SSL Handshake failed with Android 7.0 supporting secp256r1 curve


We started encountering an SSL handshake error on a few old mobile devices after upgrading our web server from Ubuntu 16.04 to 18.04. On digging a bit deeper we noticed a few things:

  1. The mobile devices which were facing this issue had Android 7.0 as their operating system.
  2. On upgrading the Android operating system, SSL handshake happened smoothly.
  3. The error we got on the mobile during handshake was

    SSL handshake terminated: ssl=0x8c78e100: Failure in SSL library, usually a protocol error error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x7a7c16e0:0x00000001) error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIE

  4. The error we saw on enabling the debug error log on the OpenResty web server was

    SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking,

  5. The ECDH curves listed in the web-server configuration were secp384r1:prime256v1:secp521r1

  6. The only ECDH curve supported by the Android device, as seen in Wireshark during the Client Hello, was secp256r1.
  7. As far as we understood, prime256v1 and secp256r1 are both NIST P-256, so since we support prime256v1 and the Android device supports secp256r1, this should work, but doesn't.
  8. On trying to specify secp256r1 in the web server, it fails with the following error.

    [emerge] SSL_CTX_set1_curves_list("secp384r1:prime256v1:secp521r1:secp256r1") failed (SSL:)

  9. Another thing to note is that we support TLSv1.2 and TLSv1.3 in our web server.

  10. Below is the list of curves supported by OpenSSL

    root@staging-senpiper:/etc/openresty# openssl ecparam -list_curves
    secp112r1 : SECG/WTLS curve over a 112 bit prime field
    secp112r2 : SECG curve over a 112 bit prime field
    secp128r1 : SECG curve over a 128 bit prime field
    secp128r2 : SECG curve over a 128 bit prime field
    secp160k1 : SECG curve over a 160 bit prime field
    secp160r1 : SECG curve over a 160 bit prime field
    secp160r2 : SECG/WTLS curve over a 160 bit prime field
    secp192k1 : SECG curve over a 192 bit prime field
    secp224k1 : SECG curve over a 224 bit prime field
    secp224r1 : NIST/SECG curve over a 224 bit prime field
    secp256k1 : SECG curve over a 256 bit prime field
    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field
    prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
    prime192v2: X9.62 curve over a 192 bit prime field
    prime192v3: X9.62 curve over a 192 bit prime field
    prime239v1: X9.62 curve over a 239 bit prime field
    prime239v2: X9.62 curve over a 239 bit prime field
    prime239v3: X9.62 curve over a 239 bit prime field
    prime256v1: X9.62/SECG curve over a 256 bit prime field
    sect113r1 : SECG curve over a 113 bit binary field
    sect113r2 : SECG curve over a 113 bit binary field
    sect131r1 : SECG/WTLS curve over a 131 bit binary field
    sect131r2 : SECG curve over a 131 bit binary field
    sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
    sect163r1 : SECG curve over a 163 bit binary field
    sect163r2 : NIST/SECG curve over a 163 bit binary field
    sect193r1 : SECG curve over a 193 bit binary field
    sect193r2 : SECG curve over a 193 bit binary field
    sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
    sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
    sect239k1 : SECG curve over a 239 bit binary field
    sect283k1 : NIST/SECG curve over a 283 bit binary field
    sect283r1 : NIST/SECG curve over a 283 bit binary field
    sect409k1 : NIST/SECG curve over a 409 bit binary field
    sect409r1 : NIST/SECG curve over a 409 bit binary field
    sect571k1 : NIST/SECG curve over a 571 bit binary field
    sect571r1 : NIST/SECG curve over a 571 bit binary field
    c2pnb163v1: X9.62 curve over a 163 bit binary field
    c2pnb163v2: X9.62 curve over a 163 bit binary field
    c2pnb163v3: X9.62 curve over a 163 bit binary field
    c2pnb176v1: X9.62 curve over a 176 bit binary field
    c2tnb191v1: X9.62 curve over a 191 bit binary field
    c2tnb191v2: X9.62 curve over a 191 bit binary field
    c2tnb191v3: X9.62 curve over a 191 bit binary field
    c2pnb208w1: X9.62 curve over a 208 bit binary field
    c2tnb239v1: X9.62 curve over a 239 bit binary field
    c2tnb239v2: X9.62 curve over a 239 bit binary field
    c2tnb239v3: X9.62 curve over a 239 bit binary field
    c2pnb272w1: X9.62 curve over a 272 bit binary field
    c2pnb304w1: X9.62 curve over a 304 bit binary field
    c2tnb359v1: X9.62 curve over a 359 bit binary field
    c2pnb368w1: X9.62 curve over a 368 bit binary field
    c2tnb431r1: X9.62 curve over a 431 bit binary field
    wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
    wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
    wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
    wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
    wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
    wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
    wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
    wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
    wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
    wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
    wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
    Oakley-EC2N-3: IPSec/IKE/Oakley curve #3 over a 155 bit binary field. Not suitable for ECDSA. Questionable extension field!
    Oakley-EC2N-4: IPSec/IKE/Oakley curve #4 over a 185 bit binary field. Not suitable for ECDSA. Questionable extension field!
    brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
    brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
    brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
    brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
    brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
    brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
    brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
    brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
    brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
    brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
    brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
    brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
    brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
    brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
    SM2       : SM2 curve over a 256 bit prime field

Any help or pointers will be greatly appreciated

android
ssl
nginx
openssl
asked on Stack Overflow May 19, 2020 by raman2887
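
Added example (not part of the original question): a Python sketch of the curve comparison described in points 5 to 8, mapping the server's configured curve names to TLS supported-group IDs and intersecting them with the body of a ClientHello `supported_groups` extension. The name table, the function names and the sample bytes are constructed for illustration; the table covers only the names relevant here and treats anything else as unrecognised.

```python
import struct

# IANA TLS "Supported Groups" code points (RFC 8422, RFC 8446).
TLS_GROUP_ID = {"secp256r1": 23, "secp384r1": 24, "secp521r1": 25, "x25519": 29}

# Config-side curve name -> TLS group name. Assumption: limited to the
# names relevant to the question; any other name is rejected, which is
# how "secp256r1" behaved in point 8.
CONFIG_NAME_TO_TLS = {
    "prime256v1": "secp256r1", "P-256": "secp256r1",
    "secp384r1": "secp384r1", "P-384": "secp384r1",
    "secp521r1": "secp521r1", "P-521": "secp521r1",
    "X25519": "x25519",
}


def parse_supported_groups(ext_body: bytes) -> list:
    """Decode a supported_groups extension body: u16 length, then u16 IDs."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len != len(ext_body) - 2 or list_len % 2:
        raise ValueError("bad supported_groups length")
    return list(struct.unpack(f"!{list_len // 2}H", ext_body[2:]))


def shared_groups(server_curves: str, ext_body: bytes) -> list:
    """Configured curves, in server order, that the client also offered."""
    offered = set(parse_supported_groups(ext_body))
    shared = []
    for name in server_curves.split(":"):
        if name not in CONFIG_NAME_TO_TLS:
            raise ValueError(f"unrecognised curve name: {name}")
        if TLS_GROUP_ID[CONFIG_NAME_TO_TLS[name]] in offered:
            shared.append(name)
    return shared


# Constructed sample: a client offering only secp256r1 (group 0x0017).
ANDROID7_GROUPS = bytes.fromhex("00020017")

if __name__ == "__main__":
    print(shared_groups("secp384r1:prime256v1:secp521r1", ANDROID7_GROUPS))
```

A non-empty result means the configured curve list and the client's offered groups do overlap on the wire, since both names resolve to group 23.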

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0