ssl23_get_server_hello:tlsv1 警报握手失败 android 4.4
[英]ssl23_get_server_hello:tlsv1 alert handshake failure android 4.4
问题描述
I am working on an client - server application project with an Android client and Apache server and mutual authentication (ie, client certificate).
我正在使用 Android 客户端和 Apache 服务器以及相互身份验证(即客户端证书)开发客户端 - 服务器应用程序项目。 I am poor in SSL/TLS.我在 SSL/TLS 方面很差。
Server authentication get done all okay but when it comes to client authentication this error: ssl23_get_server_hello:tlsv1 alert handshake failure happens.服务器身份验证一切正常,但是当涉及到客户端身份验证时,会出现此错误: ssl23_get_server_hello:tlsv1 alert handshake failure 。 I have also checked packets using WireShark many times and i also have created self signed certificates using my self created CA many times.我还多次使用 WireShark 检查数据包,并且我还多次使用我自己创建的 CA 创建了自签名证书。
I should mention I've set Apache SSLVerifyClient property on "require" and SSLVerifyDepth on 1 and SSLCACertificateFile is set also.我应该提到我已经在“require”上设置了 Apache SSLVerifyClient属性,在1上设置了SSLVerifyDepth ,并且还设置了SSLCACertificateFile 。 on "optional" everything is okay but i dont want it to be like that.在“可选”上一切正常,但我不希望它变成那样。
It seems everything is okay and without problem on my localhost when I test it using openssl s_client and I address client cert and key and CA file .当我使用openssl s_client对其进行测试并解决客户端证书和密钥以及 CA 文件时,在我的localhost上似乎一切正常且没有问题。
c:\OpenSSL-Win64\bin>openssl s_client -connect 192.168.1.55:443 -key c:\xampp\apache\conf\ssl.key\client.key
-cert c:\xampp\apache\conf\ssl.crt\client.crt -CAfile c:\xampp\apache\conf\ssl.crt\ca.crt
Enter pass phrase for c:\xampp\apache\conf\ssl.key\client.key:
CONNECTED(0000011C)
depth=1 C = ir, ST = khuzestan, L = dezful, O = nama, OU = nama, CN = Nama System
verify return:1
depth=0 C = ir, ST = khuzestan, L = dezful, O = nama, OU = nama, CN = 192.168.1.55
verify return:1
---
Certificate chain
0 s:/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=192.168.1.55
i:/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
1 s:/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
i:/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDQTCCAikCAQEwDQYJKoZIhvcNAQELBQAwZjELMAkGA1UEBhMCaXIxEjAQBgNV
BAgMCWtodXplc3RhbjEPMA0GA1UEBwwGZGV6ZnVsMQ0wCwYDVQQKDARuYW1hMQ0w
CwYDVQQLDARuYW1hMRQwEgYDVQQDDAtOYW1hIFN5c3RlbTAeFw0xNjEwMDcxODE0
MjdaFw0xNzEwMDcxODE0MjdaMGcxCzAJBgNVBAYTAmlyMRIwEAYDVQQIDAlraHV6
ZXN0YW4xDzANBgNVBAcMBmRlemZ1bDENMAsGA1UECgwEbmFtYTENMAsGA1UECwwE
bmFtYTEVMBMGA1UEAwwMMTkyLjE2OC4xLjU1MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAo3U+hTqP6911dUELWS9V4h1W172KKNXq/eJqnWO32+nraVHI
jPiFDcU9qRDFNSUdbFAokOrtXVZXePebNKpgbzVW2EDp3EtU4OXzYd/32YEaW0NB
SXS8eQDoJZ4+d1wl/vIM5jRovGmnNEv94XQbeGrUKdYSzaZL0Zilcg7Qop2mG3cq
