Android app on Android 4.x and older cannot connect to Hipchat Server 2.0.4 or 2.0.7+ with Unable to reach server domain

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

This is for an outdated version of Hipchat Server

 This article applies to a version of Hipchat Server which will be deprecated soon. After that period the version will no longer be supported.

When will my version be deprecated?

The following versions have been deprecated:

  • Hipchat Server 1.3 (EOL Date: Aug 17, 2017)
  • Hipchat Server 2.0 (EOL Date: Jun 17, 2018)
  • Hipchat Server 2.1 (EOL Date: Dec 8, 2018)

The following version will be deprecated soon:

  • Hipchat Server 2.2 (EOL Date: May 30, 2019)

You can read more about Atlassian's End of Life policy here.

You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes.


Problem

On Android 4.x and older, the Android Hipchat app cannot connect to Hipchat Server 2.0.4 or 2.0.7+. A popup with Unable to reach server domain is shown: 
 

Diagnosis

Run an openssl check against your Hipchat Server instance by forcing the protocol to TLSv1: 

 openssl s_client -connect hipchat.example.com:443 -tls1 

If you're running Hipchat Server 2.0.4 or 2.0.7+ and didn't make any SSL-related changes to the Chef or Nginx configurations, you should still have TLSv1 disabled and see this output: 

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1482236176
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Cause

  • TLSv1.1 and TLSv1.2 were enabled by default in Android 5.0. Thus, any older version will use TLSv1. We have a feature request raised to enable/enforce TLS 1.2 on future Android mobile client:  HCPUB-2762 - Getting issue details... STATUS
  • Connections over TLS v1.0 are no longer supported in Hipchat Server v2.0.4 and newer. Note that due to a regression, TLS v1.0 support was enabled back in versions 2.0.5 and 2.0.6 of Hipchat Server and became unsupported again in 2.0.7.

Workaround

TLSv1 is no longer supported as an industry standard cryptographic protocol and is considered to be unsafe, especially if your server is exposed to the Internet. Please reach out to your security team before taking any steps as Atlassian will not be responsible for any security issues resulting from this change. Our recommendation is to upgrade the Android devices to Android 5+ to support TLSv1.1 and TLSv1.2.

If an upgrade of the Android devices to version 5+ is not possible, TLSv1 can be enabled back on Hipchat Server by running the following steps: 

  1. Upload the attached enable_tlsv1 script to /tmp on your server
    1. If using Hipchat Server version 2.2.1 (or higher) instead use: wget --output-document enable_tlsv1 https://s3.amazonaws.com/hipchat-server-stable/utils/221-enable_tlsv1
       
  2. Switch to root: 

    sudo dont-blame-hipchat
  3. Copy the script to /home/admin/startup_scripts/ so the changes it applies persist over upgrades and reboots:

    cp /tmp/enable_tlsv1 /home/admin/startup_scripts/
    chmod +x /home/admin/startup_scripts/enable_tlsv1
  4. Run the script manually as admin: 

    exit 
    /home/admin/startup_scripts/enable_tlsv1
  5. Run a full services restart, note this will disconnect users for about 5 minutes: 

    hipchat upgrade --restart 


Last modified on Nov 2, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.