > Google juice and it will be the new reality (sites might not want to > change, but customers leaving will make that choice for them). > > Even if we keep testing for http, most sites will eventually redirect to > https, and we would be back to square one with the failing tests. We should > consider KitKat 'abandoned' since Google definitely won't be updating it > with the latest security standard. > > Filed and resolved: https://issues.apache.org/jira/browse/CB-14146 > > > > > On Tue, Jun 19, 2018 at 5:43 PM julio cesar sanchez < > jcesarmob...@gmail.com> wrote: > >> Why don't we just use http instead of https? shouldn't that fix the >> problems too? or https is required in other platforms? >> >> 2018-06-19 11:32 GMT+02:00 Ken Naito <k...@monaca.io>: >> >>> Hi Shazron, >>> >>> Thanks for the advice! >>> I sent a new commit of PR, which removes some tests for Android 4.4. >>> >>> Ken Naito. >>> >>> On 2018/06/19 13:35, Shazron wrote: >>> >>>> Thanks Ken! >>>> I think we should go for the simpler option, and log this as a new >>>> issue that is known and out of our control. Android 4.4 (even though 10% of >>>> the market) should not be a priority for us. >>>> >>>> On Tue, Jun 19, 2018 at 12:30 PM Ken Naito <k...@monaca.io <mailto: >>>> k...@monaca.io>> wrote: >>>> >>>> >>>> I have investigated the test failure for Android 4.4. For >>>> cordova-plugin-media, the cause of the failure may be the SSL >>>> handshake. >>>> >>>> The MediaPlayer in Android 4.4 can not connect to a modern SSL >>>> server. >>>> For example: >>>> https://cordova.apache.org/downloads/BlueZedEx.mp3 >>>> >>>> https://cordova-develop.github.io/cordova-plugin-media/res/BlueZedEx.mp3 >>>> >>>> On the other hand, the MediaPlayer can connect to a standard SSL >>>> server >>>> like: >>>> https://www.asial.co.jp/data_knaito/BlueZedEx.mp3 >>>> >>>> I have checked the packet, and the available cipher suites of >>>> Android >>>> 4.4 are as follows: >>>> >>>> ECDHE-RSA-AES256-CBC-SHA >>>> ECDHE-ECDSA-AES256-CBC-SHA >>>> SRP-SHA-DSS-AES256-CBC-SHA >>>> SRP-SHA-RSA-AES256-CBC-SHA >>>> DHE-RSA-AES256-CBC-SHA >>>> DHE-DSS-AES256-CBC-SHA >>>> ECDH-RSA-AES256-CBC-SHA >>>> ECDH-ECDSA-AES256-CBC-SHA >>>> RSA-AES256-CBC-SHA >>>> ECDHE-RSA-3DES-EDE-CBC-SHA >>>> ECDHE-ECDSA-3DES-EDE-CBC-SHA >>>> SRP-SHA-DSS-3DES-EDE-CBC-SHA >>>> SRP-SHA-RSA-3DES-EDE-CBC-SHA >>>> DHE-RSA-3DES-EDE-CBC-SHA >>>> DHE-DSS-3DES-EDE-CBC-SHA >>>> ECDH-RSA-3DES-EDE-CBC-SHA >>>> ECDH-ECDSA-3DES-EDE-CBC-SHA >>>> RSA-3DES-EDE-CBC-SHA >>>> ECDHE-RSA-AES128-CBC-SHA >>>> ECDHE-ECDSA-AES128-CBC-SHA >>>> SRP-SHA-DSS-AES128-CBC-SHA >>>> SRP-SHA-RSA-AES128-CBC-SHA >>>> DHE-RSA-AES128-CBC-SHA >>>> DHE-DSS-AES128-CBC-SHA >>>> ECDH-RSA-AES128-CBC-SHA >>>> ECDH-ECDSA-AES128-CBC-SHA >>>> RSA-AES128-CBC-SHA >>>> ECDHE-RSA-RC4-SHA >>>> ECDHE-ECDSA-RC4-SHA >>>> ECDH-RSA-RC4-SHA >>>> ECDH-ECDSA-RC4-SHA >>>> RSA-RC4-SHA >>>> RSA-RC4-MD5 >>>> >>>> Modern SSL servers may refuse these cipher suites. >>>> >>>> In order to resolve this issue, the mp3 file should be downloaded in >>>> another way and then be played by MediaPlayer. >>>> One way of downloading is using the okhttp library with a custom ssl >>>> socket factory. >>>> >>>> However, the okhttp library is not included in the latest >>>> cordova-android, and cordova-plugin-okhttp >>>> (https://github.com/MobileChromeApps/cordova-plugin-okhttp) is too >>>> old >>>> and not maintained. >>>> >>>> I think that a new okhttp plugin should be created, and >>>> cordova-plugin-media should depend on the new okhttp plugin in >>>> order to >>>> connect to a modern SSL server. >>>> >>>> Or, a more simple option is to specify that the MediaPlayer can not >>>> connect modern SSL servers for Android 4.4, and remove the test of >>>> playing streams for Android 4.4. >>>> >>>> >>>> On 2018/06/18 13:02, Shazron wrote: >>>> > We keep seeing this failed Media test on Android 4.4: >>>> > https://github.com/apache/cordova-plugin-media/pull/166 >>>> > >>>> > I'm not sure of the state of our Android support, especially >>>> 4.4. Does >>>> > anyone have any pointers? Thanks >>>> > >>>> >>>> >>> >>