EKGLCZm2tTzgkRTwkng0L7ODq1SZE4yoy5T+WNqnEOjOlQ2hVfio8HGAgGqJXUY+
YHgj0Shk6nFfg5pRpH15poNRgVGlizqLolN/EUf2CzV12MCyjdri8d5ZMfrTbszN
lwpUzp/3K3CGYjSqzEWL+9j85dE11Lrdix+rcwIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQA1XaLfV36GBpOBw32fMvoK7K9XkwP52lvMYgcAPWZFjFvdZnysndDKntFe
cQXZdKnEzm3GNUv4APAEyj97VWnFKKM3lDLaMy99jWavdMNvyU4WpjT4DWj5kP0w
9Esc2fNDv6/A1ME4Ty1XUwNbfDjbG/pz0WZn00bgvbKwmA0GjHYFZTYC0W4wdion
dP9NPTJNENmOIeIE2N4tIPuieMTeCYqwRNplVldmzgeDYKW+n15glvRF1+18kuAC
xNj6bMTOwS2aY5DXthFeLNXWerspcgyUdTss/TdIJxO+pzA1s8ZN8E6RwqfIeKWv
gIwkTiitf8InLsQVRzxEzcmR5V15
-----END CERTIFICATE-----
subject=/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=192.168.1.55
issuer=/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
---
Acceptable client certificate CA names
/C=ir/ST=khuzestan/L=dezful/O=nama/OU=nama/CN=Nama System
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3440 bytes and written 2352 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 155B16EEDAF469AB0E4604A02CAEF4C3FFF20834DE2E25CAD801480CB1E40B2C
Session-ID-ctx:
Master-Key: C83DD8E4633A8DECF0410FA1ED4591F49A10AC24E3B59DC1F6CFC2E5B05878EEB7589EE5F51237E51A01E7017A1F594E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6e c4 ab eb 6f d2 04 b3-81 73 9d cf fc a6 20 08 n...o....s.... .
0010 - 08 1d 1e bc 9e 01 e5 0e-c6 c7 a3 81 02 a9 3d 04 ..............=.
0020 - 5c 86 aa e6 b8 f0 ad 97-a8 e4 bd 44 5b a9 97 17 \..........D[...
0030 - 39 81 71 bf 0c 67 4a b2-fd d9 fe d8 aa c9 5e af 9.q..gJ.......^.
0040 - 21 78 c5 e0 30 c7 5c 0c-4a 62 84 15 4b 45 48 68 !x..0.\.Jb..KEHh
0050 - a6 f8 3b 02 61 1a f2 43-11 54 c1 dc 73 3a 2a 27 ..;.a..C.T..s:*'
0060 - 61 f1 32 df a8 0b 21 c5-fd 02 ff 86 d6 da 7a 79 a.2...!.......zy
0070 - ae af 92 9e 2b a5 e8 eb-dc f8 c8 9b ec 5c a0 58 ....+........\.X
0080 - 75 f5 c7 92 e4 01 49 66-be a2 96 fd 5a 36 34 08 u.....If....Z64.
0090 - c2 eb 14 30 f8 54 45 43-e0 4f 83 45 a1 3d 33 37 ...0.TEC.O.E.=37
00a0 - 0c fc 8f 46 8e f8 28 f3-0f df b7 db 71 2a 81 0e ...F..(.....q*..
00b0 - 39 2d 85 08 52 29 cf d1-8a 56 d6 b9 ca 24 10 a0 9-..R)...V...$..
00c0 - 86 44 68 56 13 dc c7 7b-8d 45 c1 8c c4 b4 be 5d .DhV...{.E.....]
00d0 - 91 75 4c e9 a9 61 a1 d5-af 37 70 d9 7b 7d 9a bd .uL..a...7p.{}..
00e0 - 92 85 cc d9 a8 64 9c bf-7b 8f 89 67 9a 15 d7 47 .....d..{..g...G
00f0 - 56 e9 45 39 35 b6 d5 e2-8d a6 75 0e 71 4d 9b b0 V.E95.....u.qM..
0100 - 0e 97 ae 60 37 49 bd ed-97 93 35 98 10 45 a2 0b ...`7I....5..E..
0110 - dc a2 c9 af 3b 38 98 f9-af ab 65 83 80 fc b2 19 ....;8....e.....
0120 - 10 b7 f6 4f 72 3d fd 2b-9c 18 90 9e be 32 0e 68 ...Or=.+.....2.h
0130 - 60 ac 0f 13 94 b0 9e 80-d4 14 44 41 70 7d 40 86 `.........DAp}@.
