Piwigo / Piwigo-Android

Piwigo Native Android App
GNU General Public License v3.0

Handshake failed at connection #203

Closed mike855 closed 4 years ago

mike855 commented 4 years ago

Hello, when I try to connect, I get "handshake failed". No problem with any web browser.

Smartphone (please complete the following information):

HTTPS://bebe-charly.ddns.net

Nginx conf:

```nginx
upstream piwigo {
    server unix:/var/run/piwigo.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name bebe-charly.ddns.net;
    root /var/www/piwigo;
    index index.php index.html index.htm;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443;
    server_name bebe-charly.ddns.net;
    root /var/www/piwigo;
    index index.php index.html index.htm;

    ssl                         on;
    ssl_certificate             /etc/letsencrypt/live/bebe-charly.ddns.net/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/bebe-charly.ddns.net/privkey.pem;
    ssl_trusted_certificate     /etc/letsencrypt/live/bebe-charly.ddns.net/chain.pem;
    ssl_dhparam                 /etc/ssl/certs/dhparam.pem;

    ssl_session_cache           shared:SSL:1m;
    ssl_session_timeout         1440m;
    ssl_buffer_size             8k;
    ssl_protocols               TLSv1.2;

    ssl_ciphers                 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_prefer_server_ciphers   on;
    ssl_ecdh_curve              secp384r1;
    ssl_stapling                on;
    ssl_stapling_verify         on;

    add_header                  Strict-Transport-Security "max-age=63072000";
```

ramack commented 4 years ago

Where do you get "handshake failed"? In the app? Do you get the snackbar with the "details" button? Can you click on that and then on "REPORT"? This will prepare a report with the technical details in a mail to us.

On the other side I believe that your setup suffers from the same problem as #184.

mike855 commented 4 years ago

I get it when logging in with the app. I just sent the report.

ramack commented 4 years ago

The interesting part is:

```
ANDROID_VERSION=7.0

STACK_TRACE=javax.net.ssl.SSLHandshakeException: Handshake failed
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
 [...]
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x7f80c82c00: Failure in SSL library, usually a protocol error
error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x7f602f8e00:0x00000001)
error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x7f73616f76:0x00000000)
```

which seems to be an Android 7.0 related issue (because crypto in 7.0 lacks some widely used elliptic curves). There is quite some talk about that issue with the missing ciphers in Android 7.0 on the web, so I recommend you search a little and adjust the settings on nginx to allow more ciphers. Probably something RSA based is what you want to add, but as I'm not a security expert, take this advice with a grain of salt and check your final nginx config with some of the well known SSL checkers, as adding (potentially weak) ciphers to add Android 7 compatibility can be a security risk.

Edit: potentially adding a cipher like ECDHE-RSA-AES128-GCM-SHA256 could help...

mike855 commented 4 years ago

Ok thanks I will dig in that way


mike855 commented 4 years ago

Hello! I found the problem! Here is the original post: https://help.nextcloud.com/t/problems-to-connect-my-nextcloud-with-my-android-7/11059/4

`ssl_ecdh_curve secp384r1;` must be replaced by `ssl_ecdh_curve prime256v1;`

ramack commented 4 years ago

Thanks for reporting back. So I think we can close this, as it is purely related to Android 7 not supporting elliptic curve TLS which was used by your SSL-reverse proxy.
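The root cause in this thread is a server-side curve restriction: `ssl_ecdh_curve secp384r1;` leaves the Android 7.0 client with no ECDHE group in common, so the handshake is rejected at the ClientHello. The following is an added example (editor's code, not part of the Piwigo project) that lints an nginx configuration for exactly this condition. It treats `prime256v1` as Android 7.0 compatible because the thread confirms it; the inclusion of `x25519` and the handling of the `auto` default are the editor's assumptions about BoringSSL and OpenSSL defaults, not facts stated in the issue. The sample configurations are constructed from the directives posted above.

```python
import re

# Curves assumed to be negotiable by the Android 7.0 TLS stack.
# prime256v1 is confirmed by the issue thread; x25519 is an editor assumption
# based on BoringSSL's default curve list at that time.
ANDROID7_CURVES = {"prime256v1", "x25519"}

# Alternate spellings of the same curve (assumption: nginx/OpenSSL accept these).
ALIASES = {"secp256r1": "prime256v1", "p-256": "prime256v1"}


def configured_curves(nginx_conf: str) -> list[str]:
    """Return the colon-separated curve list from ssl_ecdh_curve.

    nginx lets several curves be offered as 'a:b:c'. If the directive is
    absent the server falls back to its default ('auto'), returned here as-is.
    """
    stripped = re.sub(r"#.*", "", nginx_conf)  # drop comments before matching
    match = re.search(r"\bssl_ecdh_curve\s+([^;]+);", stripped)
    if not match:
        return ["auto"]
    return [c.strip().lower() for c in match.group(1).split(":") if c.strip()]


def android7_compatible(nginx_conf: str) -> bool:
    """True if at least one offered curve is usable by an Android 7.0 client."""
    curves = configured_curves(nginx_conf)
    if curves == ["auto"]:
        # Assumption: the OpenSSL default group list includes P-256.
        return True
    return any(ALIASES.get(c, c) in ANDROID7_CURVES for c in curves)


# Constructed samples mirroring the issue: the failing directive and its fix.
BROKEN_CONF = """
server {
    listen 443 ssl;
    ssl_protocols               TLSv1.2;
    ssl_ecdh_curve              secp384r1;   # only P-384 offered
}
"""

FIXED_CONF = BROKEN_CONF.replace("secp384r1", "prime256v1")

# Offering both keeps P-384 for clients that support it while still
# giving Android 7.0 a curve it can use.
MULTI_CONF = BROKEN_CONF.replace("secp384r1", "secp384r1:prime256v1")


def report(name: str, conf: str) -> str:
    """One-line verdict for a config, used by the stand-alone run below."""
    verdict = "ok" if android7_compatible(conf) else "HANDSHAKE WILL FAIL on Android 7.0"
    return f"{name}: ssl_ecdh_curve={':'.join(configured_curves(conf))} -> {verdict}"


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF), ("multi", MULTI_CONF)):
        print(report(name, conf))
```

Offering a list such as `secp384r1:prime256v1` rather than swapping one curve for another keeps the stronger group available to clients that support it, which is the general form of the fix the thread arrives at.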