Android app on Android 4.x and older cannot connect to Hipchat Server 2.0.4 or 2.0.7+ with Unable to reach server domain
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
This is for an outdated version of Hipchat Server
This article applies to a version of Hipchat Server which will be deprecated soon. After that period the version will no longer be supported.
You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes.
Problem
On Android 4.x and older, the Android Hipchat app cannot connect to Hipchat Server 2.0.4 or 2.0.7+. A popup with the message "Unable to reach server domain" is shown.
Diagnosis
Run an openssl check against your Hipchat Server instance by forcing the protocol to TLSv1:
openssl s_client -connect hipchat.example.com:443 -tls1
If you're running Hipchat Server 2.0.4 or 2.0.7+ and didn't make any SSL-related changes to the Chef or Nginx configurations, you should still have TLSv1 disabled and see this output:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1482236176
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
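A check that follows from the Diagnosis step, added here as an example and not part of Atlassian's article or the enable_tlsv1 script: it classifies s_client output as a refused or completed handshake and offers TLSv1, TLSv1.1 and TLSv1.2 in turn. The names classify_handshake and probe_host and the accepted-handshake sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Atlassian's script): classify `openssl s_client` output.

# Abbreviated from the refused TLSv1 handshake shown in the Diagnosis output.
REFUSED_SAMPLE='CONNECTED(00000003)
write:errno=104
---
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1
    Cipher    : 0000'

# Constructed sample: what a completed TLSv1 handshake summary looks like.
ACCEPTED_SAMPLE='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA'

# classify_handshake (hypothetical helper): reads s_client output on stdin.
#   refused            no cipher negotiated, as in the Diagnosis output
#   accepted <cipher>  the server completed a handshake at the offered version
#   unknown            no handshake summary line at all (no output to judge)
classify_handshake() {
    awk '
        /^New, / && /Cipher is/ { cipher = $NF; seen = 1 }
        END {
            if (!seen)                   print "unknown"
            else if (cipher == "(NONE)") print "refused"
            else                         print "accepted " cipher
        }'
}

# probe_host HOST[:PORT] (hypothetical helper): offer one version per connection.
probe_host() {
    target=$1
    case $target in *:*) ;; *) target="$target:443" ;; esac
    for flag in tls1 tls1_1 tls1_2; do
        result=$(openssl s_client -connect "$target" "-$flag" </dev/null 2>/dev/null |
            classify_handshake)
        printf '%-7s %s\n' "$flag" "$result"
    done
}

# Probe only when a host is given, e.g.: sh tls_probe.sh hipchat.example.com
if [ $# -gt 0 ]; then probe_host "$1"; fi
```

Run it before and after the workaround to confirm exactly which protocol versions the server accepts. If the local OpenSSL build or policy no longer offers TLS 1.0, the tls1 row reflects the client rather than the server.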
Cause
- TLSv1.1 and TLSv1.2 were enabled by default in Android 5.0. Thus, any older version will use TLSv1. We have a feature request raised to enable/enforce TLS 1.2 on future Android mobile clients: HCPUB-2762
- Connections over TLS v1.0 are no longer supported in Hipchat Server v2.0.4 and newer. Note that due to a regression, TLS v1.0 support was re-enabled in versions 2.0.5 and 2.0.6 of Hipchat Server and became unsupported again in 2.0.7.
Workaround
TLSv1 is no longer supported as an industry standard cryptographic protocol and is considered to be unsafe, especially if your server is exposed to the Internet. Please reach out to your security team before taking any steps as Atlassian will not be responsible for any security issues resulting from this change. Our recommendation is to upgrade the Android devices to Android 5+ to support TLSv1.1 and TLSv1.2.
If an upgrade of the Android devices to version 5+ is not possible, TLSv1 can be re-enabled on Hipchat Server by running the following steps:
- Upload the attached enable_tlsv1 script to /tmp on your server.
  - If using Hipchat Server version 2.2.1 (or higher), instead use: wget --output-document enable_tlsv1 https://s3.amazonaws.com/hipchat-server-stable/utils/221-enable_tlsv1
Switch to root:
sudo dont-blame-hipchat
Copy the script to /home/admin/startup_scripts/ so the changes it applies persist over upgrades and reboots:
cp /tmp/enable_tlsv1 /home/admin/startup_scripts/
chmod +x /home/admin/startup_scripts/enable_tlsv1
Run the script manually as admin:
exit
/home/admin/startup_scripts/enable_tlsv1
Run a full services restart. Note that this will disconnect users for about 5 minutes:
hipchat upgrade --restart