I need to interface with a 3rd party API in an Android application (Android API 24) written in Kotlin. I have the source generated by Swagger, but I still don't have any success getting data. Each time I call the API class I get this exception:

    error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0xa7cf3780:0x00000001)
    error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0xa52a6266:0x00000000)
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
            ... 22 more
    Disconnected from the target VM, address: 'localhost:37941', transport: 'socket'

The problem is clearly caused by a failed SSLv3 handshake, which makes sense as this 3rd party API supports only TLS 1.3. I made some modifications to the auto-generated ApiClient.kt class to force it to use the proper TLS version with supported ciphers. Unfortunately I still get the same error. OkHttp seems to completely ignore the configuration I'm forcing and still tries to connect to the endpoint using unsupported SSLv3.

    companion object {
        protected const val ContentType = "Content-Type"
        protected const val Accept = "Accept"
        protected const val JsonMediaType = "application/json"
        protected const val FormDataMediaType = "multipart/form-data"
        protected const val XmlMediaType = "application/xml"

        // Pin the client to TLS 1.2 and a single ECDSA cipher suite
        @JvmStatic
        val connspec: ConnectionSpec = ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
                .build()

        // Only this one spec is offered, so there is no fallback if the server rejects it
        @JvmStatic
        val client: OkHttpClient = OkHttpClient.Builder()
                .connectionSpecs(listOf(connspec))
                .build()

        @JvmStatic
        var defaultHeaders: Map<String, String> by ApplicationDelegates.setOnce(mapOf(ContentType to JsonMediaType, Accept to JsonMediaType))

        @JvmStatic
        val jsonHeaders: Map<String, String> = mapOf(ContentType to JsonMediaType, Accept to JsonMediaType)
    }

Could somebody guide me where to look for the root cause of those errors?

Mateusz L
  • If you can connect using the compatible cipher spec, but it fails when you restrict to TLSv1.2, then likely it requires a server upgrade. Can you provide debug output from curl or similar for a successful request? – Yuri Schimke Dec 17 '20 at 06:08
  • Unfortunately I can't connect. I mean that even if I force OkHttp to use only TLS 1.2 I still get `SSLV3_ALERT_HANDSHAKE_FAILURE`, which suggests that the library still uses the obsolete protocol and fails after the server denies the SSLv3. Curl dump is here: https://pastebin.pl/view/96c47cea – Mateusz L Dec 17 '20 at 07:54
  • What about if you relax the cipher suite restrictions and just use ConnectionSpec.RESTRICTED_TLS without modification? Once you start restricting further you shouldn't be too surprised to have SSL failures. You might need to start debugging the JVM SSL Handshake if you care about this level of detail. – Yuri Schimke Dec 17 '20 at 08:08
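An added diagnostic, not from the question or the Swagger-generated ApiClient, that applies Yuri's suggestion of `ConnectionSpec.RESTRICTED_TLS` (with `MODERN_TLS` as fallback) and reads the negotiated protocol and cipher suite back from the response's `Handshake` instead of inferring them from the alert name. It assumes OkHttp 4.x and uses a placeholder URL.

```kotlin
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.Request
import java.io.IOException
import javax.net.ssl.SSLHandshakeException

// Added example (not the question's or Swagger's code); assumes OkHttp 4.x.
// Offer OkHttp's curated RESTRICTED_TLS first and fall back to MODERN_TLS, instead
// of the single hand-picked ECDSA-only suite the question's ConnectionSpec allowed.
val diagnosticClient: OkHttpClient = OkHttpClient.Builder()
    .connectionSpecs(listOf(ConnectionSpec.RESTRICTED_TLS, ConnectionSpec.MODERN_TLS))
    .build()

/** Summarise what a ConnectionSpec lets the client offer in its ClientHello. */
fun describe(spec: ConnectionSpec): String {
    val versions = spec.tlsVersions?.joinToString { it.javaName } ?: "(any)"
    val suites = spec.cipherSuites?.joinToString { it.javaName } ?: "(platform default)"
    return "TLS versions: $versions; cipher suites: $suites"
}

/**
 * Perform one request and report the TLS version and cipher suite that were actually
 * negotiated (the authoritative answer to "which protocol did OkHttp use?"). On a
 * handshake failure, report what this client was allowed to offer instead.
 */
fun probeHandshake(client: OkHttpClient, url: String): String {
    val request = Request.Builder().url(url).build()
    return try {
        client.newCall(request).execute().use { response ->
            val hs = response.handshake ?: return@use "no TLS handshake (cleartext URL?)"
            "negotiated ${hs.tlsVersion.javaName} with ${hs.cipherSuite.javaName}; " +
                "server sent ${hs.peerCertificates.size} certificate(s)"
        }
    } catch (e: SSLHandshakeException) {
        // A mismatch such as an RSA-only server against an ECDSA-only suite list shows up here.
        val offered = client.connectionSpecs.filter { it.isTls }
            .joinToString("\n") { "  offered ${describe(it)}" }
        "handshake failed: ${e.message}\n$offered"
    } catch (e: IOException) {
        "I/O failure: ${e.message}"
    }
}

fun main() {
    // Placeholder host: substitute the 3rd-party API endpoint being debugged.
    println(probeHandshake(diagnosticClient, "https://api.example.com/"))
}
```

The BoringSSL reason string `SSLV3_ALERT_HANDSHAKE_FAILURE` only records that the peer sent a `handshake_failure` alert (the alert was defined in the SSLv3 era), and `HANDSHAKE_FAILURE_ON_CLIENT_HELLO` that the server rejected the ClientHello; neither is evidence that SSLv3 was offered, so the `Handshake` fields above are the reliable place to check what was negotiated.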

1 Answer

The problem was solved some time ago and it was completely unrelated to the application code itself. As I discovered, Android 7.0 has a bug in the BoringSSL library which doesn't support some elliptic curves. When I bumped the target API version the SSL exception disappeared. The problem is described here: Android - SSL/TLS and ECC (Elliptic curve cryptography)

Mateusz L
  • From Review: Hi, while links are a great way of sharing knowledge, they won't really answer the question if they get broken in the future. Add to your answer the essential content of the link which answers the question. In case the content is too complex or too big to fit here, describe the general idea of the proposed solution. Remember to always keep a link reference to the original solution's website. See: [How do I write a good answer?](https://stackoverflow.com/help/how-to-answer) – sɐunıɔןɐqɐp Feb 05 '21 at 15:30