2.5.x: javax.net.ssl.SSLHandshakeException



  • Hi,

    I’m running nginx 1.10.3 using a self signed certificate (debian stretch, nextcloud 16).
    I’m using DAVx⁵ to sync my contacts/calendar/tasks. Up to Release 2.4 everything worked fine. Since the 2.5.x releases, I get the following exception/log when trying to sync:

    2019-07-20 22:56:05 3716 [HttpClient] <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Handshake failed
    2019-07-20 22:56:05 1 [CustomCertService] CustomCertService destroyed
    2019-07-20 22:56:05 3716 [DavService] Couldn't refresh collection list
    EXCEPTION javax.net.ssl.SSLHandshakeException: Handshake failed
            at org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:287)
            at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:320)
            at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:284)
            at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:169)
            at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258)
            at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
            at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
            at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
            at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
            at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
            at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
            at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:225)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
            at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:250)
            at okhttp3.RealCall.execute(RealCall.java:93)
            at at.bitfire.dav4jvm.DavResource$propfind$1.invoke(DavResource.kt:323)
            at at.bitfire.dav4jvm.DavResource$propfind$1.invoke(DavResource.kt:34)
            at at.bitfire.dav4jvm.DavResource.followRedirects(DavResource.kt:378)
            at at.bitfire.dav4jvm.DavResource.propfind(DavResource.kt:318)
            at at.bitfire.davdroid.DavService$refreshCollections$2.invoke(DavService.kt:202)
            at at.bitfire.davdroid.DavService$refreshCollections$2.invoke$default(DavService.kt:165)
            at at.bitfire.davdroid.DavService.refreshCollections(DavService.kt:310)
            at at.bitfire.davdroid.DavService.access$refreshCollections(DavService.kt:40)
            at at.bitfire.davdroid.DavService$onStartCommand$$inlined$let$lambda$1.invoke(DavService.kt:77)
            at at.bitfire.davdroid.DavService$onStartCommand$$inlined$let$lambda$1.invoke(DavService.kt:40)
            at kotlin.concurrent.ThreadsKt$thread$thread$1.run(Thread.kt:30)
    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xa7a06648: Failure in SSL library, usually a protocol error
    error:1000012e:SSL routines:OPENSSL_internal:KEY_USAGE_BIT_INCORRECT (/usr/local/google/home/flooey/code/boringssl/ssl/ssl_cert.cc:610 0xa925125f:0x00000000)
            at org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
            at org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:386)
            at org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:225)
            ... 33 more
    

    The SSL configuration of nginx is basically the default one that ships with debian, i.e. the http-block contains:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    

    No custom cipher configuration etc. Any ideas what is wrong here? Could the self signed certificate be the problem? How can I debug this issue more in detail?

    I also read https://forums.bitfire.at/topic/2087/secp521r1-javax-net-ssl-sslhandshakeexception-handshake-failed and tried to use the configuration posted there: without success :(.

    Thanks for any kind of help!


  • developer

    Hello,

    Which curve do you use? Can you post your TLS config?

    Edit: Sorry didnt see the last paragraph



  • Hi,

    here ist the configuration file: https://gitlab.com/snippets/1878256
    There is no explicit listing of the elliptic curve in the config, but according to the nginx docs prime256v1 is the default in this ngix version.


  • developer

    @pasdVn Maybe in the conf.d files? Can you set it to 256v1 explicitly?



  • in conf.d there is just the php-fpm config. No more SSL configuration there.
    I tried to set prime256v1 explicitly one more time, but without success :(.

    I almost believe, that this maybe again (see https://forums.bitfire.at/post/10008) is connected to the X509 extensions. I compared a let’s encrypt certificate (or some “commercial” ones) with mine: There are some other extensions that are marked as “critical” (e.g. BasicConstraints). Maybe conscrypt checks them…


  • developer

    @pasdVn I don’t think Conscrypt checks certificates, but who knows. If you find out something relevant, please let us know.

    Is your server publicly accessible?



  • Ok, I got it 🙂 The cause of the problem was even in the logs, but I did not understand it before:

    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xa7a06648: Failure in SSL library, usually a protocol error
    error:1000012e:SSL routines:OPENSSL_internal:KEY_USAGE_BIT_INCORRECT (/usr/local/google/home/flooey/code/boringssl/ssl/ssl_cert.cc:610 0xa925125f:0x00000000)
    

    I miss configured the X509 extension “keyUsage”. I’ now using the following configuration for key generation (if this helps someone):

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = <contry>
    ST = <state>
    L = <locality>
    O = <organization>
    OU = <organization unit>
    CN = <domain>
    [v3_req]
    keyUsage = critical,digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth
    basicConstraints=critical,CA:FALSE
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = <domain>
    

    “<…>” are place holders of course…

    @rfc2822 Sorry for opening a thread and than answering myself. Thank you anyways for this great app!


  • developer

    I’m happy that it know works for you and thanks for sharing the solution!


Log in to reply
 

Similar topics

  • 6
  • 14
  • 10