syncloud / platform

Run popular services on your device with one click
https://syncloud.org
GNU General Public License v3.0
396 stars, 40 forks

SSL Handshake issue after upgrade to the version 200723422 #535

Closed Jayky-II closed 3 years ago

Jayky-II commented 4 years ago

After the upgrade to the version 200723422 of my syncloud server (OHC1), I could not synchronize Nextcloud services (CalDav, CardDav, RSS feeds, ...) with an old Android device (Fairphone 1, Android 4.2.2).

I receive the following error message from CalDAV:

```text
20200814T214454Z I org.dmfs.caldav.autheticator.AuthenticatorActivity calendar discovery log:
20200814T214456Z V org.dmfs.dav.Dav get principal /.well-known/caldav
20200814T214456Z E org.dmfs.dav.Dav connection error - trying again
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5e3af000: Failure in SSL library, usually a protocol error
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x59ba9890:0x00000000)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:420)
at org.dmfs.dav.ai.createSocket(Unknown Source)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:365)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at org.dmfs.dav.s.b(Unknown Source)
at org.dmfs.dav.s.a(Unknown Source)
at org.dmfs.dav.s.b(Unknown Source)
at org.dmfs.dav.a.a(Unknown Source)
at org.dmfs.dav.a.b(Unknown Source)
at org.dmfs.caldav.authenticator.f.run(Unknown Source)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5e3af000: Failure in SSL library, usually a protocol error
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x59ba9890:0x00000000)
at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:378)
... 13 more

20200814T214456Z E org.dmfs.dav.Dav connection error - trying again
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5dd33b68: Failure in SSL library, usually a protocol error
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x59ba9890:0x00000000)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:420)
at org.dmfs.dav.ai.createSocket(Unknown Source)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:365)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at org.dmfs.dav.s.b(Unknown Source)
at org.dmfs.dav.s.a(Unknown Source)
at org.dmfs.dav.s.b(Unknown Source)
at org.dmfs.dav.a.a(Unknown Source)
at org.dmfs.dav.a.b(Unknown Source)
at org.dmfs.caldav.authenticator.f.run(Unknown Source)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5dd33b68: Failure in SSL library, usually a protocol error
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x59ba9890:0x00000000)
at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:378)
... 13 more

20200814T214456Z E org.dmfs.dav.Dav SSL Error
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5dfa79e0: Failure in SSL library, usually a protocol error
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x59ba9890:0x00000000)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:420)
at org.dmfs.dav.ai.createSocket(Unknown Source)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:365)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at org.dmfs.dav.s.b(Unknown Source)
at org.dmfs.dav.s.a(Unknown Source)
at org.dmfs.dav.s.b(Unknown Source)
at org.dmfs.dav.a.a(Unknown Source)
at org.dmfs.dav.a.b(Unknown Source)
at org.dmfs.caldav.authenticator.f.run(Unknown Source)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5dfa79e0: Failure in SSL library, usually a protocol error
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x59ba9890:0x00000000)
at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:378)
... 13 more

20200814T214456Z E org.dmfs.caldav.autheticator.AuthenticatorActivity ssl error
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5dfa79e0: Failure in SSL library, usually a protocol error
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x59ba9890:0x00000000)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:420)
at org.dmfs.dav.ai.createSocket(Unknown Source)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:365)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at org.dmfs.dav.s.b(Unknown Source)
at org.dmfs.dav.s.a(Unknown Source)
at org.dmfs.dav.s.b(Unknown Source)
at org.dmfs.dav.a.a(Unknown Source)
at org.dmfs.dav.a.b(Unknown Source)
at org.dmfs.caldav.authenticator.f.run(Unknown Source)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5dfa79e0: Failure in SSL library, usually a protocol error
error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x59ba9890:0x00000000)
at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:378)
... 13 more

App: org.dmfs.caldav.lib
App version: 0.4.22
OS version: 17
OS Info: FP/ahong89_wet_jb2/ahong89_wet_jb2:4.2.2/JDQ39/:user/test-keys
Date: Fri Aug 14 23:45:01 MESZ 2020
```

When using Firefox on this device, I can reach my Nextcloud Homepage, but without the fields for the login. Only the background and some minor things are there.

Before the last upgrade I could use all the services on my old Android device. On all more modern devices it is working fine. It would be great if it were possible to use them again.

cyberb commented 4 years ago

It must be due to TLS 1 and 1.1 support removal: https://github.com/syncloud/platform/commit/c4ea189a1d827c2314bc094c09b72831db778841

cyberb commented 4 years ago

Try these commands to bring back TLS 1 support to see if that is a problem:

```shell
sed -i 's/ssl_protocols.*/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/' /var/snap/platform/common/config.runtime/nginx/nginx.conf
snap restart platform.nginx-public
```

Jayky-II commented 4 years ago

Done, but without success. On my phone I get the following error message, now:

```text
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6010e510: Failure in SSL library, usually a protocol error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x59b3d890:0x00000000)

App: org.dmfs.caldav.lib
App version: 0.4.22
OS version: 17
OS Info: FP/ahong89_wet_jb2/ahong89_wet_jb2:4.2.2/JDQ39/:user/test-keys
Date: Sat Aug 22 21:19:28 MESZ 2020
```

DarkCoocky commented 3 years ago

You enabled TLS 1.0 and 1.1 support, but you forgot to add the cipher suites corresponding to these TLS versions, so the handshake cannot be done. Try these commands; I'm not a CLI expert, but it should work:

```shell
sed -i 's/ssl_ciphers.*/ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;/' /var/snap/platform/common/config.runtime/nginx/nginx.conf
snap restart platform.nginx-public
```

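The two fixes in this thread only work together: `ssl_protocols` decides which versions nginx will accept, but a TLS 1.0/1.1 client can only negotiate the older CBC suites with an HMAC-SHA1 MAC (names ending in `-SHA`), while the GCM, CHACHA20-POLY1305, CCM and SHA256/SHA384 suites exist only from TLS 1.2 on. Enabling TLSv1 without such a suite in `ssl_ciphers` turns the client's "tlsv1 alert protocol version" into the "sslv3 alert handshake failure" seen above, because no suite is shared. The following checker is an added example, not syncloud's code: it parses the two nginx directives from a config text and reports that mismatch, and also flags legacy protocols and known-weak suites (3DES, RC4, export, NULL, MD5) the way a hardening review would. The sample configurations are constructed for the example; the project's actual cipher list before the second `sed` is not shown on this page, so the "inconsistent" sample only assumes it contained TLS 1.2-only suites.

```python
"""Consistency and hardening check for nginx `ssl_protocols` / `ssl_ciphers`.

Added example, not part of the syncloud/platform project. Sample configs are
constructed; the INCONSISTENT_CONF cipher list is an assumption about the
state after re-enabling TLSv1 without touching the cipher list.
"""
import re

# Suite-name fragments that exist only from TLS 1.2 on (AEAD and SHA-2 MACs).
TLS12_ONLY_MARKERS = ("GCM", "CHACHA20", "CCM", "SHA256", "SHA384")
# Fragments a reviewer flags regardless of protocol version.
WEAK_MARKERS = ("DES-CBC3", "RC4", "EXP", "NULL", "MD5")
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def parse_directive(config_text, name):
    """Return the value of the first `name value;` directive, or None if absent."""
    pattern = r"^\s*" + re.escape(name) + r"\s+([^;]+);"
    match = re.search(pattern, config_text, re.MULTILINE)
    return match.group(1).strip() if match else None


def is_literal_suite(token):
    """True for a concrete OpenSSL suite name such as AES128-SHA; False for
    keywords and operators such as HIGH, !aNULL or ECDHE+AESGCM."""
    return "-" in token and not any(ch in token for ch in "!+@")


def usable_below_tls12(suite):
    """True if a TLS 1.0/1.1 client could negotiate this suite."""
    return not any(marker in suite for marker in TLS12_ONLY_MARKERS)


def audit(config_text):
    """Return a list of (severity, message) findings for the config text."""
    findings = []
    protocols = (parse_directive(config_text, "ssl_protocols") or "").split()
    tokens = [t for t in (parse_directive(config_text, "ssl_ciphers") or "").split(":") if t]
    suites = [t for t in tokens if is_literal_suite(t)]
    keywords = [t for t in tokens if not is_literal_suite(t)]

    if not protocols:
        findings.append(("error", "ssl_protocols is missing or empty"))
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    for proto in legacy:
        findings.append(("warn", f"{proto} is enabled; it is deprecated and weakens "
                                 "every client that could otherwise use TLS 1.2"))

    # The mismatch from this issue: legacy versions enabled, no suite they can use.
    if legacy and not any(usable_below_tls12(s) for s in suites):
        if keywords:
            findings.append(("info", "cipher list uses keyword(s) " + ", ".join(keywords)
                             + "; expand with `openssl ciphers -v` to confirm a pre-TLS 1.2 suite is present"))
        else:
            findings.append(("error", ", ".join(legacy) + " enabled but every listed suite is "
                             "TLS 1.2-only; TLS 1.0/1.1 clients fail with 'sslv3 alert handshake failure'"))

    for suite in suites:
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append(("warn", f"weak cipher suite {suite} is offered"))
    return findings


# Constructed: protocols re-enabled, cipher list still TLS 1.2-only (assumed).
INCONSISTENT_CONF = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
"""

# Constructed: a subset of the cipher list from the second sed command above.
CONSISTENT_CONF = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
"""

# Constructed: what a hardened configuration looks like (legacy versions off).
HARDENED_CONF = """\
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
"""

if __name__ == "__main__":
    for label, conf in (("inconsistent", INCONSISTENT_CONF),
                        ("consistent", CONSISTENT_CONF),
                        ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for severity, message in audit(conf) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against a copy of the real `nginx.conf` by passing the file contents to `audit()`. The "inconsistent" sample produces exactly one `error`, the "consistent" sample produces none but still warns about TLSv1, TLSv1.1 and `DES-CBC3-SHA`, and the hardened sample produces no findings at all; when the cipher list uses OpenSSL keywords such as `HIGH:!aNULL:!MD5` the script cannot expand them itself and says so rather than guessing.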
DarkCoocky commented 3 years ago

If you still have the same problem after using the commands written earlier, you can try these, which will bring the nginx config back to the configuration before the TLS1.1 and 1.2 removal.

```shell
sed -i 's/ssl_ciphers.*/ssl_ciphers HIGH:!aNULL:!MD5;/' /var/snap/platform/common/config.runtime/nginx/nginx.conf
snap restart platform.nginx-public
```

Jayky-II commented 3 years ago

Great, it worked! The first solution worked, so I haven't tried the second one. Thank you so much!

BR

cyberb commented 3 years ago

Just to let you know, every update to the system from updates will reset your change. But you can use the workaround until you get a new phone :)

Jayky-II commented 3 years ago

> Just to let you know, every update to the system from updates will reset your change. But you can use the workaround until you get a new phone :)

Yeah, I supposed that it would work like that. But that's okay, as long as you've given me the "tools" to fix it by myself :)