
I have an Android app using ION to make HTTPS requests to my backend. This morning, suddenly it started failing with SSL handshake errors:

javax.net.ssl.SSLHandshakeException: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE

This is pretty much the only info from the log.

This happened first on one phone, then another, and another, without any changes having been pushed to either the phone app or the backend. It seems to be related to an update of Google Play Services. The phones are running both Marshmallow and Nougat.

It does not fail with all servers, it seems to be related to my server on AWS using API gateway/Cloudfront. Directly accessing my EC2 servers using the same certificate works fine.

Using openssl I get the following output:

$ openssl s_client -connect <my-server>:443
CONNECTED(00000003)
SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
JHH

2 Answers

After finding this AWS forum thread, I suspected SNI might be the problem, which led me to this Stack Overflow question that includes a fix consisting of disabling ION's Conscrypt MW:

mIon.getConscryptMiddleware().enable(false);

Just put this in your Application sub-class or anywhere else where Ion is configured. If you don't use a dedicated Ion instance, you could call this on Ion.getDefault().

I am not fully aware of the consequences of this change, but it does solve my issue. Note that the linked question mentions that this should NOT be needed once Google Play Services is updated, but in my case it seems an update of GPS was what triggered the need for this change. Anyone who can shed some light on why this works and what it does is very welcome to contribute to this answer.

JHH

I am not fully aware of the consequences of this change

I can only comment on this, I'm not familiar with the other details of your project.

Usually you'll find that older clients/runtimes don't support SNI because it is a more modern technology, I think introduced with TLS. For example I believe Python 2.6 doesn't support SNI.

Most modern clients/runtimes will support SNI and have no trouble communicating with API GW. In this case the TLS handshake is terminating at CloudFront, which by default requires that clients use SNI.

jackko