benibela / xidel

Command line tool to download and extract data from HTML/XML pages or JSON-APIs, using CSS, XPath 3.0, XQuery 3.0, JSONiq or pattern matching. It can also create new or transformed XML/HTML/JSON documents.
http://www.videlibri.de/xidel.html
GNU General Public License v3.0

HTTPS connection failed after connecting to server on androidarm revision #89

Closed Baltazar500 closed 2 years ago

Baltazar500 commented 2 years ago

I get an error on androidarm revision

Error: Internet Error: -4 Connection failed. Some possible causes: Failed DNS lookup, failed to load OpenSSL, failed proxy, server does not exists, has no open port or uses an unknown https certificate. HTTPS connection failed after connecting to server. Some possible causes: handshake failure, mismatched HTTPS version/ciphers, invalid certificate OpenSSL-Error: OpenSSL information: CA file: , CA dir: /system/etc/security/cacerts , TLSv1.2, BoringSSL

even when using the "--no-check-certificate" key


xidel-0.9.9.20220131.8335.4e6fcea4d02e --trace --no-check-certificate -e '//title' 'https://google.com'
Retrieving (GET): https://google.com
Error:
Internet Error: -4 Connection failed. Some possible causes: Failed DNS lookup, failed to load OpenSSL, failed proxy, server does not exists, has no open port or uses an unknown https certificate.
HTTPS connection failed after connecting to server. Some possible causes: handshake failure, mismatched HTTPS version/ciphers, invalid certificate
OpenSSL-Error:
OpenSSL information: CA file:  , CA dir: /system/etc/security/cacerts , TLSv1.2, BoringSSL

HTTPS connection failed after connecting to server. Some possible causes: handshake failure, mismatched HTTPS version/ciphers, invalid certificate
OpenSSL-Error:
OpenSSL information: CA file:  , CA dir: /system/etc/security/cacerts , TLSv1.1, BoringSSL

HTTPS connection failed after connecting to server. Some possible causes: handshake failure, mismatched HTTPS version/ciphers, invalid certificate
OpenSSL-Error:
OpenSSL information: CA file:  , CA dir: /system/etc/security/cacerts , TLSv1, BoringSSL
when talking to: https://google.com/

but not everywhere


xidel-0.9.9.20220131.8335.4e6fcea4d02e --trace --no-check-certificate -e '//title' 'https://curl.se'
Retrieving (GET): https://curl.se
Processing: https://curl.se/
curl

What is the problem ?

benibela commented 2 years ago

The HTTPS connection fails

I do not know what BoringSSL does there

You could try to record the connection with pcap/wireshark. Or try OpenSSL

Baltazar500 commented 2 years ago

> I do not know what BoringSSL does there

I have no idea where it comes from. How to find out the reason?

> You could try to record the connection with pcap/wireshark.

Does it help to intercept https ?

> Or try OpenSSL

How to do it under android (armv7) ?

There is no problem with xidel-0.9.9.20220131.8335.4e6fcea4d02e on Android 4.2.2/armv7

Linux localhost 3.4.5 #1 SMP PREEMPT Thu Mar 27 16:19:17 CST 2014 armv7l GNU/Linux

and on Android 6.0/armv7 I get errors with https

Linux localhost 3.18.19+ #2 SMP PREEMPT Thu Sep 7 17:51:43 CST 2017 armv7l GNU/Linux

Maybe the strace log will help ? strace # xidel-0.9.9.20220131.8335.4e6fcea4d02e.txt

benibela commented 2 years ago

> Does it help to intercept https ?

It shows which TLS version and ciphers are used.

> How to do it under android (armv7) ?

I do not know. Perhaps get a libcrypto.so and libssl.so from OpenSSL and set LD_LIBRARY_PATH to their path.

Actually perhaps that is how it is supposed to be done. Now I have looked up the BoringSSL documentation and it says "BoringSSL does not have a stable API or ABI. ... Android's system-internal copy of BoringSSL is not exposed by the NDK and must not be used by third-party applications."

> Android 4.2.2/armv7

Perhaps that still had OpenSSL

> Maybe the strace log will help ? strace # xidel-0.9.9.20220131.8335.4e6fcea4d02e.txt

That looks like the problem:

 write(3, "\26\3\1\0\235\1\0\0\231\3\3\7\5qA\321\335\272\222P\373l\261\264\215C^\233{\"x\220"..., 162) = 162
 read(3, 0xb85a880b, 5)                  = -1 ECONNRESET (Connection reset by peer)

The server does not answer anything. Perhaps it does not like the initial request. But you need to use strace -x --write=3 --read=3 to show the entire request rather than truncating. Or wireshark, which could also tell us what the request means (I tried to decode some of it. \26=content type, \3\1 = at least TLS1.0, \0\235=length, \1=ClientHello, \0\0\231=length, \3\3=at most TLS1.2,... ).

Baltazar500 commented 2 years ago

@benibela

> It shows which TLS version and ciphers are used.

I used tcpdump on the device to capture data, but there was nothing in the "Protocol" field, as well as in the "SSL" frames themselves.


Or is it necessary to intercept through wireshark ? It's a little more difficult, but I can do it.

> I do not know. Perhaps get a libcrypto.so and libssl.so from OpenSSL and set LD_LIBRARY_PATH to their path.

I did not find the new OpenSSL libraries libcrypto.so and libssl.so for android armv7 (where can I get them?) and I used libraries from an old smartphone with 4.2.2 and it worked, but xidel gave some errors:


WARNING: linker: /data/tools/openssllib/libcrypto.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
WARNING: linker: /data/tools/openssllib/libssl.so has text relocations. This is wasting memory and prevents security hardening. Please fix.

> The server does not answer anything. Perhaps it does not like the initial request. But you need to use strace -x --write=3 --read=3 to show the entire request rather than truncating.

I'm not sure if I have the full version of strace, but it seems that there were no errors with these switches and the full log was saved strace # xidel-0.9.9.20220131.8335.4e6fcea4d02e # full.txt

p.s. Through a proxy (BURP) on the desktop, android armv7 xidel requests went without libs and errors :|

benibela commented 2 years ago

The SNI record is missing

Looks like they changed something. I have uploaded a new version with a fix (https://github.com/benibela/internettools/commit/c353c5ca6fb7940efd6aa42c818fe7858c8b5336) (untested)
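
Added example, not code from xidel or internettools: a minimal Python parser that walks a ClientHello record field by field, as in the partial decode earlier in this thread, and reports whether the server_name (SNI) extension is present. The function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

SNI_EXT = 0  # server_name extension type (RFC 6066)

def build_client_hello(host=None):
    """Constructed sample input: minimal TLS 1.2 ClientHello, SNI optional."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name entry
        data = struct.pack("!H", len(entry)) + entry           # server_name_list
        exts += struct.pack("!HH", SNI_EXT, len(data)) + data
    body = (b"\x03\x03" + bytes(32)      # client_version, 32-byte random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return record/handshake fields and the SNI host name (None if absent)."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", rec, 0)
    if ctype != 0x16 or len(rec) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    if rec[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(rec[6:9], "big")
    client_ver = struct.unpack_from("!H", rec, 9)[0]
    pos = 9 + 2 + 32                                   # skip version + random
    pos += 1 + rec[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", rec, pos)[0]   # cipher_suites
    pos += 1 + rec[pos]                                # compression_methods
    sni = None
    end = 9 + hs_len
    if pos + 2 <= end:                                 # extensions are optional
        ext_end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", rec, pos)
            if etype == SNI_EXT:
                # skip list length (2) and name_type (1), then read the name
                nlen = struct.unpack_from("!H", rec, pos + 7)[0]
                sni = rec[pos + 9:pos + 9 + nlen].decode("ascii")
            pos += 4 + elen
    return {"record_version": rec_ver, "hs_len": hs_len,
            "client_version": client_ver, "sni": sni}
```

A full request dumped with the strace options mentioned above can be passed to `parse_client_hello` once the escapes are converted to bytes; a result with `sni` set to `None` corresponds to the diagnosis in this thread.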

Baltazar500 commented 2 years ago

> Looks like they changed something. I have uploaded a new version with a fix

Fix in revision xidel-0.9.9.20220424.8389.2d2ee7befb8a.androidarm works :) Google and other "problem" sites give data without BoringSSL errors. Thanks.