ssl23_get_server_hello:tlsv1 alert handshake failure android 4.4

Question

I am working on an client - server application project with an Android client and Apache server and mutual authentication (i.e., client certificate). I am poor in SSL/TLS.

Server authentication get done all okay but when it comes to client authentication this error: ssl23_get_server_hello:tlsv1 alert handshake failure happens. I have also checked packets using WireShark many times and i also have created self signed certificates using my self created CA many times.

I should mention I've set Apache SSLVerifyClient property on "require" and SSLVerifyDepth on 1 and SSLCACertificateFile is set also. on "optional" everything is okay but i dont want it to be like that.

It seems everything is okay and without problem on my localhost when I test it using openssl s_client and I address client cert and key and CA file .

c:\OpenSSL-Win64\bin>openssl s_client -connect 192.168.1.55:443 -key c:\xampp\apache\conf\ssl.key\client.key
-cert c:\xampp\apache\conf\ssl.crt\client.crt -CAfile c:\xampp\apache\conf\ssl.crt\ca.crt
Enter pass phrase for c:\xampp\apache\conf\ssl.key\client.key:
CONNECTED(0000011C)
depth=1 C = ir, ST = khuzestan, L = dezful, O = nama, OU = nama, CN = Nama System
verify return:1
depth=0 C = ir, ST = khuzestan, L = dezful, O = nama, OU = nama, CN = 192.168.1.55
verify return:1
---
Certificate chain
 0 s:/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=192.168.1.55
   i:/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
 1 s:/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
   i:/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDQTCCAikCAQEwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UEBhMCaXIxEjAQBgNV
BAgMCWtodXplc3RhbjEPMA0GA1UEBwwGZGV6ZnVsMQ0wCwYDVQQKDARuYW1hMQ0w
CwYDVQQLDARuYW1hMRQwEgYDVQQDDAtOYW1hIFN5c3RlbTAeFw0xNjEwMDcxODE0
MjdaFw0xNzEwMDcxODE0MjdaMGcxCzAJBgNVBAYTAmlyMRIwEAYDVQQIDAlraHV6
ZXN0YW4xDzANBgNVBAcMBmRlemZ1bDENMAsGA1UECgwEbmFtYTENMAsGA1UECwwE
bmFtYTEVMBMGA1UEAwwMMTkyLjE2OC4xLjU1MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAo3U+hTqP6911dUELWS9V4h1W172KKNXq/eJqnWO32+nraVHI
jPiFDcU9qRDFNSUdbFAokOrtXVZXePebNKpgbzVW2EDp3EtU4OXzYd/32YEaW0NB
SXS8eQDoJZ4+d1wl/vIM5jRovGmnNEv94XQbeGrUKdYSzaZL0Zilcg7Qop2mG3cq
EKGLCZm2tTzgkRTwkng0L7ODq1SZE4yoy5T+WNqnEOjOlQ2hVfio8HGAgGqJXUY+
YHgj0Shk6nFfg5pRpH15poNRgVGlizqLolN/EUf2CzV12MCyjdri8d5ZMfrTbszN
lwpUzp/3K3CGYjSqzEWL+9j85dE11Lrdix+rcwIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQA1XaLfV36GBpOBw32fMvoK7K9XkwP52lvMYgcAPWZFjFvdZnysndDKntFe
cQXZdKnEzm3GNUv4APAEyj97VWnFKKM3lDLaMy99jWavdMNvyU4WpjT4DWj5kP0w
9Esc2fNDv6/A1ME4Ty1XUwNbfDjbG/pz0WZn00bgvbKwmA0GjHYFZTYC0W4wdion
dP9NPTJNENmOIeIE2N4tIPuieMTeCYqwRNplVldmzgeDYKW+n15glvRF1+18kuAC
xNj6bMTOwS2aY5DXthFeLNXWerspcgyUdTss/TdIJxO+pzA1s8ZN8E6RwqfIeKWv
gIwkTiitf8InLsQVRzxEzcmR5V15
-----END CERTIFICATE-----
subject=/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=192.168.1.55
issuer=/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
---
Acceptable client certificate CA names
/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3440 bytes and written 2352 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 155B16EEDAF469AB0E4604A02CAEF4C3FFF20834DE2E25CAD801480CB1E40B2C
    Session-ID-ctx:
    Master-Key: C83DD8E4633A8DECF0410FA1ED4591F49A10AC24E3B59DC1F6CFC2E5B05878EEB7589EE5F51237E51A01E7017A1F594E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6e c4 ab eb 6f d2 04 b3-81 73 9d cf fc a6 20 08   n...o....s.... .
    0010 - 08 1d 1e bc 9e 01 e5 0e-c6 c7 a3 81 02 a9 3d 04   ..............=.
    0020 - 5c 86 aa e6 b8 f0 ad 97-a8 e4 bd 44 5b a9 97 17   \..........D[...
    0030 - 39 81 71 bf 0c 67 4a b2-fd d9 fe d8 aa c9 5e af   9.q..gJ.......^.
    0040 - 21 78 c5 e0 30 c7 5c 0c-4a 62 84 15 4b 45 48 68   !x..0.\.Jb..KEHh
    0050 - a6 f8 3b 02 61 1a f2 43-11 54 c1 dc 73 3a 2a 27   ..;.a..C.T..s:*'
    0060 - 61 f1 32 df a8 0b 21 c5-fd 02 ff 86 d6 da 7a 79   a.2...!.......zy
    0070 - ae af 92 9e 2b a5 e8 eb-dc f8 c8 9b ec 5c a0 58   ....+........\.X
    0080 - 75 f5 c7 92 e4 01 49 66-be a2 96 fd 5a 36 34 08   u.....If....Z64.
    0090 - c2 eb 14 30 f8 54 45 43-e0 4f 83 45 a1 3d 33 37   ...0.TEC.O.E.=37
