Re: Android 5.0 SSL handshake failure
On 01/22/2015 04:19 AM, Mark Thomas wrote:
> On 22/01/2015 00:12, Matthew Mah wrote:
>> On 01/21/2015 03:24 PM, Christopher Schultz wrote:
>>> Have you tried a plain-old HTTPS connection? No Websocket?
>>
>> I just tried HTTPS using
>>
>>     HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
>>     try {
>>         try {
>>             // Reading the response forces the connection, and with it the TLS handshake.
>>             InputStream in = new BufferedInputStream(urlConnection.getInputStream());
>>             byte[] buffer = new byte[1024];
>>             in.read(buffer);
>>             Log.i(TAG, new String(buffer));
>>         } catch (Exception e) { } // read errors are ignored
>>         // Cipher suite negotiated during the handshake.
>>         String cipherSuite = urlConnection.getCipherSuite();
>>         Log.i(TAG, "connected? " + cipherSuite);
>>     } finally {
>>         urlConnection.disconnect();
>>     }
>>
>> There is currently no content being served (only the websocket), but the network trace shows a successful TLSv1.2 handshake. This should mean the certificates and cipher suites are fine, but there is a problem with some interaction between Android 5.0 and the Tyrus websocket implementation.
>
> Huh? Tyrus WebSocket is nothing to do with Tomcat.
>
> Mark

Tyrus is running on a client trying to negotiate an SSL connection with Tomcat. At this point, I am confident there is a bug either in Android or in Tyrus and not in the Tomcat configuration, so we can cease discussion on this topic here.

>> I think the most logical next step is to try a different websocket implementation.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Android 5.0 SSL handshake failure
On 01/21/2015 11:26 AM, Christopher Schultz wrote:
> Matt,
>
> On 1/21/15 11:13 AM, Matthew Mah wrote:
>> On 01/20/2015 10:08 AM, Christopher Schultz wrote:
>>> Matthew,
>>>
>>> On 1/18/15 1:54 PM, Matthew Mah wrote:
>>>> I have set up a Tomcat server using spring-boot with SSL/TLS for secure websockets.
>>>
>>> Tomcat version? JVM version? Any relevant configuration?
>>
>> Tomcat 8.0.15.
>> multiple JVM:
>> java version 1.7.0_55 OpenJDK Runtime Environment
>> java version 1.7.0_65 OpenJDK Runtime Environment
>> java version 1.7.0_71 OpenJDK Runtime Environment
>>
>> I have tried the default ciphers, as well as:
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> TLS_RSA_WITH_AES_128_CBC_SHA
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>>
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed as both supported and enabled for Android API 11+
>> http://developer.android.com/reference/javax/net/ssl/SSLSocket.html
>>
>> I would prefer a stronger cipher suite (not SHA1), but right now I am looking for anything that works.
>>
>>>> This works for Android 4.4, iOS, Firefox, and Chrome clients. Android 5.0 clients (Nexus 5) fail the SSL handshake.
>>>
>>> What protocol and ciphers are those working browsers using?
>>
>> Chrome: TLS 1.2 ECDHE RSA AES 128 CBC SHA1
>> Firefox: TLS v? ECDHE RSA AES 128 CBC SHA1
>>
>>> Check the archives for a somewhat recent post by me including code to scan an SSL server for the protocols and ciphers it supports.
>>
>> That's a great tool you've written. Using the shortlist of cipher suites on Tomcat above, this is supported:
>>
>> Accepted TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> Accepted TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
>> Accepted TLSv1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> Accepted TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA
>> Accepted TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> Accepted TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
>> Accepted TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>
> Cool. Is that the whole list?
> It's not many: just 3 different ciphers for each of 3 protocols. It's possible there simply isn't any match between what Android 5.0 can do and what you have available.

Yes, that's currently the whole list. I tried the default cipher suites first and when they did not work, I tried to slim down the list so that the openssl s_client would negotiate a cipher suite on the supported Android list.

> From your SO posting, I can see you claim that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is documented to be available in Android's SSL/TLS API, so I'd be surprised if it didn't connect. I wonder if this is a problem with the handshake only?

I suspect there is a problem with Android 5's handshake. I've opened an Android bug report:
https://code.google.com/p/android/issues/detail?id=103251

If someone on the list had responded that they do have Android 5 connecting a websocket to Tomcat, it would probably be a configuration problem on my Tomcat server.

> What does your Connector configuration look like?

I am using spring-boot 1.2.1, and I don't have that set explicitly. The configuration I do have is the spring boot application.properties:

    server.ssl.key-store = mind7.cs.umd.edu.chained.p12
    server.ssl.key-store-password = secret
    server.ssl.key-store-type = PKCS12

Otherwise the configuration is the default for spring-boot.

> Perhaps you have to re-enable the SSLv2hello protocol. (Note that this does not allow SSLv2 or SSLv3 to be used as the protocol... only to start the handshake using the old protocol).

I will look into this for spring boot. Thanks.
> -chris
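
The question raised in the message above (whether there is any match between what the client can do and what the server accepts) can be checked directly. This is an added example, not code from the thread and not Christopher Schultz's scanner: it parses the scanner output quoted above and intersects it with the protocols and cipher suites that the local runtime's default SSLContext enables. The class name SuiteOverlap is hypothetical, and the check assumes it is run on the client runtime being diagnosed.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class SuiteOverlap {
    // Server side: scanner output as posted in the thread (spacing normalized).
    static final String SCAN = String.join("\n",
        "Accepted TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "Accepted TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA",
        "Accepted TLSv1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "Accepted TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA",
        "Accepted TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "Accepted TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA",
        "Accepted TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA");

    // Parse "Accepted <protocol> <suite>" lines into protocol -> suites.
    static Map<String, Set<String>> parseScan(String scan) {
        Map<String, Set<String>> server = new TreeMap<>();
        for (String line : scan.split("\n")) {
            String[] f = line.trim().split("\\s+");
            if (f.length == 3 && f[0].equals("Accepted"))
                server.computeIfAbsent(f[1], k -> new TreeSet<>()).add(f[2]);
        }
        return server;
    }

    // Keep only the protocol/suite pairs that the client side also enables.
    static Map<String, Set<String>> overlap(Map<String, Set<String>> server,
            Set<String> clientProtocols, Set<String> clientSuites) {
        Map<String, Set<String>> common = new TreeMap<>();
        for (Map.Entry<String, Set<String>> e : server.entrySet()) {
            Set<String> shared = new TreeSet<>(e.getValue());
            shared.retainAll(clientSuites);
            if (clientProtocols.contains(e.getKey()) && !shared.isEmpty())
                common.put(e.getKey(), shared);
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        // Client side: what this runtime's default SSLContext enables.
        SSLParameters p = SSLContext.getDefault().getDefaultSSLParameters();
        Set<String> protocols = new TreeSet<>(Arrays.asList(p.getProtocols()));
        Set<String> suites = new TreeSet<>(Arrays.asList(p.getCipherSuites()));
        // JSSE lists the v2-compatible hello as the pseudo-protocol "SSLv2Hello".
        System.out.println("client enables SSLv2Hello: " + protocols.contains("SSLv2Hello"));
        Map<String, Set<String>> common = overlap(parseScan(SCAN), protocols, suites);
        System.out.println(common.isEmpty() ? "no shared protocol/suite" : "shared: " + common);
    }
}
```

A websocket client that builds its own SSLContext or SSLEngine may enable a different set than the defaults reported here.
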
Re: Android 5.0 SSL handshake failure
On 01/20/2015 10:08 AM, Christopher Schultz wrote:
> Matthew,
>
> On 1/18/15 1:54 PM, Matthew Mah wrote:
>> I have set up a Tomcat server using spring-boot with SSL/TLS for secure websockets.
>
> Tomcat version? JVM version? Any relevant configuration?

Tomcat 8.0.15.
multiple JVM:
java version 1.7.0_55 OpenJDK Runtime Environment
java version 1.7.0_65 OpenJDK Runtime Environment
java version 1.7.0_71 OpenJDK Runtime Environment

I have tried the default ciphers, as well as:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed as both supported and enabled for Android API 11+
http://developer.android.com/reference/javax/net/ssl/SSLSocket.html

I would prefer a stronger cipher suite (not SHA1), but right now I am looking for anything that works.

>> This works for Android 4.4, iOS, Firefox, and Chrome clients. Android 5.0 clients (Nexus 5) fail the SSL handshake.
>
> What protocol and ciphers are those working browsers using?

Chrome: TLS 1.2 ECDHE RSA AES 128 CBC SHA1
Firefox: TLS v? ECDHE RSA AES 128 CBC SHA1

> Check the archives for a somewhat recent post by me including code to scan an SSL server for the protocols and ciphers it supports.

That's a great tool you've written. Using the shortlist of cipher suites on Tomcat above, this is supported:

Accepted TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA

>> Has anyone successfully set up secure websockets with Android 5?
>> I know there are SSL/TLS changes in Android 5, and so far I am unable to find any combination of configurations on the server and client to successfully connect. If someone else has gotten this to work, at least I will know I am making an error somewhere.
>>
>> I have details posted on stack overflow:
>> http://stackoverflow.com/questions/28011581/android-5-0-lollipop-websocket-ssl-handshake-failure
>
> It looks like you might have to re-enable the SSL2hello pseudo-protocol, which is weird because Android 5 should definitely speak TLS.
>
> -chris
Re: Android 5.0 SSL handshake failure
On 01/21/2015 03:24 PM, Christopher Schultz wrote:
> Have you tried a plain-old HTTPS connection? No Websocket?

I just tried HTTPS using

    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
    try {
        try {
            // Reading the response forces the connection, and with it the TLS handshake.
            InputStream in = new BufferedInputStream(urlConnection.getInputStream());
            byte[] buffer = new byte[1024];
            in.read(buffer);
            Log.i(TAG, new String(buffer));
        } catch (Exception e) { } // read errors are ignored
        // Cipher suite negotiated during the handshake.
        String cipherSuite = urlConnection.getCipherSuite();
        Log.i(TAG, "connected? " + cipherSuite);
    } finally {
        urlConnection.disconnect();
    }

There is currently no content being served (only the websocket), but the network trace shows a successful TLSv1.2 handshake. This should mean the certificates and cipher suites are fine, but there is a problem with some interaction between Android 5.0 and the Tyrus websocket implementation.

I think the most logical next step is to try a different websocket implementation.
Android 5.0 SSL handshake failure
I have set up a Tomcat server using spring-boot with SSL/TLS for secure websockets. This works for Android 4.4, iOS, Firefox, and Chrome clients. Android 5.0 clients (Nexus 5) fail the SSL handshake.

Has anyone successfully set up secure websockets with Android 5? I know there are SSL/TLS changes in Android 5, and so far I am unable to find any combination of configurations on the server and client to successfully connect. If someone else has gotten this to work, at least I will know I am making an error somewhere.

I have details posted on stack overflow:
http://stackoverflow.com/questions/28011581/android-5-0-lollipop-websocket-ssl-handshake-failure

Thanks,
Matt