I do believe it is using less than 1024. 

It's not obvious to me how to make the server use a longer DH_P_LENGTH. I 
don't see where we are setting it. It is using Java and 
ServerSocketFactory. 

Perhaps it will just happen if we update OpenSSL. Perhaps we have to 
upgrade to Java 8 and use an environment variable. Or maybe I upgrade 
Debian. 
(where's that intern that set up the server when you need him)


If the length gets longer, will it break all the 4.x and 5.x devices?

Nathan

On Friday, October 23, 2015 at 4:18:13 AM UTC-7, Martin Heller wrote:
>
> Hello Nathan, 
>
> you need to set the DH_P_LENGTH on the server. 
> Most likely your server is using a too small (512 or 768, maybe 1024) 
> DH_P_LENGTH which is not supported by the BoringSSL library on Android 
> 6.0. 
> You can find some more information here: 
> https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ 
>
> Best regards, 
>
> Martin 
>
> On 23/10/15 00:57, Nathan wrote: 
> > Where does one set a DH_P_LENGTH? On the client? On the server? In a 
> > certificate? 
> > 
> > Sorry if this is a dumb question for those of you who know more about 
> > SSL. 
> > 
> > I've seen this issue but it has no solution. 
> > 
> > https://code.google.com/p/android-developer-preview/issues/detail?id=2792 
> > 
> > Nathan 
> > 
> > On Thursday, October 22, 2015 at 3:35:52 PM UTC-7, Nathan wrote: 
> > 
> > 
> >     Something that was cut off. 
> > 
> >     BAD_DH_P_LENGTH 
> > 
> >     javax.net.ssl.SSLProtocolException: SSL handshake aborted: 
> >     ssl=0x557bb63810: Failure in SSL library, usually a protocol error 
> >     error:100c1069:SSL routines:ssl3_get_server_key_exchange:BAD_DH_P_LENGTH 
> >     (external/boringssl/src/ssl/s3_clnt.c:1193 0x7fa874c518:0x00000000) 
> > 
> > 
> >     On Thursday, October 22, 2015 at 2:04:11 PM UTC-7, Nathan wrote: 
> > 
> >         I am experiencing failures connecting securely to my own server 
> >         which are probably as a result of the Android 6.0 changes. 
> > 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService: Handshake failed 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService: 
> >         javax.net.ssl.SSLHandshakeException: Handshake failed 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:396) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:629) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         com.android.org.conscrypt.OpenSSLSocketImpl.getOutputStream(OpenSSLSocketImpl.java:615) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         com.crittermap.iab.serverinterface.ServerService.onHandleIntent(ServerService.java:98) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         android.app.IntentService$ServiceHandler.handleMessage(IntentService.java:66) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         android.os.Handler.dispatchMessage(Handler.java:102) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         android.os.Looper.loop(Looper.java:148) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         android.os.HandlerThread.run(HandlerThread.java:61) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:  Caused by: 
> >         javax.net.ssl.SSLProtocolException: SSL handshake aborted: 
> >         ssl=0x557ba6f360: Failure in SSL library, usually a protocol error 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService: 
> >         error:100c1069:SSL routines:ssl3_get_server_key_exchange:BAD_DH_P_LENGTH 
> >         (external/boringssl/src/ssl/s3_clnt.c:1193 0x7fa874c518:0x00000000) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:     at 
> >         com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324) 
> >         10-21 21:27:10.018 1267-1530/... E/ServerService:         ... 7 more 
> > 
> > 
> >         However, nowhere that I can find are there instructions of *what 
> >         to do* so your code will work with Android 6.0. That should be 
> >         common courtesy when Android makes a breaking change. 
> > 
> >         it does say: 
> > 
> >         Android is moving away from OpenSSL to the BoringSSL 
> >         <https://boringssl.googlesource.com/boringssl/> library 
> > 
> >         It also gives advice for what to link when you are using the 
> >         NDK. I am not using the NDK. What should Java people do? 
> >         I don't see anywhere in my code that I am referring to either 
> >         BoringSSL or OpenSSL. Yet the stack trace above mentions both 
> >         and there could be some sort of mismatch. 
> > 
> >         Below is some of the code. While I am not the original author, 
> >         this worked (and still does ) up to Android 5.x. 
> > 
> >         I could not see any calls here that are deprecated. 
> > 
> > 
> >         // Load the app's own BKS trust store from the raw resources 
> >         KeyStore trustStore = KeyStore.getInstance("BKS"); 
> >         TrustManagerFactory trustManagerFactory = 
> >                 TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); 
> >         InputStream trustStoreStream = 
> >                 context.getResources().openRawResource(R.raw.iabtruststore); 
> >         trustStore.load(trustStoreStream, "IABTrust$tore0424".toCharArray()); 
> >         trustManagerFactory.init(trustStore); 
> > 
> >         // Set up the SSL context to use the trust store 
> >         ssl_ctx = SSLContext.getInstance("TLS"); 
> >         ssl_ctx.init(null, trustManagerFactory.getTrustManagers(), null); 
> > 
> >         // Retrieve a socket factory 
> >         socketFactory = ssl_ctx.getSocketFactory(); 
> > 
> > 
> >         Any advice on what to change so that it will work? 
> > 
> >         Nathan 
> > 
>
>

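An added example, not from anyone in this thread: a small POSIX shell script that checks how large a DH prime a server actually sends in its ServerKeyExchange, which is the value BoringSSL on Android 6.0 is rejecting with BAD_DH_P_LENGTH. It assumes an `openssl` binary of 1.0.2 or newer on PATH (older versions do not print the "Server Temp Key" line); HOST and PORT are placeholders, and the sample output parsed at the end is constructed, not captured from the server discussed above.

```shell
#!/bin/sh
# Added example, not code from the thread. Probe a TLS server for the size of
# the DH prime it sends in ServerKeyExchange (what BoringSSL checks when it
# raises BAD_DH_P_LENGTH). Assumes `openssl` 1.0.2 or newer on PATH; HOST and
# PORT below are placeholders.

# Read `openssl s_client` output on stdin and print the DH prime size in bits.
# s_client prints "Server Temp Key: DH, <n> bits" when a DHE suite was used.
# Prints nothing for ECDHE ("Server Temp Key: ECDH, ...") or RSA key exchange.
dh_bits_from_output() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p'
}

# Classify a prime size against the thresholds that matter here:
#   < 1024  BoringSSL on Android 6.0 aborts the handshake (BAD_DH_P_LENGTH)
#   < 2048  accepted, but below the size the Logjam guidance recommends
classify_dh_bits() {
    bits="$1"
    if [ -z "$bits" ]; then
        echo "no-dhe"        # no DH ServerKeyExchange seen (non-DHE suite or failed handshake)
    elif [ "$bits" -lt 1024 ]; then
        echo "too-small"
    elif [ "$bits" -lt 2048 ]; then
        echo "weak"
    else
        echo "ok"
    fi
}

# Probe a live server. -cipher 'DHE' forces an ephemeral-DH suite so the
# server must send a prime; -tls1_2 stops OpenSSL 1.1.1/3.x negotiating
# TLS 1.3, which has no ServerKeyExchange and would print no DH line at all.
# Exit status is 0 only when the prime is at least 2048 bits.
check_server() {
    host="$1"; port="$2"
    out=$(openssl s_client -connect "$host:$port" -tls1_2 -cipher 'DHE' </dev/null 2>&1)
    bits=$(printf '%s\n' "$out" | dh_bits_from_output)
    # OpenSSL 1.1.0+ refuses primes under 1024 bits itself, so a too-short
    # prime shows up as a failed handshake rather than a "Server Temp Key" line.
    if [ -z "$bits" ] && printf '%s\n' "$out" | grep -q 'dh key too small'; then
        echo "$host:$port: local OpenSSL rejected the DH prime as too small -> too-small"
        return 1
    fi
    verdict=$(classify_dh_bits "$bits")
    echo "$host:$port: DH prime ${bits:-not seen} -> $verdict"
    [ "$verdict" = "ok" ]
}

# Constructed sample of s_client output (not captured from the server in the
# thread), showing the 768-bit prime a Java 7 JSSE server sends by default.
SAMPLE_OUTPUT='CONNECTED(00000003)
New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: DH, 768 bits
---'

# Run the parser over the constructed sample; returns the classification.
demo() {
    bits=$(printf '%s\n' "$SAMPLE_OUTPUT" | dh_bits_from_output)
    echo "sample: DH prime $bits bits -> $(classify_dh_bits "$bits")"
}

demo
# Live check against a real server: check_server HOST PORT
```

On the Java side there is nothing to set on the ServerSocketFactory itself; the ephemeral DH size is a JSSE property, and the JVM's own TLS stack generates the parameters, so updating the system OpenSSL or the Debian release does not change it. Java 7 fixes the size at 768 bits for non-export suites, which is below the 1024-bit minimum BoringSSL enforces; Java 8 defaults to 1024 bits and accepts `-Djdk.tls.ephemeralDHKeySize=2048` on the java command line (it must be set before JSSE initialises). Enabling ECDHE suites avoids the DH prime altogether. Android 4.x/5.x clients talk TLS through Conscrypt on top of OpenSSL and accept a 2048-bit prime; the clients a larger prime does break are Java 7-era ones, whose DH implementation is limited to 1024 bits.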
-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en