    00a0 - 0c fc 8f 46 8e f8 28 f3-0f df b7 db 71 2a 81 0e   ...F..(.....q*..
    00b0 - 39 2d 85 08 52 29 cf d1-8a 56 d6 b9 ca 24 10 a0   9-..R)...V...$..
    00c0 - 86 44 68 56 13 dc c7 7b-8d 45 c1 8c c4 b4 be 5d   .DhV...{.E.....]
    00d0 - 91 75 4c e9 a9 61 a1 d5-af 37 70 d9 7b 7d 9a bd   .uL..a...7p.{}..
    00e0 - 92 85 cc d9 a8 64 9c bf-7b 8f 89 67 9a 15 d7 47   .....d..{..g...G
    00f0 - 56 e9 45 39 35 b6 d5 e2-8d a6 75 0e 71 4d 9b b0   V.E95.....u.qM..
    0100 - 0e 97 ae 60 37 49 bd ed-97 93 35 98 10 45 a2 0b   ...`7I....5..E..
    0110 - dc a2 c9 af 3b 38 98 f9-af ab 65 83 80 fc b2 19   ....;8....e.....
    0120 - 10 b7 f6 4f 72 3d fd 2b-9c 18 90 9e be 32 0e 68   ...Or=.+.....2.h
    0130 - 60 ac 0f 13 94 b0 9e 80-d4 14 44 41 70 7d 40 86   `.........DAp}@.
    0140 - dd 04 66 da 5b 05 69 d3-57 db c9 e0 e5 76 4e 5e   ..f.[.i.W....vN^
    0150 - b5 07 d1 2b 47 ba 8e f1-92 38 68 b0 23 9e 98 4e   ...+G....8h.#..N
    0160 - dc aa fd 51 52 e0 7c 7b-f9 0e 30 58 d2 ae 80 5f   ...QR.|{..0X..._
    0170 - f2 85 0a 48 ab d6 6e 1c-ee 1b 1b 3d c6 b6 13 f6   ...H..n....=....
    0180 - ab cc 57 8d d8 90 cc 46-7c 6f af ff 83 46 b4 3d   ..W....F|o...F.=
    0190 - 1b c7 ed b4 f1 bd 91 c1-6e 22 7f 47 8c b1 39 ef   ........n".G..9.
    01a0 - 98 7b bc a2 09 0a 2e 76-13 e3 98 6f a1 b7 a3 bd   .{.....v...o....
    01b0 - 3f 8b 0e cd ca f3 65 83-a4 6f 8c 48 4a fa 82 db   ?.....e..o.HJ...
    01c0 - 96 f6 c5 e3 57 cf da 26-14 7f 91 65 cc a3 37 b3   ....W..&...e..7.
    01d0 - 4d 96 c9 4c 8a e4 cb c4-db 77 10 69 82 d5 7b e2   M..L.....w.i..{.
    01e0 - 0d 9e 62 8a 20 95 3a 8a-27 76 60 fa a8 4b 29 88   ..b. .:.'v`..K).
    01f0 - e5 90 e7 49 e9 a8 9e 14-8a f5 8f 06 da eb 1f 4c   ...I...........L
    0200 - b5 e7 9a d9 9b ed db 12-11 e2 f4 2b df cb 6f 73   ...........+..os
    0210 - 4e aa 53 a2 e7 04 ff 9c-de bc 5e 21 42 0c b7 2a   N.S.......^!B..*
    0220 - 1f d3 b9 1a b7 9b 25 92-ef 81 70 d5 1b 4d d5 9b   ......%...p..M..
    0230 - 65 40 52 c8 b4 cd b4 6b-ab d8 42 31 e0 2a 9f d4   e@R....k..B1.*..
    0240 - 35 78 34 b3 34 b5 9d 53-c2 56 82 ff e7 99 8b a6   5x4.4..S.V......
    0250 - bd 7b a5 a1 86 25 ce 45-ee 44 d4 14 19 0c 97 41   .{...%.E.D.....A
    0260 - b1 a2 c9 eb 5a c8 13 39-09 7a fa 58 15 83 fe e3   ....Z..9.z.X....
    0270 - e4 a7 5b f4 b7 74 65 bb-f7 5d d1 88 47 e2 a4 c3   ..[..te..]..G...
    0280 - 45 af 6e 31 86 73 19 1e-20 7c 3a a2 69 88 67 30   E.n1.s.. |:.i.g0
    0290 - de 3c 75 e0 d5 d4 1e 10-d8 80 ea ca 99 0a e7 c6   .<u.............
    02a0 - f5 8d ca 83 2c 23 3e 32-ec e6 72 6c 1d f1 6e 37   ....,#>2..rl..n7
    02b0 - 45 de ce 5b df a0 54 69-c5 a9 9d 9b 8f a5 7c 8c   E..[..Ti......|.
    02c0 - 0b 7d c4 b5 16 64 69 20-4e ca 0f 68 01 e9 bd db   .}...di N..h....
    02d0 - e5 17 a9 b7 40 d3 dc fd-c1 2a d7 3f a4 f8 2d e2   ....@....*.?..-.
    02e0 - f8 1f 83 25 44 d7 54 bb-e2 e6 5b 34 73 99 89 89   ...%D.T...[4s...
    02f0 - cd c8 49 53 cf f3 52 a4-c4 e6 9b b1 c6 16 85 1e   ..IS..R.........
    0300 - e8 0a af d0 8c 7e ab 6e-65 d6 2f 01 ff 59 b5 49   .....~.ne./..Y.I
    0310 - 41 56 cd 4a 3f de 75 3a-21 30 9b bc 14 66 71 87   AV.J?.u:!0...fq.
    0320 - 59 4e a2 e3 03 a1 95 7a-7a 28 7d 5a 09 05 d3 0a   YN.....zz(}Z....
    0330 - ea 4f 77 61 74 48 e4 6c-44 5b 7a 5c ed 6c f9 07   .OwatH.lD[z\.l..
    0340 - 96 ee a6 69 16 22 3b 8f-8c 53 a2 d2 b7 eb f5 3a   ...i.";..S.....:
    0350 - 8f 36 8e 2d 6e 59 58 7c-06 02 81 fb e2 c0 56 c2   .6.-nYX|......V.
    0360 - 4e 43 89 29 fd 68 0c 36-fc db 0a aa 77 70 c5 e9   NC.).h.6....wp..
    0370 - ea c2 78 9e 65 c0 10 12-73 90 54 22 80 4b 24 c9   ..x.e...s.T".K$.
    0380 - 74 39 41 d0 0c 59 61 1b-f2 eb 16 2b 35 19 88 13   t9A..Ya....+5...
    0390 - 58 79 22 83 03 2c 2c 49-52 10 7c a4 a5 ea 3a b2   Xy"..,,IR.|...:.
    03a0 - e9 94 51 70 44 71 ee 6a-1c 34 b4 aa 76 dd d3 08   ..QpDq.j.4..v...
    03b0 - 92 7d b8 db 04 47 3e ca-ea 6c 24 ac ae 9e 4f 15   .}...G>..l$...O.
    03c0 - 32 f2 34 30 9d 7d 67 29-51 17 89 26 d1 bb ec 1b   2.40.}g)Q..&....
    03d0 - 7d b2 b0 18 1f ed 84 bc-23 bb 21 04 1a 1e f5 88   }.......#.!.....
    03e0 - 10 c0 9e 97 ed f7 ee 9e-37 8f 57 27 38 59 e9 62   ........7.W'8Y.b
    03f0 - 69 58 ac 09 80 c4 42 05-93 2c 39 2e f1 3e ba f4   iX....B..,9..>..

