Lee Tickett asked

SSL Error using CloseableHttpClient on Clover Mini (AOK on Genymotion emu)

I get the following;

12-24 08:36:01.122 3291-3291/com.example.lee.printticket W/System.err: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6ab8d020: Failure in SSL library, usually a protocol error
12-24 08:36:01.122 3291-3291/com.example.lee.printticket W/System.err: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x6847ece0:0x00000000)
12-24 08:36:01.123 3291-3291/com.example.lee.printticket W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:449)
12-24 08:36:01.124 3291-3291/com.example.lee.printticket W/System.err:     at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:190)
12-24 08:36:01.124 3291-3291/com.example.lee.printticket W/System.err:     at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:435)
12-24 08:36:01.124 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:291)
12-24 08:36:01.124 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:281)
12-24 08:36:01.124 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:124)
12-24 08:36:01.125 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)
12-24 08:36:01.125 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:373)
12-24 08:36:01.125 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:225)
12-24 08:36:01.125 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
12-24 08:36:01.126 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
12-24 08:36:01.126 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
12-24 08:36:01.126 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:178)
12-24 08:36:01.126 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
12-24 08:36:01.126 3291-3291/com.example.lee.printticket W/System.err:     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)

I found the following article on Google; http://stackoverflow.com/questions/29... which suggests it's a bug in Android versions < 4.4... but afaik the Clover devices run 4.4? Also the solution looks a bit beyond my current Java expertise. Is there a simple device-specific configurable I've missed? Is there an alternate library I would be better using? (making simple HTTP GET API calls).

Thanks

1 comment

Lee Tickett commented ·

Troubleshooting so far; http://stackoverflow.com/questions/34... still stuck!


1 Answer

Brian Murray answered

It appears that you are attempting a handshake with a server that only supports SSL 3.0. All versions of SSL have known security issues and are not supported by Clover Mobile/Mini.

Clover Mobile/Mini only support TLS 1.2 with the following cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384

To fix this issue, you will need to upgrade your server to support one of the above cipher suites.

EDIT:

Clover Station only supports TLS 1.0 due to limitations in Android 4.2 Jelly Bean. Clover Station does not yet support the cipher suites required for Mobile/Mini. For the time being, we recommend that your server support TLS 1.0 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

EDIT 2

We will be updating Clover Station to support TLS 1.2. We will also be dropping TLS 1.0 support. Please see this blog post for details.

5 comments

Lee Tickett commented ·

Damn. I think the site is correctly configured for TLS but not using any of the ciphers you mentioned. I will get in touch with the supplier, but getting it changed is probably unlikely. In the meantime I have managed to work around the issue by creating an http -> https proxy and accessing the API via the proxy.

Brian Murray commented ·

If you use an HTTPS to HTTP proxy, please clear it with the API provider and verify no sensitive information is being sent in plain text.

Bryanne Vega commented ·

So Clover can't connect to the AWS services?

Running an EC2 Instance with server on 8443.

Lee Tickett commented ·

Hi Brian, with your latest edit regarding TLS 1.2, will this have any impact on the cipher suites? Thanks

Brian Murray commented ·

No changes are being made to the cipher suites supported by Mobile and Mini. When the rollout is complete, Station will support the same cipher suites as Mobile and Mini.

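A way to check a server against the answer's TLS 1.2 suite list from a workstation, as an added example that is not part of the original thread or Clover's code. It assumes desktop Python/OpenSSL is a fair stand-in for the device's offer (protocol version and suite list only, not curves or extensions); the function names are hypothetical and the host is whatever you pass on the command line.

```python
import socket
import ssl
import sys

# IANA names from the answer above, mapped to the OpenSSL names Python's ssl
# module expects.
CLOVER_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
}

def clover_like_context():
    """Client context pinned to TLS 1.2 and the eight listed suites only."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(CLOVER_SUITES.values()))
    return ctx

def offered_suites(ctx):
    """OpenSSL names of the TLS 1.2 suites this context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]

def probe(host, port=443, timeout=5.0):
    """Attempt a handshake with host:port; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with clover_like_context().wrap_socket(raw, server_hostname=host) as tls:
                name, version, _bits = tls.cipher()
                return True, f"{version} {name}"
    except ssl.SSLError as exc:   # e.g. a handshake_failure alert: no shared suite
        return False, f"TLS failure: {exc.reason or exc}"
    except OSError as exc:        # DNS error, refused connection, timeout
        return False, f"connection failure: {exc}"

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offering:", ", ".join(offered_suites(clover_like_context())))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(probe(sys.argv[1], port))
```

A `TLS failure` result against a reachable server is the workstation-side equivalent of the handshake alert in the question's log, and points at the server's protocol or cipher configuration rather than at the app.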
