ssl handshake error on galaxy j5



  • Hello,

    Thanks for the good software, it works really well.

    My setup is a radicale caldav/carddav server on raspberry py . All worked well until my wife change her phone for à galaxy J5.

    She can't setup her account on her phone, the debug log show à SSLV3_ALERT_HANDSHAKE_FAILURE.

    the same account works well on other phones (galaxy s4 mini and galaxy S4)

    when i use chrome browser from the phone there is no ssl problem.

    I have no clue why davdroid does not works on this specific phone.

    I don't know where to look from now.

    here is the end of debug log :

    
    2018-07-31 16:11:37 775 [ui.setup.DavResourceFinder] Trying to determine principal from initial context path=https://cloud.rebattu.fr/
    2018-07-31 16:11:37 775 [HttpClient] --> PROPFIND https://cloud.rebattu.fr/
    2018-07-31 16:11:37 775 [HttpClient] Content-Type: application/xml; charset=utf-8
    2018-07-31 16:11:37 775 [HttpClient] Content-Length: 198
    2018-07-31 16:11:37 775 [HttpClient] Depth: 0
    2018-07-31 16:11:37 775 [HttpClient] 
    2018-07-31 16:11:37 775 [HttpClient] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:params:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><current-user-principal /></prop></propfind>
    2018-07-31 16:11:37 775 [HttpClient] --> END PROPFIND (198-byte body)
    2018-07-31 16:11:37 775 [HttpClient] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed
    2018-07-31 16:11:37 775 [ui.setup.DavResourceFinder] No resource found
    EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:444)
    	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:302)
    	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:270)
    	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:162)
    	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
    	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
    	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
    	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    	at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:213)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
    	at okhttp3.RealCall.execute(RealCall.java:77)
    	at at.bitfire.dav4android.DavResource.propfind(DavResource.kt:301)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.getCurrentUserPrincipal(DavResourceFinder.kt:356)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.discoverPrincipalUrl(DavResourceFinder.kt:338)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.kt:124)
    	at at.bitfire.davdroid.ui.setup.DavResourceFinder.findInitialConfiguration(DavResourceFinder.kt:75)
    	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.kt:139)
    	at at.bitfire.davdroid.ui.setup.DetectConfigurationFragment$ServerConfigurationLoader.loadInBackground(DetectConfigurationFragment.kt:120)
    	at android.support.v4.content.AsyncTaskLoader.onLoadInBackground(AsyncTaskLoader.java:306)
    	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:59)
    	at android.support.v4.content.AsyncTaskLoader$LoadTask.doInBackground(AsyncTaskLoader.java:47)
    	at android.support.v4.content.ModernAsyncTask$2.call(ModernAsyncTask.java:138)
    	at java.util.concurrent.FutureTask.run(FutureTask.java:237)
    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    	at java.lang.Thread.run(Thread.java:762)
    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0xc726ed40: Failure in SSL library, usually a protocol error
    error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:641 0xc7479600:0x00000001)
    error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:800 0xdc23aa9f:0x00000000)
    	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:364)
    	... 37 more
    
    
    
    SOFTWARE INFORMATION
    Package: at.bitfire.davdroid
    Version: 1.11.5-ose (233) from 1 juil. 2018
    Installed from: com.google.android.packageinstaller
    JB Workaround installed: no
    
    CONNECTIVITY (at the moment)
    Active connection: mobile, CONNECTED
    
    CONFIGURATION
    Power saving disabled: no
    android.permission.READ_CONTACTS permission: denied
    android.permission.WRITE_CONTACTS permission: denied
    android.permission.READ_CALENDAR permission: denied
    android.permission.WRITE_CALENDAR permission: denied
    org.dmfs.permission.READ_TASKS permission: denied
    org.dmfs.permission.WRITE_TASKS permission: denied
    System-wide synchronization: automatically
    
    SQLITE DUMP
    android_metadata
    	|  locale |
    	|  fr_FR |
    ----------
    services
    	|  _id | accountName | service | principal |
    ----------
    sqlite_sequence
    	|  name | seq |
    ----------
    homesets
    	|  _id | serviceID | url |
    ----------
    collections
    	|  _id | serviceID | type | url | readOnly | forceReadOnly | displayName | description | color | timezone | supportsVEVENT | supportsVTODO | source | sync |
    ----------
    
    SYSTEM INFORMATION
    Android version: 7.0 (NRD90M.J530FXXU2ARC3)
    Device: samsung SM-J530F (j5y17lte)
    
    --- END DEBUG INFO ---
    

  • developer

    Hello,

    @yohann said in ssl handshake error on galaxy j5:

    when i use chrome browser from the phone there is no ssl problem.

    Large browsers come with their own TLS stack, while almost all other apps (including DAVdroid) use the system's TLS stack.

    You can only use protocol versions/ciphers which are available both on your server and your Android device. Does https://www.davdroid.com/manual/security/#c200 help?



  • thank you, it helps a lot, now i understand the problem.
    However, i'm really not a cipher specialist and i don't know how i can fix it.

    is there a way to install a new set of cipher on android system ?
    or is it easier to install a new set of cipher on the debian server ?


  • developer

    @yohann You can look up ciphers which are supported by your Android device at https://developer.android.com/reference/javax/net/ssl/SSLEngine, and then enable those ciphers on your Web server.



  • thank you again, so i need to change ssl configuration on my nginx server.
    I followed the link you provided from the https://www.davdroid.com/manual/security/#c200 article but i'm sorry i don't understand it. There is a list of ciphers by «API level» which mean nothing to me (i am not an android dev). Anyway now the problem is almost solved, i just need to figure out what line of ssl config to change on my nginx server.


  • developer

    @yohann API levels corresponds to Android versions. You can find a list there: https://developer.android.com/guide/topics/manifest/uses-sdk-element#ApiLevels

    For instance, if you have Android 7.1 or 7.1.1, your API level is 25.