After Domain and SSL change, no connection (letsencrypt)



  • Hi, I have the following problem.

    After a domain change and change to Letsencrypt, CalDav / CardDav no longer works, either in Thunderbird, or in DavDroid.

    The Davdroid log is this:

    2017-05-12 07:51:47 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind>
    2017-05-12 07:51:47 750 [HttpClient$1] --> END PROPFIND (290-byte body)
    2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on user-given URL failed
    EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
    	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268)
    	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238)
    	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149)
    	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
    	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
    	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
    	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
    	at okhttp3.RealCall.execute(RealCall.java:69)
    	at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.checkUserGivenURL(DavResourceFinder.java:179)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:119)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:90)
    	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142)
    	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125)
    	at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302)
    	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57)
    	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45)
    	at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138)
    	at java.util.concurrent.FutureTask.run(FutureTask.java:237)
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    	at java.lang.Thread.run(Thread.java:776)
    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error
    error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73cb596e20:0x00000001)
    error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000)
    	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
    	... 36 more
    
    ...	
    	
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] No principal found at user-given URL, trying to discover
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Looking up SRV records for _carddavs._tcp.nextcloud.BMK-Media.de
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Didn't find carddav service, trying at https://nextcloud.BMK-Media.de:443
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Trying to determine principal from initial context path=https://nextcloud.bmk-media.de/.well-known/carddav
    
    ...
    
    2017-05-12 07:51:48 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
    2017-05-12 07:51:48 750 [HttpClient$1] --> END PROPFIND (198-byte body)
    2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] carddav service discovery failed
    EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
    	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268)
    	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238)
    	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149)
    	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
    	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
    	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
    	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
    	at okhttp3.RealCall.execute(RealCall.java:69)
    	at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.java:352)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.java:334)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:140)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:90)
    	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142)
    	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125)
    	at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302)
    	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57)
    	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45)
    	at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138)
    	at java.util.concurrent.FutureTask.run(FutureTask.java:237)
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    	at java.lang.Thread.run(Thread.java:776)
    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error
    error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73b9c649c0:0x00000001)
    error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000)
    	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
    	... 37 more
    
    ...
    	
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Finding initial caldav service configuration
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Checking user-given URL: https://nextcloud.bmk-media.de/nextcloud/remote.php/dav
    2017-05-12 07:51:48 750 [HttpClient$1] --> PROPFIND https://nextcloud.bmk-media.de/nextcloud/remote.php/dav http/1.1
    
    ...
    
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] No principal found at user-given URL, trying to discover
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Looking up SRV records for _caldavs._tcp.nextcloud.BMK-Media.de
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Didn't find caldav service, trying at https://nextcloud.BMK-Media.de:443
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Trying to determine principal from initial context path=https://nextcloud.bmk-media.de/.well-known/caldav
    2017-05-12 07:51:48 750 [HttpClient$1] --> PROPFIND https://nextcloud.bmk-media.de/.well-known/caldav http/1.1
    
    ...
    
    2017-05-12 07:51:48 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
    2017-05-12 07:51:48 750 [HttpClient$1] --> END PROPFIND (198-byte body)
    2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed
    2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] caldav service discovery failed
    EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
    	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268)
    	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238)
    	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149)
    	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192)
    	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
    	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
    	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
    	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185)
    	at okhttp3.RealCall.execute(RealCall.java:69)
    	at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.java:352)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.java:334)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:140)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:91)
    	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142)
    	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125)
    	at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302)
    	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57)
    	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45)
    	at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138)
    	at java.util.concurrent.FutureTask.run(FutureTask.java:237)
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    	at java.lang.Thread.run(Thread.java:776)
    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error
    error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73b9c64780:0x00000001)
    error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000)
    	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
    	... 37 more
    

    Can someone help me? What is it and how do I fix it?

    Nextcloud 11.0.3 (stable)
    letsencrypt 0.14.0 - 2017-05-04

    Nginx config:

    ssl on;
    ssl_certificate /etc/letsencrypt/live/nextcloud.bmk-media.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.bmk-media.de/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.bmk-media.de/fullchain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;
    ssl_session_timeout 24h;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;


  • Edit: ciphers changed to:
    EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;

    Here is the link to the SSL-Labs report:
    https://www.ssllabs.com/ssltest/analyze.html?d=nextcloud.bmk-media.de&hideResults=on1



  • Can no one really help me?

    The full Debug File here.


  • developer

    Did you have a look at https://forums.bitfire.at/topic/1242/elliptic-curve-ciphers-not-available-on-android-7? You can find a link with a list of ciphers supported by various Android versions there.



  • Thank you, that was the solution.

    This works best for me, better than auto.

    ssl_ecdh_curve secp384r1:prime256v1;
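
An offline check for the curve mismatch this thread resolved, as an added example that is not part of the original posts: it reads `ssl_ecdh_curve` from an nginx config and lists the curves each client could use for ECDHE. The client profiles are constructed assumptions (Android 7.0 modelled as offering only prime256v1), and all function names are hypothetical.

```python
import re

# Constructed client profiles (assumptions, not data from the thread): the named
# curves each client is assumed to advertise in its ClientHello.
CLIENT_CURVES = {
    "android-7.0": ["prime256v1"],  # assumed: only P-256 offered
    "desktop": ["x25519", "prime256v1", "secp384r1"],
}

# Different names for the same curve, normalised to OpenSSL's spelling.
ALIASES = {"secp256r1": "prime256v1", "p-256": "prime256v1", "p-384": "secp384r1"}


def norm(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)


def server_curves(nginx_conf):
    """Curves from the last ssl_ecdh_curve directive; None if unset or 'auto'."""
    value = None
    for line in nginx_conf.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = re.search(r"\bssl_ecdh_curve\s+([^;]+);", line)
        if m:
            value = m.group(1).strip()
    if value is None or value.lower() == "auto":
        return None  # curve list is chosen by the TLS library, not the config
    return [norm(c) for c in value.split(":") if c.strip()]


def shared_curves(nginx_conf, client):
    """Server curves (in config order) that the client also offers."""
    server = server_curves(nginx_conf)
    if server is None:
        return None
    offered = {norm(c) for c in CLIENT_CURVES[client]}
    return [c for c in server if c in offered]


def audit(nginx_conf):
    """Map each client profile to its usable curves; [] means no ECDHE possible."""
    return {client: shared_curves(nginx_conf, client) for client in CLIENT_CURVES}


# Directives as posted in the thread: original config, then the accepted fix.
BEFORE = "ssl_ecdh_curve secp384r1;\nssl_prefer_server_ciphers on;\n"
AFTER = "ssl_ecdh_curve secp384r1:prime256v1;\nssl_prefer_server_ciphers on;\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf))
```

An empty list only rules out ECDHE for that client; whether the handshake fails outright also depends on whether client and server share a non-ECDHE cipher suite.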

