
We have an old server (Windows Server 2003) which only supports older SSL/TLS and cipher suites. This is a problem and we are working on upgrading it. Android 7 does not seem to accept this and I need a quick fix to go around this problem.

How do I allow arbitrary loads like App Transport Security Settings in iOS 9? We had the same problem there. There is nothing wrong with our certificate; we just need Android 7 to accept the connection. I think the problem is TLS 1.0.

```
W/System.err: javax.net.ssl.SSLHandshakeException: Connection closed by peer
W/System.err:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
```

Everything is working fine on Android 6 and below.

Zeezer
  • Have you seen this -- https://stackoverflow.com/questions/39287830/connection-closed-by-peer-error-occurs-in-android-7-0-nougat-while-connecting -- to check if the KB968730 is applicable to you? – Anand Bhat Sep 13 '16 at 13:03
  • Yes, I saw it, KB968730 does not apply to our problem. It will not allow me to upgrade from TLS 1.0 on Windows Server 2003, unfortunately. But the question is about the same problem, not expressed too well though. – Zeezer Sep 13 '16 at 13:12
  • You can try setting up a [network security configuration](https://developer.android.com/training/articles/security-config.html), where you add your server's certificate as a trust anchor. I suspect that it will not help, but it is at least worth a try. – CommonsWare Sep 13 '16 at 13:54
  • Unfortunately not. There is nothing wrong with our certificate configuration. – Zeezer Sep 14 '16 at 07:18
  • Did you find a solution to this issue? I am facing the same right now... – IgorGanapolsky Sep 29 '16 at 16:35
  • No I didn't. Upgraded to Windows Server 2008 R2 instead. Working fine now. – Zeezer Oct 03 '16 at 14:57

1 Answer


Not exactly the answer to your question, but I was in the same boat with a 2003 server with Exchange 2003 and Android 7.0 not being able to do ActiveSync with it. Like you, we are also planning a migration and needed a quick workaround to hold for another month. I ended up basically offloading SSL to a 2012 R2 with IIS and the Application Request Routing module... details here:

http://blog.lint.at/iis-as-reverseproxy-with-ssl-offloading/

Also, if you apply the right security enhancements in the 2012 R2 box (look here), you'll be effectively raising the security on those sites to a level 2003 is just not able... I am getting an SSLLabs A rating on 2003 OWA...

MrLumute
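The answer above mentions hardening the 2012 R2 front end without listing the settings. The PowerShell below is an added example, not taken from the answer or the pages it links to: it audits the SCHANNEL server-side protocol keys on the TLS-terminating box and, with `-Apply`, writes them. The protocol policy (refuse SSL 2.0, SSL 3.0 and TLS 1.0; offer TLS 1.1 and 1.2) is an assumption.

```powershell
# Added example: audit, then optionally harden, the SCHANNEL *server* protocol
# settings on the front-end proxy. Run elevated; changes apply after a reboot.
# Assumption: the policy table below is illustrative, not from the answer.
param([switch]$Apply)

$root   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$policy = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-ServerProtocolState([string]$Protocol) {
    # No key or no Enabled value means the OS built-in default is in effect.
    $key = Join-Path $root "$Protocol\Server"
    $val = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $val -or $null -eq $val.Enabled) { return 'OS default' }
    if ($val.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

foreach ($proto in $policy.Keys) {
    $want = if ($policy[$proto]) { 'Enabled' } else { 'Disabled' }
    $have = Get-ServerProtocolState $proto
    '{0,-8} current: {1,-10} wanted: {2}' -f $proto, $have, $want

    if ($Apply -and $have -ne $want) {
        $key = Join-Path $root "$proto\Server"
        # Create the key only if missing so existing values are not wiped.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled: 1 = on, 0 = off. DisabledByDefault is its inverse.
        $on = [int]$policy[$proto]
        New-ItemProperty -Path $key -Name Enabled -Value $on `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value (1 - $on) `
            -PropertyType DWord -Force | Out-Null
    }
}
```

Run it without `-Apply` first to see the current state. Only the `Server` subkeys are touched, so outbound connections from the proxy to a legacy back end keep their existing client-side settings.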