0140 - dd 04 66 da 5b 05 69 d3-57 db c9 e0 e5 76 4e 5e ..f.[.i.W....vN^
0150 - b5 07 d1 2b 47 ba 8e f1-92 38 68 b0 23 9e 98 4e ...+G....8h.#..N
0160 - dc aa fd 51 52 e0 7c 7b-f9 0e 30 58 d2 ae 80 5f ...QR.|{..0X..._
0170 - f2 85 0a 48 ab d6 6e 1c-ee 1b 1b 3d c6 b6 13 f6 ...H..n....=....
0180 - ab cc 57 8d d8 90 cc 46-7c 6f af ff 83 46 b4 3d ..W....F|o...F.=
0190 - 1b c7 ed b4 f1 bd 91 c1-6e 22 7f 47 8c b1 39 ef ........n".G..9.
01a0 - 98 7b bc a2 09 0a 2e 76-13 e3 98 6f a1 b7 a3 bd .{.....v...o....
01b0 - 3f 8b 0e cd ca f3 65 83-a4 6f 8c 48 4a fa 82 db ?.....e..o.HJ...
01c0 - 96 f6 c5 e3 57 cf da 26-14 7f 91 65 cc a3 37 b3 ....W..&...e..7.
01d0 - 4d 96 c9 4c 8a e4 cb c4-db 77 10 69 82 d5 7b e2 M..L.....w.i..{.
01e0 - 0d 9e 62 8a 20 95 3a 8a-27 76 60 fa a8 4b 29 88 ..b. .:.'v`..K).
01f0 - e5 90 e7 49 e9 a8 9e 14-8a f5 8f 06 da eb 1f 4c ...I...........L
0200 - b5 e7 9a d9 9b ed db 12-11 e2 f4 2b df cb 6f 73 ...........+..os
0210 - 4e aa 53 a2 e7 04 ff 9c-de bc 5e 21 42 0c b7 2a N.S.......^!B..*
0220 - 1f d3 b9 1a b7 9b 25 92-ef 81 70 d5 1b 4d d5 9b ......%...p..M..
0230 - 65 40 52 c8 b4 cd b4 6b-ab d8 42 31 e0 2a 9f d4 e@R....k..B1.*..
0240 - 35 78 34 b3 34 b5 9d 53-c2 56 82 ff e7 99 8b a6 5x4.4..S.V......
0250 - bd 7b a5 a1 86 25 ce 45-ee 44 d4 14 19 0c 97 41 .{...%.E.D.....A
0260 - b1 a2 c9 eb 5a c8 13 39-09 7a fa 58 15 83 fe e3 ....Z..9.z.X....
0270 - e4 a7 5b f4 b7 74 65 bb-f7 5d d1 88 47 e2 a4 c3 ..[..te..]..G...
0280 - 45 af 6e 31 86 73 19 1e-20 7c 3a a2 69 88 67 30 E.n1.s.. |:.i.g0
0290 - de 3c 75 e0 d5 d4 1e 10-d8 80 ea ca 99 0a e7 c6 .<u.............
02a0 - f5 8d ca 83 2c 23 3e 32-ec e6 72 6c 1d f1 6e 37 ....,#>2..rl..n7
02b0 - 45 de ce 5b df a0 54 69-c5 a9 9d 9b 8f a5 7c 8c E..[..Ti......|.
02c0 - 0b 7d c4 b5 16 64 69 20-4e ca 0f 68 01 e9 bd db .}...di N..h....
02d0 - e5 17 a9 b7 40 d3 dc fd-c1 2a d7 3f a4 f8 2d e2 ....@....*.?..-.
02e0 - f8 1f 83 25 44 d7 54 bb-e2 e6 5b 34 73 99 89 89 ...%D.T...[4s...
02f0 - cd c8 49 53 cf f3 52 a4-c4 e6 9b b1 c6 16 85 1e ..IS..R.........
0300 - e8 0a af d0 8c 7e ab 6e-65 d6 2f 01 ff 59 b5 49 .....~.ne./..Y.I
0310 - 41 56 cd 4a 3f de 75 3a-21 30 9b bc 14 66 71 87 AV.J?.u:!0...fq.
0320 - 59 4e a2 e3 03 a1 95 7a-7a 28 7d 5a 09 05 d3 0a YN.....zz(}Z....
0330 - ea 4f 77 61 74 48 e4 6c-44 5b 7a 5c ed 6c f9 07 .OwatH.lD[z\.l..
