After Domain and SSL change, no connection (letsencrypt)
-
Hi, I have the following problem.
After a domain change and change to Letsencrypt, CalDav / CardDav no longer works, either in Thunderbird, or in DavDroid.
The Davdroid log is this:
2017-05-12 07:51:47 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><resourcetype /><displayname /><CARD:addressbook-description /><CARD:addressbook-home-set /><current-user-principal /></prop></propfind> 2017-05-12 07:51:47 750 [HttpClient$1] --> END PROPFIND (290-byte body) 2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] PROPFIND/OPTIONS on user-given URL failed EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429) at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268) at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238) at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149) at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192) at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100) at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185) at okhttp3.RealCall.execute(RealCall.java:69) at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276) at at.bitfire.davdroid.ui.setup.DavResourceFinder.checkUserGivenURL(DavResourceFinder.java:179) at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:119) at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:90) at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142) at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125) at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302) at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57) at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45) at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138) at java.util.concurrent.FutureTask.run(FutureTask.java:237) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607) at java.lang.Thread.run(Thread.java:776) Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73cb596e20:0x00000001) error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000) at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357) ... 36 more ... 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] No principal found at user-given URL, trying to discover 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Looking up SRV records for _carddavs._tcp.nextcloud.BMK-Media.de 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Didn't find carddav service, trying at https://nextcloud.BMK-Media.de:443 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Trying to determine principal from initial context path=https://nextcloud.bmk-media.de/.well-known/carddav ... 2017-05-12 07:51:48 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind> 2017-05-12 07:51:48 750 [HttpClient$1] --> END PROPFIND (198-byte body) 2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] carddav service discovery failed EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429) at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268) at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238) at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149) at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192) at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100) at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185) at okhttp3.RealCall.execute(RealCall.java:69) at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276) at at.bitfire.davdroid.ui.setup.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.java:352) at at.bitfire.davdroid.ui.setup.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.java:334) at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:140) at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:90) at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142) at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125) at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302) at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57) at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45) at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138) at java.util.concurrent.FutureTask.run(FutureTask.java:237) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607) at java.lang.Thread.run(Thread.java:776) Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73b9c649c0:0x00000001) error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000) at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357) ... 37 more ... 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Finding initial caldav service configuration 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Checking user-given URL: https://nextcloud.bmk-media.de/nextcloud/remote.php/dav 2017-05-12 07:51:48 750 [HttpClient$1] --> PROPFIND https://nextcloud.bmk-media.de/nextcloud/remote.php/dav http/1.1 ... 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] No principal found at user-given URL, trying to discover 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Looking up SRV records for _caldavs._tcp.nextcloud.BMK-Media.de 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Didn't find caldav service, trying at https://nextcloud.BMK-Media.de:443 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] Trying to determine principal from initial context path=https://nextcloud.bmk-media.de/.well-known/caldav 2017-05-12 07:51:48 750 [HttpClient$1] --> PROPFIND https://nextcloud.bmk-media.de/.well-known/caldav http/1.1 ... 2017-05-12 07:51:48 750 [HttpClient$1] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind> 2017-05-12 07:51:48 750 [HttpClient$1] --> END PROPFIND (198-byte body) 2017-05-12 07:51:48 750 [HttpClient$1] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed 2017-05-12 07:51:48 750 [ui.setup.DavResourceFinder] caldav service discovery failed EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429) at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268) at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:238) at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:149) at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:192) at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100) at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:211) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185) at okhttp3.RealCall.execute(RealCall.java:69) at at.bitfire.dav4android.DavResource.propfind(DavResource.java:276) at at.bitfire.davdroid.ui.setup.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.java:352) at at.bitfire.davdroid.ui.setup.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.java:334) at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:140) at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.java:91) at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:142) at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.java:125) at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:302) at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:57) at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:45) at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138) at java.util.concurrent.FutureTask.run(FutureTask.java:237) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607) at java.lang.Thread.run(Thread.java:776) Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x73b7fe2a80: Failure in SSL library, usually a protocol error error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x73b9c64780:0x00000001) error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x73cb802f76:0x00000000) at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357) ... 37 moreCan someone help me, what is it and how I fix it?
Nextcloud 11.0.3 (stable)
letsecrypt 0.14.0 - 2017-05-04Nginx config:
ssl on; ssl_certificate /etc/letsencrypt/live/nextcloud.bmk-media.de/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/nextcloud.bmk-media.de/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/nextcloud.bmk-media.de/fullchain.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128'; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8; ssl_session_timeout 24h; ssl_session_cache shared:SSL:50m; ssl_session_tickets off;
-
Edit ciphers is change to:
EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;Here is the link to the SSL-Labs report:
https://www.ssllabs.com/ssltest/analyze.html?d=nextcloud.bmk-media.de&hideResults=on1
-
Can no one really help me?
The full Debug File here.
-
Did you have a look at https://forums.bitfire.at/topic/1242/elliptic-curve-ciphers-not-available-on-android-7? You can find a link with a list of ciphers supported by various Android versions there.
-
Thank you, that was the solution.
This works best for me, better than auto.
ssl_ecdh_curve secp384r1:prime256v1;
