SSL Handshake failure (Android 7.0)

[ostrolucky]

I think this started when I updated to Nextcloud 12 from 11. Still works via web fine.

relevant section of adb log:

06-18 22:23:01.861  1955  2068 V de.luhmer.owncloudnewsreader.helper.FavIconHandler: Updating AVG color of feed: Laravel News - Color: -1021856
06-18 22:23:01.867  1955  2070 V de.luhmer.owncloudnewsreader.helper.FavIconHandler: Updating AVG color of feed: Yegor Bugayenko - Color: -13154481
06-18 22:23:01.868  1955  1974 V de.luhmer.owncloudnewsreader.ListView.SubscriptionExpandableListAdapter: Time needed (fetch folder list): 00:00:00.245
06-18 22:23:01.886  1955  1974 V de.luhmer.owncloudnewsreader.ListView.SubscriptionExpandableListAdapter: Reload Adapter - time taken: 00:00:00.263
06-18 22:23:01.901  1955  1978 V de.luhmer.owncloudnewsreader.ListView.SubscriptionExpandableListAdapter: Fetched folder/feed counts in 00:00:00.014
06-18 22:23:02.288  3817  4563 D WifiStateMachine: Current network is: "UPC0922354" , ID is: 119
06-18 22:23:02.291  3817  4563 D WIFI    : new score 60 for exisiting request NetworkRequest [ id=1, legacyType=-1, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN] ]
06-18 22:23:02.291  3817  4559 D WIFI_P2P: new score 60 for exisiting request NetworkRequest [ id=1, legacyType=-1, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN] ]
06-18 22:23:02.291  3817  4559 D WIFI_P2P:   my score=60, my filter=[ Transports: WIFI Capabilities: WIFI_P2P&NOT_RESTRICTED&TRUSTED&NOT_VPN LinkUpBandwidth>=1048576Kbps LinkDnBandwidth>=1048576Kbps]
06-18 22:23:02.291  3817  4563 D WIFI    :   my score=60, my filter=[ Transports: WIFI Capabilities: NOT_METERED&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN LinkUpBandwidth>=1048576Kbps LinkDnBandwidth>=1048576Kbps]
06-18 22:23:02.291  3817  4559 D WIFI_P2P: evalRequest
06-18 22:23:02.291  3817  4563 D WIFI    : evalRequest
06-18 22:23:02.291  3817  4559 D WIFI_P2P:   done
06-18 22:23:02.291  3817  4563 D WIFI    :   done
06-18 22:23:02.292  4689  4689 D PhoneSwitcherNetworkRequstListener: new score 60 for exisiting request NetworkRequest [ id=1, legacyType=-1, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN] ]
06-18 22:23:02.292  3817  4660 D Ethernet: new score 60 for exisiting request NetworkRequest [ id=1, legacyType=-1, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN] ]
06-18 22:23:02.292  3817  4660 D Ethernet:   my score=-1, my filter=[ Transports: ETHERNET Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN LinkUpBandwidth>=100000Kbps LinkDnBandwidth>=100000Kbps]
06-18 22:23:02.292  3817  4660 D Ethernet: evalRequest
06-18 22:23:02.292  3817  4660 D Ethernet:   done
06-18 22:23:02.292  4689  4689 D PhoneSwitcherNetworkRequstListener:   my score=101, my filter=[ Transports: CELLULAR Capabilities: MMS&SUPL&DUN&FOTA&IMS&CBS&IA&RCS&XCAP&EIMS&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN&ENT1 Specifier: <*>]
06-18 22:23:02.292  4689  4689 D PhoneSwitcherNetworkRequstListener: evalRequest
06-18 22:23:02.292  4689  4689 D PhoneSwitcherNetworkRequstListener:   done
06-18 22:23:02.292  3817  4563 D WIFI_UT : new score 60 for exisiting request NetworkRequest [ id=1, legacyType=-1, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN] ]
06-18 22:23:02.293  3817  4563 D WIFI_UT :   my score=2147483647, my filter=[ Transports: WIFI Capabilities: NOT_METERED&INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN LinkUpBandwidth>=1048576Kbps LinkDnBandwidth>=1048576Kbps]
06-18 22:23:02.293  3817  4563 D WIFI_UT : evalRequest
06-18 22:23:02.293  3817  4563 D WIFI_UT :   done
06-18 22:23:02.487 17011 17118 D EN      : [AccountInfoImpl]{RxComputationThreadPool-2} - getAuthToken()::authToken:154::decodedAuthtoken:111::decryptedAuthToken:111
06-18 22:23:02.488 17011 17118 D EN      : [AccountInfoImpl]{RxComputationThreadPool-2} - getAuthToken()::authToken:154::decodedAuthtoken:111::decryptedAuthToken:111
06-18 22:23:02.591  1955  1976 W System.err: javax.net.ssl.SSLHandshakeException: Handshake failed
06-18 22:23:02.592  1955  1976 W System.err: 	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
06-18 22:23:02.593  1955  1976 W System.err: 	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:267)
06-18 22:23:02.593  1955  1976 W System.err: 	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:237)
06-18 22:23:02.593  1955  1976 W System.err: 	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:148)
06-18 22:23:02.593  1955  1976 W System.err: 	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:186)
06-18 22:23:02.593  1955  1976 W System.err: 	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
06-18 22:23:02.594  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
06-18 22:23:02.595  1955  1976 W System.err: 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
06-18 22:23:02.595  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
06-18 22:23:02.595  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
06-18 22:23:02.595  1955  1976 W System.err: 	at de.luhmer.owncloudnewsreader.reader.HttpJsonRequest$AuthorizationInterceptor.intercept(HttpJsonRequest.java:168)
06-18 22:23:02.595  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
06-18 22:23:02.595  1955  1976 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
06-18 22:23:02.595  1955  1976 W System.err: 	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
06-18 22:23:02.595  1955  1976 W System.err: 	at okhttp3.RealCall.execute(RealCall.java:63)
06-18 22:23:02.595  1955  1976 W System.err: 	at de.luhmer.owncloudnewsreader.reader.HttpJsonRequest.PerformJsonRequest(HttpJsonRequest.java:191)
06-18 22:23:02.596  1955  1976 W System.err: 	at de.luhmer.owncloudnewsreader.reader.owncloud.OwnCloudReaderMethods.GetVersionNumber(OwnCloudReaderMethods.java:437)
06-18 22:23:02.596  1955  1976 W System.err: 	at de.luhmer.owncloudnewsreader.NewsReaderListFragment$AsyncTaskGetUserInfo.doInBackground(NewsReaderListFragment.java:282)
06-18 22:23:02.596  1955  1976 W System.err: 	at de.luhmer.owncloudnewsreader.NewsReaderListFragment$AsyncTaskGetUserInfo.doInBackground(NewsReaderListFragment.java:276)
06-18 22:23:02.596  1955  1976 W System.err: 	at android.os.AsyncTask$2.call(AsyncTask.java:304)
06-18 22:23:02.596  1955  1976 W System.err: 	at java.util.concurrent.FutureTask.run(FutureTask.java:237)
06-18 22:23:02.596  1955  1976 W System.err: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
06-18 22:23:02.596  1955  1976 W System.err: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
06-18 22:23:02.596  1955  1976 W System.err: 	at java.lang.Thread.run(Thread.java:762)
06-18 22:23:02.598  1955  1976 W System.err: 	Suppressed: javax.net.ssl.SSLHandshakeException: Handshake failed
06-18 22:23:02.598  1955  1976 W System.err: 		... 32 more
06-18 22:23:02.599  1955  1976 W System.err: 	Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x7cb5035c00: Failure in SSL library, usually a protocol error
06-18 22:23:02.599  1955  1976 W System.err: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:641 0x7cb51285a0:0x00000001)
06-18 22:23:02.599  1955  1976 W System.err: error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:800 0x7cb38352d7:0x00000000)
06-18 22:23:02.599  1955  1976 W System.err: 		at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
06-18 22:23:02.599  1955  1976 W System.err: 		at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
06-18 22:23:02.599  1955  1976 W System.err: 		... 31 more
06-18 22:23:02.600  1955  1976 W System.err: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x7cb5035c00: Failure in SSL library, usually a protocol error
06-18 22:23:02.601  1955  1976 W System.err: error:1000043e:SSL routines:OPENSSL_internal:TLSV1_ALERT_INAPPROPRIATE_FALLBACK (external/boringssl/src/ssl/s3_pkt.c:641 0x7cb51285a0:0x00000001)
06-18 22:23:02.601  1955  1976 W System.err: 	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
06-18 22:23:02.601  1955  1976 W System.err: 	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
06-18 22:23:02.601  1955  1976 W System.err: 	... 31 more
06-18 22:23:02.816  3817  4653 D WifiWatchdogStateMachine:  [|220] []

