"SSL handshake aborted" exception while adding account



  • Adding an account with DAVdroid 0.8.2 from F-Droid using https fails with the following error:

    [...]
    E/davdroid.ResourceFinder(21404): javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb9f748: Failure in SSL library, usually a protocol error
    E/davdroid.ResourceFinder(21404): error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x53941d74:0x00000000)
    [...]
    

    complete log

    I am running Radicale 0.10 behind a Hiawatha 9.13 reverse-proxy. The certificate is from StartSSL and is working fine in the android browser. I am using an android 4.4.4 (cm11) build from 2015-08-01 on a HTC Desire S.
    This whole combination works fine without https.


  • admin

    Which SSL/TLS version do you use on your server? Seems like the server only speaks SSLv3 (or your device doesn't speak a recent enough version of TLS for the server).



  • My server (cal.schoelhorn.eu) doesn't support SSL, only TLS 1.0 to 1.2. (See the ssllabs report)
    It works fine in the android stock browser (I can download the ics there manually) and in other apps that contact the same webserver (e.g. Seafile).


  • admin

    DAVdroid is using these cipher suites:

    D/HttpClient(21404): Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
    D/HttpClient(21404): Enabled cipher suites:[TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]

    Is at least one of these ciphers accepted by your server?



  • Ah, this is the problem, my server only supports ciphers with SHA256 (or higher) and DAVdroid supports only ones with SHA1 (and lower), with one exception: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. But ssllabs says this cipher is only used "for BEAST mitigation".

    It seems android 4.4 should support SHA256, so would it be possible to activate the associated ciphers in DAVdroid?


  • admin

    https://github.com/bitfireAT/davdroid/blob/master/app/src/main/java/at/bitfire/davdroid/webdav/TlsSniSocketFactory.java

    DAVdroid activates a set of known good ciphers [https://github.com/bitfireAT/davdroid/blob/master/doc/NIST.SP.800-52r1.pdf] in addition to the ciphers activated by default. It does not activate all available ciphers because it can't know whether the available ciphers are secure (there might be null ciphers and ciphers that are not enabled by default because they're not secure enough).

    Can you please verify that Android 4.4 supports the ciphers you're using and then post the names here? We could add it to the set of (additionally) allowed ciphers.



  • According to the NIST-paper terminology, the following ciphers should be enabled:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (typo in the paper: ECHDE instead of ECDHE)
    TLS_RSA_WITH_AES_256_GCM_SHA384

    Additionally the following cipher can be enabled:
    TLS_RSA_WITH_AES_256_CBC_SHA256

    Additional elliptic curve ciphers: (not supported by my server, but also recommended by the paper):
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (should)
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (should)
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (should)

    All mentioned ciphers are in general supported by android 4.4. However my device (or the stock browser?) only supports two of the ones mentioned above:
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (should)
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (should)



  • Ok, looking at the code, most of these are already in the allowedCiphers list, but somehow they are not enabled?


  • developer

    @klemens I have updated TlsSniSocketFactory so that the code is more readable, but didn't make any functional changes.

    First, DAVdroid makes a distinction by Android version:

    1. For Android < 5.0, DAVdroid sets the allowed TLS versions (= removes SSLv3, adds TLSv1.1, TLSv1.2) and allowed ciphers (to enable ciphers for TLSv1.1 and TLSv1.2).
    2. For Android 5.0+, there were significant changes so that ugly application-level cipher settings are not needed anymore. However, SSLv3 is still active by default so DAVdroid removes SSLv3, but it doesn't mangle the enabled ciphers.

    The following is only applicable for Android < 5.0:

    1. DAVdroid disables SSLv3 and enables all available TLS versions (up to 1.2 for Android 4.4). (Android 4.4 comes with TLSv1.2 support, but it's disabled by default.)
    2. DAVdroid takes the ciphers that are enabled by default and adds some pre-defined ciphers, if available (see code, "allowedCiphers"). This is required because we manually activate TLSv1.1/1.2, so we have to activate related ciphers too. It doesn't enable all available ciphers for security reasons (null ciphers, insecure ciphers etc.).

    My Android 4.4.2 test device has these ciphers, according to socket.getEnabledCipherSuites() where socket is created by SSLSocketFactory:

    Available cipher suites:

    • SSL_RSA_WITH_RC4_128_MD5
    • SSL_RSA_WITH_RC4_128_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDH_RSA_WITH_RC4_128_SHA
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_RC4_128_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    • SSL_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    • SSL_RSA_WITH_DES_CBC_SHA
    • SSL_DHE_RSA_WITH_DES_CBC_SHA
    • SSL_DHE_DSS_WITH_DES_CBC_SHA
    • SSL_RSA_EXPORT_WITH_RC4_40_MD5
    • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    • SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    • SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    • SSL_RSA_WITH_NULL_MD5
    • SSL_RSA_WITH_NULL_SHA
    • TLS_ECDH_ECDSA_WITH_NULL_SHA
    • TLS_ECDH_RSA_WITH_NULL_SHA
    • TLS_ECDHE_ECDSA_WITH_NULL_SHA
    • TLS_ECDHE_RSA_WITH_NULL_SHA
    • SSL_DH_anon_WITH_RC4_128_MD5
    • TLS_DH_anon_WITH_AES_128_CBC_SHA
    • TLS_DH_anon_WITH_AES_256_CBC_SHA
    • SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    • SSL_DH_anon_WITH_DES_CBC_SHA
    • TLS_ECDH_anon_WITH_RC4_128_SHA
    • TLS_ECDH_anon_WITH_AES_128_CBC_SHA
    • TLS_ECDH_anon_WITH_AES_256_CBC_SHA
    • TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
    • SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
    • SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    • TLS_ECDH_anon_WITH_NULL_SHA
    • TLS_EMPTY_RENEGOTIATION_INFO_SCSV

    Assuming RFC 3268 terminology, I don't see any available SHA256 ciphers, especially not those mentioned on https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2

    Can you view your DAVdroid logs and check the available ciphers? Or maybe you can verify otherwise that SHA256 is really supported?



  • Ok, I just did some testing with the new version 0.8.4: according to the logcat output, my device supports the exact same list of ciphers as your test device (plus TLS_FALLBACK_SCSV, which was backported to cm11).

    The default security provider (conscrypt) seems to have all SHA-2 ciphers commented out in cm11. I don't know the reason, but I will try to compile a version with some of them uncommented to see if it works.

    Regarding SSL-Labs: The android 5.0 changelog you linked contains this statement:

    Note that the security ProviderInstaller from Google Play services already offers these changes across Android platform versions back to Android 2.3.

    So maybe this list is the one from the Google Play security provider. I don't use Google Apps on any of my devices, so I cannot check if that is really the case.

    Edit: Ok, forget the last sentence, the cipherlist probably just comes from the stock browser which seems to use its own crypto. (Checked with the ClientTest)


  • developer

    Edit: Ok, forget the last sentence, the cipherlist probably just comes from the stock browser which seems to use its own crypto. (Checked with the ClientTest)

    Makes sense. That would mean that the SSL sockets DAVdroid can use don't support SHA-2 and this issue can be closed?



  • Yes, I will try to find another way to enable SHA2-ciphers on my device.
    Thanks for your help debugging this problem!



  • Some more information about this:

    It turns out, my webserver does support SHA-1 ciphers, but only for TLS 1 and 1.1 clients. TLS 1.2 clients only get SHA-2 ciphers. So enabling TLS 1.2 while at the same time not providing the new SHA-2 ciphers is the "problem". (Actually android is the one to blame here for providing TLS 1.2 but not the new ciphers it brings with it; this is also probably one of the reasons for not enabling it by default)

    So I just compiled a version of DAVdroid which uses the default protocols and sync now works properly using TLS 1.0. (TLS 1.1 would probably work, too)
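Added example (not DAVdroid's code, and not from anyone in this thread): a small Python model of the negotiation described in the post above. The client and server suite lists are constructed to mirror the thread: the client mirrors Android 4.4's SHA-1-only enabled suites, and the server offers SHA-1 suites to TLS 1.0/1.1 clients but only SHA-2 suites to TLS 1.2 clients. It also models the "retry without TLS 1.2" workaround suggested later in the thread and the weak-suite filter that explains why DAVdroid does not simply enable every suite the platform exposes.

```python
# Constructed sample data modelled on the thread (not a real server's config).
CLIENT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]      # what DAVdroid enabled on Android 4.4
CLIENT_SUITES = [                                      # SHA-1-only, like the logged list
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]
SHA1_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]
SERVER_SUITES = {                                      # server preference order per version
    "TLSv1": SHA1_SUITES,
    "TLSv1.1": SHA1_SUITES,
    "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"],
}
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

def negotiate(client_protocols, client_suites, server_suites):
    """Pick (version, suite) the way a server does: the highest common version is
    fixed first, then the first server-preferred suite the client also offered.
    Returns None for 'alert handshake failure'. Because the version is chosen
    before suites are compared, a TLS 1.2-capable client with only SHA-1 suites
    never falls back to the SHA-1 suites the server would offer at TLS 1.1."""
    common = [v for v in VERSION_ORDER if v in client_protocols and v in server_suites]
    if not common:
        return None
    version = common[-1]
    for suite in server_suites[version]:
        if suite in client_suites:
            return version, suite
    return None

def negotiate_with_fallback(client_protocols, client_suites, server_suites):
    """Workaround proposed in the thread: retry with TLS 1.2 disabled when the
    first attempt fails. Returns (result, number_of_attempts)."""
    result = negotiate(client_protocols, client_suites, server_suites)
    if result is None and "TLSv1.2" in client_protocols:
        reduced = [p for p in client_protocols if p != "TLSv1.2"]
        return negotiate(reduced, client_suites, server_suites), 2
    return result, 1

WEAK_TOKENS = {"NULL", "anon", "EXPORT", "DES", "DES40", "RC4", "MD5"}

def is_weak(suite):
    """Flags the null/anonymous/export/DES/RC4/MD5 suites that appear in the
    platform's full list; enabling 'everything available' would include them."""
    return not WEAK_TOKENS.isdisjoint(suite.split("_"))
```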


  • developer

    According to TLS 1.2 – Mandatory Cipher Suites, only TLS_RSA_WITH_AES_128_CBC_SHA is mandatory for TLS 1.2, so I guess this one should be enabled on your server? (Of course you're free to disable it, but then clients like DAVdroid may misbehave.)



  • You are right, technically TLS_RSA_WITH_AES_128_CBC_SHA is mandatory in TLS 1.2.
    However, most recommendations nowadays only contain at least SHA-256 ciphers. (e.g. Mozilla)

    A workaround would be to retry with TLS 1.2 disabled if the connection fails due to TLS-errors.
    But I am also fine building my own versions of DAVdroid in the future.



  • @klemens
    could you provide a patch for your modifications to davdroid code so that it can use the default protocols?
    thanks



  • Sure, here you go: https://gist.github.com/klemens/821e8e8727452e206253
    The first patch results in the default protocols used (SSLv3 and TLSv1 for android 4.4). But I would recommend the second one, which enables TLSv1 and TLSv1.1, but disables TLSv1.2 to avoid problems with SHA2.