0340 - 96 ee a6 69 16 22 3b 8f-8c 53 a2 d2 b7 eb f5 3a ...i.";..S.....:
0350 - 8f 36 8e 2d 6e 59 58 7c-06 02 81 fb e2 c0 56 c2 .6.-nYX|......V.
0360 - 4e 43 89 29 fd 68 0c 36-fc db 0a aa 77 70 c5 e9 NC.).h.6....wp..
0370 - ea c2 78 9e 65 c0 10 12-73 90 54 22 80 4b 24 c9 ..x.e...s.T".K$.
0380 - 74 39 41 d0 0c 59 61 1b-f2 eb 16 2b 35 19 88 13 t9A..Ya....+5...
0390 - 58 79 22 83 03 2c 2c 49-52 10 7c a4 a5 ea 3a b2 Xy"..,,IR.|...:.
03a0 - e9 94 51 70 44 71 ee 6a-1c 34 b4 aa 76 dd d3 08 ..QpDq.j.4..v...
03b0 - 92 7d b8 db 04 47 3e ca-ea 6c 24 ac ae 9e 4f 15 .}...G>..l$...O.
03c0 - 32 f2 34 30 9d 7d 67 29-51 17 89 26 d1 bb ec 1b 2.40.}g)Q..&....
03d0 - 7d b2 b0 18 1f ed 84 bc-23 bb 21 04 1a 1e f5 88 }.......#.!.....
03e0 - 10 c0 9e 97 ed f7 ee 9e-37 8f 57 27 38 59 e9 62 ........7.W'8Y.b
03f0 - 69 58 ac 09 80 c4 42 05-93 2c 39 2e f1 3e ba f4 iX....B..,9..>..
Start Time: 1476823635
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
It seems problem is android client authentication.似乎问题是android客户端身份验证。 My Android device version which i test the app on is Android 4.4 (Kitkat) and my Apache cipher suite is like this:我测试应用程序的 Android 设备版本是 Android 4.4 (Kitkat),我的 Apache 密码套件是这样的:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GC$
i have searched a lot and i guess the problem can be client and server Ciphers mismatch , but i am not sure if its right and i dont know how to fix it.我已经搜索了很多,我想问题可能是客户端和服务器密码不匹配,但我不确定它是否正确,我不知道如何解决它。
Thank you very much for the help.非常感谢你的帮助。
UPDATE :更新:
I am using NoSSLv3SocketFactory.java class to avoid sslv3.我正在使用NoSSLv3SocketFactory.java类来避免 sslv3。
it turned to this error: SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure , and here is my packet capture my packet capture and here is also my ssl access log :它变成了这个错误: SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure ,这是我的数据包捕获我的数据包捕获,这也是我的 ssl 访问日志:
[19/Oct/2016:00:47:46 +0330] 192.168.1.55 TLSv1 ECDHE-RSA-AES256-SHA "-" -
[19/Oct/2016:01:08:41 +0330] 192.168.1.55 TLSv1 ECDHE-RSA-AES256-SHA "-" -
1 个解决方案
解决方案1
1 2016-10-19 05:56:45
Based on the information so far, especially the image of the packet capture, it looks like:根据目前的信息,尤其是抓包的图像,它看起来像:
- Client and server successfully agree on a cipher (otherwise server would not sent its ServerHello)客户端和服务器成功就密码达成一致(否则服务器不会发送它的 ServerHello)
- Client accepts the servers certificate (otherwise client would complain instead of continuing with the handshake)客户端接受服务器证书(否则客户端会抱怨而不是继续握手)
- Client sends its own certificate客户端发送自己的证书
- Server sends back an alert: handshake_failure服务器发回警报:handshake_failure
The most likely thing is that the server does not like the clients certificate.最有可能的是服务器不喜欢客户端证书。 Since the test with openssl s_client and a client certificate shows a successful handshake it might be that the Android client is sending a different certificate than used with the other test.由于使用openssl s_client和客户端证书进行的测试显示握手成功,因此 Android 客户端发送的证书可能与其他测试中使用的证书不同。 Digging deeper into the packet capture should show, which certificate is sent by the client.深入挖掘数据包捕获应该显示客户端发送了哪个证书。 Apart from that information about the problem should be visible on the server side, ie in server logs or similar.除了关于问题的信息应该在服务器端可见,即在服务器日志或类似的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.