com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: Handshake failed

or

02-10 21:41:26.496  11524-12747/com.example.blgui3 W/System.err﹕ javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
02-10 21:41:26.506  11524-12747/com.example.blgui3 W/System.err﹕ at com.android.org.conscrypt.SSLNullSession.getPeerCertificates(SSLNullSession.java:104)
02-10 21:41:26.506  11524-12747/com.example.blgui3 W/System.err﹕ at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
02-10 21:41:26.506  11524-12747/com.example.blgui3 W/System.err﹕ at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
02-10 21:41:26.506  11524-12747/com.example.blgui3 W/System.err﹕ at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
02-10 21:41:26.506  11524-12747/com.example.blgui3 W/System.err﹕ at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
02-10 21:41:26.506  11524-12747/com.example.blgui3 W/System.err﹕ at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
02-10 21:41:26.506  11524-12747/com.example.blgui3 W/System.err﹕ at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:372)
02-10 21:41:26.506  11524-12747/com.example.blgui3 W/System.err﹕ at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)

I constantly run into this error when I am trying to make an HTTP request (second one) or use Volley to do it for me (first one).

I checked other posts here and spent hours looking into this issue but I haven't found anything.

I have a VPS with CentOS installed and since I am not a Linux guy I reach it via WHM with root access.

I had an SSL certificate on the domain from Verisign, and the error is present on 4.4 (now that I received the upgrade) and 5.0, but it's not present on 4.1.

I moved from Verisign to Thawte (the certificate was about to expire soon and Thawte is cheaper) and I hoped this would solve the issue, but it didn't. The certificate is not an intermediate certificate.

Facts

According to this link the certificate is installed correctly. I talked to Thawte as well and was told there shouldn't be a problem.

When you check the certificate for the domain in the browser it says The connection uses TLS1.2. The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.

The (partial) output of openssl s_client -connect www.dappwall.com:443 is

    Certificate chain
     0 s:/C=CH/ST=Basel-Stadt/L=Basel/O=Dappwall GmbH/CN=www.dappwall.com
       i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
     1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
       i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
     2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
       i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    No client certificate CA names sent
    ---
    SSL handshake has read 4198 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: C1FC9A551735B29233A5AFF619CE343E0C62387DED33A2C82075F96719646289
        Session-ID-ctx:
        Master-Key: B615A4F45F2C0A2F9C37813A3F9E89448B5C54B532FF0F9C831EA38C9D1A9DA4B722F665DD7904A3D5ABEAA5A493AEE5
        Key-Arg   : None
        Start Time: 1423598904
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)

Any ideas? Maybe I just remove SSL from the server and go with HTTP as a last resort; that would be the same as setting trusting all certificates.

Considering I replaced the AsyncTasks with Volley in a lot of places in the app (about 25 times), I don't intend to create special HttpClients, as Volley is using a built-in HttpClient and I don't want to override its code.
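As an added illustration (not part of the question or its comments), the script below parses the "Certificate chain" block from the openssl output above and models the two ways a client can build a path from that chain to its local trust store: following the server-sent chain to its very end before consulting the store, or treating any sent certificate that is already a local anchor as the end of the path. The trust-store contents are constructed for the example, certificates are matched by CN only, and no signature, validity or key-usage checks are done, so it only shows why a chain ending in a cross-signed root can yield "unable to get local issuer certificate" on one store and verify on another.

```python
import re

S_CLIENT_CHAIN = """Certificate chain
 0 s:/C=CH/ST=Basel-Stadt/L=Basel/O=Dappwall GmbH/CN=www.dappwall.com
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---"""

def cn(dn):
    # Pull the CN attribute out of an OpenSSL one-line DN such as "/C=US/O=x/CN=y"
    return re.search(r"/CN=([^/]+)", dn).group(1).strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+ s:(.*)", line)
        if m:
            subject = cn(m.group(1))
            continue
        m = re.match(r"\s*i:(.*)", line)
        if m and subject is not None:
            chain.append((subject, cn(m.group(1))))
            subject = None
    return chain

def verify(chain, trusted, trusted_first=False):
    """Walk leaf -> CA; `trusted` holds the root CNs the client ships.
    trusted_first=False follows the sent chain to its end before consulting the
    store; True stops at the first sent cert (or issuer) that is a local anchor."""
    for depth, (subject, issuer) in enumerate(chain):
        if trusted_first and (subject in trusted or issuer in trusted):
            return True, f"0 (ok: trust anchor reached at depth {depth})"
        nxt = chain[depth + 1][0] if depth + 1 < len(chain) else None
        if nxt == issuer:
            continue  # the server supplied the issuer; keep climbing
        if nxt is not None:
            return False, f"chain broken at depth {depth}: {issuer!r} != {nxt!r}"
        if issuer in trusted:
            return True, f"0 (ok: {issuer!r} found in local store at depth {depth})"
        return False, "20 (unable to get local issuer certificate)"
    return False, "empty chain"

if __name__ == "__main__":
    chain = parse_chain(S_CLIENT_CHAIN)
    print(verify(chain, {"thawte Primary Root CA"}))                      # code 20
    print(verify(chain, {"thawte Primary Root CA"}, trusted_first=True))  # ok
```

With only the modern self-signed "thawte Primary Root CA" in the store, the first strategy climbs past it to the cross-signed copy and fails exactly as the openssl output does; the second strategy stops at depth 1 and verifies.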

  • Please check that you don't try to use SSL 3.0 since the server does not support it. If you are not sure make a packet capture and have a look. – Steffen Ullrich Feb 10 '15 at 21:20
  • And using HTTP wouldn't be the same as 'setting trusting all certificates'. It also exposes you to passive and injection attacks. – user207421 Feb 10 '15 at 23:35
  • "How do I check it?" - Do a packet capture, use wireshark to look at the results. Maybe http://security.stackexchange.com/questions/29314/what-is-the-significance-of-the-version-field-in-a-tls-1-1-clienthello-message will help you. – Steffen Ullrich Feb 11 '15 at 01:56
  • This worked for me: http://stackoverflow.com/a/27126109/1617737 – ban-geoengineering Oct 12 '16 at 16:44
