I am trying to interact with a server using a self signed certificate.

It works fine for Nougat but has an exception for Oreo:

```
javax.net.ssl.SSLHandshakeException: Handshake failed
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:444)
```

Based off Android O's changelog, it does seem like things have changed in regards to insecure protocol fallbacks. I'd just like to make sure that my trust manager isn't the issue:

```java
public static OkHttpClient getClient() {
    try {
        // Create a trust manager that does not validate certificate chains
        final TrustManager[] trustAllCerts = new TrustManager[]{
                new X509TrustManager() {
                    @SuppressLint("TrustAllX509TrustManager")
                    @Override
                    public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
                    }

                    @SuppressLint("TrustAllX509TrustManager")
                    @Override
                    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
                    }

                    @Override
                    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                        return new java.security.cert.X509Certificate[]{};
                    }
                }
        };

        // Install the all-trusting trust manager
        final SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());

        // Create an ssl socket factory with our all-trusting manager
        final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);

        // Allow our hostname
        builder.hostnameVerifier((hostname, session) -> {
            return hostname.equals(API_HOST_NAME);
        });
        builder.addInterceptor(new MyCustomInterceptor());
        if (BuildConfig.DEBUG) {
            builder.addInterceptor(new HttpLoggingInterceptor().setLevel(HttpLoggingInterceptor.Level.BASIC));
            builder.addNetworkInterceptor(new StethoInterceptor());
        }
        return builder.build();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}
```

The server's configurations are based off of this example.

Is there anything visibly wrong with my client, or is this perhaps an issue on the server?

Phantômaxx
Allan W

1 Answer

After more testing, it seemed like it was working on Oreo, and was namely an issue with Android 7.0.

The solution to our problem is found in this Stack Overflow, which references this Android bug.

To summarize, the issue had to do with Android 7.0 supporting only one elliptic curve.

Allan W