SSLv3 alert handshake failure



  • I get the following error with my nginx server:
    javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x52.....: Failure in SSL library, usually a protocol error
    error:14077410:SSL routines:SSL23_GET_SERVER_HELLO_:sslv3 alert handshake failure

    Firefox works fine with the same URLs. I got similar errors with other programs in the past because they lacked support for Server Name Indication. (I use SNI to proxy the client to the right server). Is it possible to add support for SNI?


  • developer

    Sounds like your server only supports SSLv3. DAVdroid uses the default Android HttpsUrlConnection and doesn't change any SSL/TLS settings. SNI is supported as it's supported by HttpsUrlConnection.

    Please provide more information, maybe the host name? Which protocol versions are supported?


  • developer

    Any news on this?



  • Hello,
    I have an Apache 2.4 web server configured to only allow TLS v1.2 connections. My SSL cipher suite is
    SSLCipherSuite AES128+EECDH:AES128+EDH.
    I got the following error message:

    javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xf0f058: Failure in SSL library, usually a protocol error
    error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x5d570d74:0x00000000)

    Will TLS v1.2 be supported by CAdroid in the future?
    On my Android (4.4.4) the internal browser and Firefox can display the website just fine.
    Thanks.


  • developer

    Sounds like your server only supports SSLv3. DAVdroid uses the default Android HttpsUrlConnection and doesn't change any SSL/TLS settings. According to your description, it seems that Android 4.4.4 doesn't activate TLSv1.2 by default, which is quite… strange? But yes, I think it's only enabled in Android 5+ by default, so we'll have to hack the default Android settings to enable essential encryption features.



  • I don't understand why you say: "Sounds like your server only supports SSLv3".
    I dropped support for all protocols below TLSv1.2 with the following rule in my Apache:
    SSLProtocol TLSv1.2

    I am running Paranoid Android 4.6 beta 5 (from 2014-10-22) and the stock browser provided can perfectly connect to websites using TLSv1.2. Is it not the CAdroid program that doesn't know how to connect using TLSv1.2?


  • developer

    Sorry, I can't concentrate today. Just ignore the first sentence in my previous post.
    TLSv1.2 support comes by default with Android 5+, see http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv1-2-with-apache and https://code.google.com/p/android/issues/detail?id=61085#c6

    On versions below, we'll have to hack the default Android settings to enable essential encryption features.



  • Ok, thanks. The good news is that it is possible in Android >= 4.1/4.2 and < 5.0 but has to be activated manually. Let me know if you need more details. I am ready for testing future versions of CAdroid.



  • @rfc2822: Any news about it? When will it be fixed?


  • developer

    @markus80: Don't know when I can find an hour. Pull requests are always welcome, basically it's only a few lines (see my blog article).



  • Hi, I would also be interested in having this fixed in order to be able to sync contacts and calendar with my ownCloud. For now I have just imported all my contacts manually and I'm not using the calendar. I don't want to activate TLSv1.0 on my server. Would it help motivate you if we made a small donation?



  • donations should not be dependent on specific bugfixes / features.. :s



  • I already have a bugfix - except for Android version 4.0 (API level 15) which only supports TLSv1 and SSLv3 regarding SSLSocketFactory.
    Currently I'm testing it with all supported Android versions...




  • developer

    Thanks, I hope I can release a new version soon.

