Elliptic curve ciphers not available on Android 7



  • Hi,

    Problem description:

    • I am using DAVdroid 1.3.3.1 on Android 7.0 (on a Nexus 6P). I am not able to connect to my Cal/CardDAV server. I got a "service not found" error. Here are the logs: http://paste.fedoraproject.org/460205/2636147/
    • I have tried many links for the URL: base URL (https://baikal.alela.fr) (well-known URLs are well configured), principals address and calendar address. With these configurations, DAVdroid did not find Cal/CardDAV service.
    • I tried to re-install DAVdroid. This did not solve the problem.

    Environment description:

    • server: baikal 0.4.6.
    • My Baikal server is used with other clients without problems: Lightning on Thunderbird (works well on 3 different computers), InfCloud, another Android phone with DAVdroid (not my phone, I do not know the Android version or DAVdroid version).
    • Example of calendar link: https://baikal.alela.fr/dav.php/calendars/alela/perso/

    The logs show an SSL problem, but I am pretty sure it is well configured on my server. I am using a Let's Encrypt certificate. SSL Labs website shows that my server is well configured for Android 7.0.

    Thanks for your help


  • developer

    Hello,

    It's surely a TLS problem:

            Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
                    ... 38 more
            Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x753f0f21c0: Failure in SSL library, usually a protocol error
    error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x753f0344a0:0x00000001)
    error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x753cac2f76:0x00000000)
                    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
                    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
                    ... 37 more
    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x753f0f21c0: Failure in SSL library, usually a protocol error
    error:1000043e:SSL routines:OPENSSL_internal:TLSV1_ALERT_INAPPROPRIATE_FALLBACK (external/boringssl/src/ssl/s3_pkt.c:610 0x753f0344a0:0x00000001)
            at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
            at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
            ... 37 more
    

    Unfortunately, I can't reproduce that with our testing devices.

    How do you connect to the server? WiFi/mobile? Did you try another connection?

    Can you access the URL with your Android device's browser?

    What do the Web server logs say?



  • Hello,

    I tried mobile and many WiFi connections.
    I can access the URL with my Android device's browser (for instance https://baikal.alela.fr/dav.php). Only DAVdroid is not able to connect to my server.
    It seems that the web server does not log SSL errors.

    Thanks to you, I finally found the problem. In my nginx configuration, I forced the elliptic curve to be secp384r1 which is supported by Android 7.0 according to https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=7.0&key=139.
    It seems that it is not supported by whatever DAVdroid uses to make a secured connection. I changed the nginx configuration to ssl_ecdh_curve auto; and now I can connect to my server with DAVdroid.


  • developer

    @Alela It seems that the SSLLabs Android ciphers refer to the default browser (Chrome?) on those platforms, which has a separate TLS stack which is not the system stack.

    DAVdroid can only use the system stack. You can find a list of ciphers that are supported by the Android default TLS stack in the SDK docs: SSLEngine (Default configuration for different Android versions).
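
Added example, not part of the original thread and not DAVdroid or nginx code: a small check that reads the ssl_ecdh_curve directives from an nginx configuration and reports whether a pinned curve list overlaps with what a given client offers. The sample configurations are constructed from the thread's before/after settings, and the client curve list is an assumption; the check covers curve overlap only, not cipher suites or protocol versions.

```python
import re

# Alternative spellings folded to the OpenSSL names nginx accepts.
ALIASES = {"secp256r1": "prime256v1", "p-256": "prime256v1",
           "p-384": "secp384r1", "p-521": "secp521r1"}
# Matches active directives only; commented-out lines start with '#'.
DIRECTIVE = re.compile(r"^[ \t]*ssl_ecdh_curve[ \t]+([^;#\n]+);", re.MULTILINE)


def norm(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)


def pinned_curves(conf):
    """One entry per ssl_ecdh_curve directive: a curve list, or None for 'auto'."""
    out = []
    for value in DIRECTIVE.findall(conf):
        curves = [norm(c) for c in value.split(":") if c.strip()]
        out.append(None if curves == ["auto"] else curves)
    return out


def audit(conf, client_curves):
    """Return (setting, verdict) per directive for a client offering client_curves."""
    offered = {norm(c) for c in client_curves}
    report = []
    for curves in pinned_curves(conf):
        if curves is None:
            report.append(("auto", "library default list, nothing pinned"))
            continue
        shared = [c for c in curves if c in offered]
        verdict = "shared: " + ",".join(shared) if shared else "NO SHARED CURVE"
        report.append((":".join(curves), verdict))
    return report


# Constructed sample configs modelled on the thread (before and after the fix).
BEFORE = "server {\n    listen 443 ssl;\n    ssl_ecdh_curve secp384r1;\n}\n"
AFTER = ("server {\n    listen 443 ssl;\n"
         "    # ssl_ecdh_curve secp384r1;\n    ssl_ecdh_curve auto;\n}\n")
# Assumption: a client whose TLS stack offers only P-256; take the real list
# from the supported_groups extension of a captured ClientHello.
ASSUMED_CLIENT = ["secp256r1"]

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf, ASSUMED_CLIENT))
```

A "NO SHARED CURVE" result for a client you need to support means an ECDHE handshake with that client cannot be negotiated under the pinned setting.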