    Start Time: 1476823635
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

It seems problem is android client authentication. My Android device version which i test the app on is Android 4.4 (Kitkat) and my Apache cipher suite is like this:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$

i have searched a lot and i guess the problem can be client and server Ciphers mismatch , but i am not sure if its right and i dont know how to fix it.

Thank you very much for the help.

---

UPDATE:

I am using NoSSLv3SocketFactory.java class to avoid sslv3.

it turned to this error: SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure, and here is my packet capture my packet capture and here is also my ssl access log :

[19/Oct/2016:00:47:46 +0330] 192.168.1.55 TLSv1 ECDHE-RSA-AES256-SHA "-" -
[19/Oct/2016:01:08:41 +0330] 192.168.1.55 TLSv1 ECDHE-RSA-AES256-SHA "-" -

Answer 1

Based on the information so far, especially the image of the packet capture, it looks like:

• Client and server successfully agree on a cipher (otherwise server would not sent its ServerHello)
• Client accepts the servers certificate (otherwise client would complain instead of continuing with the handshake)
• Client sends its own certificate
• Server sends back an alert: handshake_failure

The most likely thing is that the server does not like the clients certificate. Since the test with openssl s_client and a client certificate shows a successful handshake it might be that the Android client is sending a different certificate than used with the other test. Digging deeper into the packet capture should show, which certificate is sent by the client. Apart from that information about the problem should be visible on the server side, i.e. in server logs or similar.