full adb log:
out.log.zip

[David-Development]

Thanks for the report. Can you give me a little more information on your setup?

You said you're using nextcloud 12, right?
Which Android OS Version do you use?
Which Nextcloud News Android App Version do you use?

I think you're already using the latest beta, right?
Maybe.. you can try to go to the account settings and login again (In the nextcloud android news app)? Maybe disable host verification? Did you change anything on your host? Is your ssl self certificate signed or "valid"?

[ostrolucky]

Nextcloud 12.0.0
Android 7.0 on Samsung Galaxy S7

was using 0.9.9.5, but now I tried beta 0.9.9.7, same problem
disabling host verification does not help
i'm not logged in in nextcloud android news app
certificate is valid, it's letsencrypt and gives normal green lock icon in browsers

[David-Development]

Okay, thanks for feedback. I'll need to make some tests. I don't have a test instance of nextcloud 12 available right now (with valid ssl). Would it be possible to create a demo account for me on your host? (You can send me the credentials via email - david-dev@live.de).

[ostrolucky]

done, credentials sent

[David-Development]

For everyone else encountering this issue.

Apparently there is a bug in Android 7.0 which supports only one elliptic curve. It's likely that your server uses one of the other, not supported ones. Read more

Updating your phone to Android 7.1 fixes the problem. If you can't update your phone, a fix / workaround (for nextcloud) can be found here.