Elliptic curve ciphers not available on Android 7
Alela last edited by rfc2822
- I am using DAVdroid 220.127.116.11 on Android 7.0 (on a Nexus 6P). I am not able to connect to my Cal/CardDAV server. I got a "service not found" error. Here are the logs: http://paste.fedoraproject.org/460205/2636147/
- I have tried many links for the URL: base URL (https://baikal.alela.fr) (well-known URLs are well configured), principals address and calendar address. With these configurations, DAVdroid did not find Cal/CardDAV service.
- I tried to re-install DAVdroid. This not solved the problem.
- server: baikal 0.4.6.
- My Baikal server is used with other clients without problems: Lightning on Thunderbird (works well on 3 different computers), InfCloud, another Android phone with DAVdroid (not my phone, I do not know the Android version or DAVdroid version).
- Example of calendar link: https://baikal.alela.fr/dav.php/calendars/alela/perso/
The logs show a SSL problem, but I am pretty sure it is well configured on my server. I am using a Let's Encrypt certificate. SSL Labs website shows that my server is well configured for Android 7.0.
Thanks for your help
It's surely a TLS problem:
Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed ... 38 more Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x753f0f21c0: Failure in SSL library, usually a protocol error error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x753f0344a0:0x00000001) error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x753cac2f76:0x00000000) at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357) ... 37 more Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x753f0f21c0: Failure in SSL library, usually a protocol error error:1000043e:SSL routines:OPENSSL_internal:TLSV1_ALERT_INAPPROPRIATE_FALLBACK (external/boringssl/src/ssl/s3_pkt.c:610 0x753f0344a0:0x00000001) at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357) ... 37 more
Unfortunately, I can't reproduce that with our testing devices.
How do you connect to the server? WiFi/mobile? Did you try another connection?
Can you access the URL with your Android device's browser?
What do the Web server logs say?
Alela last edited by
I tried mobile and many WiFi connections.
I can access to the URL with my Android device's browser (for instance https://baikal.alela.fr/dav.php). Only DAVdroid is not able to connect to my server.
It seems that the web server does not log ssl errors.
Thanks to you, I finally found the problem. In my nginx configuration, I forced the elliptic curve to be secp384r1 which is supported by Android 7.0 according to https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=7.0&key=139.
It seems that it is not supported by whatever DAVdroid uses to make a secured connection. I change the nginx configuration to
ssl_ecdh_curve auto;and now I can connect to my server with DAVdroid.
@Alela It seems that the SSLLabs Android ciphers refer to the default browser (Chrome?) on those platforms, which has a separate TLS stack which is not the system stack.
DAVdroid can only use the system stack. You can find a list of cipher which is supported by the Android default TLS stack in the SDK docs: SSLEngine (Default configuration for different Android versions).