Hello Nathan,

you need to set the DH_P_LENGTH on the server. Most likely your server is using too small a DH_P_LENGTH (512 or 768, maybe 1024), which is not supported by the BoringSSL library on Android 6.0. You can find some more information here: https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
Best regards,
Martin

On 23/10/15 00:57, Nathan wrote:
> Where does one set a DH_P_LENGTH? On the client? On the server? In a
> certificate?
>
> Sorry if this is a dumb question for those of you who know more about SSL.
>
> I've seen this issue but it has no solution.
> https://code.google.com/p/android-developer-preview/issues/detail?id=2792
>
> Nathan
>
> On Thursday, October 22, 2015 at 3:35:52 PM UTC-7, Nathan wrote:
>
> Something that was cut off.
>
> BAD_DH_P_LENGTH
>
> javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x557bb63810: Failure in SSL library, usually a protocol error
> error:100c1069:SSL routines:ssl3_get_server_key_exchange:BAD_DH_P_LENGTH (external/boringssl/src/ssl/s3_clnt.c:1193 0x7fa874c518:0x00000000)
>
> On Thursday, October 22, 2015 at 2:04:11 PM UTC-7, Nathan wrote:
>
> I am experiencing failures connecting securely to my own server
> which are probably as a result of the Android 6.0 changes.
>
> 10-21 21:27:10.018 1267-1530/... E/ServerService: Handshake failed
> 10-21 21:27:10.018 1267-1530/... E/ServerService: javax.net.ssl.SSLHandshakeException: Handshake failed
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:396)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:629)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at com.android.org.conscrypt.OpenSSLSocketImpl.getOutputStream(OpenSSLSocketImpl.java:615)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at com.crittermap.iab.serverinterface.ServerService.onHandleIntent(ServerService.java:98)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at android.app.IntentService$ServiceHandler.handleMessage(IntentService.java:66)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at android.os.Handler.dispatchMessage(Handler.java:102)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at android.os.Looper.loop(Looper.java:148)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at android.os.HandlerThread.run(HandlerThread.java:61)
> 10-21 21:27:10.018 1267-1530/... E/ServerService: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x557ba6f360: Failure in SSL library, usually a protocol error
> 10-21 21:27:10.018 1267-1530/... E/ServerService: error:100c1069:SSL routines:ssl3_get_server_key_exchange:BAD_DH_P_LENGTH (external/boringssl/src/ssl/s3_clnt.c:1193 0x7fa874c518:0x00000000)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324)
> 10-21 21:27:10.018 1267-1530/... E/ServerService:     ... 7 more
>
> However, nowhere that I can find are there instructions of *what
> to do* so your code will work with Android 6.0. That should be
> common courtesy when Android makes a breaking change.
>
> It does say:
>
> Android is moving away from OpenSSL to the BoringSSL
> <https://boringssl.googlesource.com/boringssl/> library
>
> It also gives advice for what to link when you are using the NDK.
> I am not using the NDK. What should java people do?
> I don't see anywhere in my code that I am referring to either
> BoringSSL or OpenSSL. Yet the stack trace above mentions both
> and there could be some sort of mismatch.
>
> Below is some of the code. While I am not the original author,
> this worked (and still does) up to Android 5.x.
>
> I could not see any calls here that are deprecated.
>
> KeyStore trustStore = KeyStore.getInstance("BKS");
> TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> InputStream trustStoreStream = context.getResources().openRawResource(R.raw.iabtruststore);
> trustStore.load(trustStoreStream, "IABTrust$tore0424".toCharArray());
> trustManagerFactory.init(trustStore);
>
> // Setup the SSL context to use the truststore
> ssl_ctx = SSLContext.getInstance("TLS");
> ssl_ctx.init(null, trustManagerFactory.getTrustManagers(), null);
>
> //retrieve a socketfactory!
> socketFactory = ssl_ctx.getSocketFactory();
>
> Any advice on what to change so that it will work?
>
> Nathan
>
> --
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/android-developers?hl=en
> ---
> You received this message because you are subscribed to the Google
> Groups "Android Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected]
> <mailto:[email protected]>.
> For more options, visit https://groups.google.com/d/optout.
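
Added example, not part of the original thread: the BAD_DH_P_LENGTH error in the trace is raised while the client reads the server's DHE ServerKeyExchange, so a server operator can confirm the diagnosis by measuring the prime that message carries. The sketch below parses the ServerDHParams layout from RFC 5246 and reports the size of dh_p; the 1024-bit minimum, the function names and the sample messages are assumptions made for illustration.

```python
import struct

# Assumption: the client's minimum accepted DH prime size in bits (adjust to your client).
MIN_DH_P_BITS = 1024
HANDSHAKE_SERVER_KEY_EXCHANGE = 12  # TLS HandshakeType value (RFC 5246)


def _read_vector16(buf, offset):
    """Read an opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">H", buf, offset)
    end = offset + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[offset + 2:end], end


def dh_p_bits(handshake_msg):
    """Return the bit length of dh_p in a DHE ServerKeyExchange handshake message."""
    if len(handshake_msg) < 4 or handshake_msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    dh_p, off = _read_vector16(body, 0)
    _dh_g, off = _read_vector16(body, off)
    _read_vector16(body, off)  # dh_Ys; any signature after it is ignored
    # Measure the integer, not the field: leading zero bytes do not add bits.
    return int.from_bytes(dh_p, "big").bit_length()


def check_dh_size(handshake_msg, minimum=MIN_DH_P_BITS):
    """Report the prime size and whether it meets the assumed client minimum."""
    bits = dh_p_bits(handshake_msg)
    return {"bits": bits, "accepted": bits >= minimum}


def build_sample(p_bits):
    """Constructed message for testing: p is a p_bits-bit odd number (not a real prime), g=2."""
    p_bytes = ((1 << (p_bits - 1)) | 1).to_bytes((p_bits + 7) // 8, "big")
    fields = (p_bytes, b"\x02", b"\x01" * len(p_bytes))
    body = b"".join(struct.pack(">H", len(v)) + v for v in fields)
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for size in (512, 768, 1024, 2048):
        print(size, check_dh_size(build_sample(size)))
```

If the reported size is below the client's minimum, the fix is on the server: generate larger DH parameters or prefer ECDHE cipher suites, as the reply at the top of the thread says.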

