SSL Handshake failed after habdroid upgrade to 2.0.0

Hi,

after upgrading to Habdroid 2.0 I could not connect to my own cloud-instance.
I get the error message “SSL Handshake failed - maybe you need a valid client certificate”

I tried to activate/deactivate the two options to ignore certificate and hostname, but this doesn’t make any difference.

I also generated client-certificates and configured the nginx to verify the client-certificates, but there is still the error.
When I connect through Chrome from the Android phone, I see that the certificate is verified and I can connect to the website, so the certificates are OK.

What am I doing wrong?

Kind regards
Thomas

Hi,

nobody has an idea?
Could anybody help, please?

Kind regards
Thomas

I have a similar issue. I have my own (on-prem) openHAB deployment. I have set up Apache to act as a reverse proxy, and do basic auth and SSL client cert auth (using a certificate from a non-public CA) at the same time. It all works fine from a browser.

But when I try to set the openHAB Android app to go through Apache, it just throws me this “SSL Handshake failed - maybe you need a valid client certificate” error message. The CA root certificate is trusted by the phone, obviously. If I set the Android app to “Ignore certificate”, it just tries to reconnect and reconnect and reconnect and…

Meanwhile, in the Apache error log, it says:

SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?

Which actually sounds fair, after looking at the network traffic using tcpdump. It looks as if the Android app tried to initiate a connection using SSL, but after a couple of packets, it switched over to HTTP and issued “GET /rest/sitemaps/_default/_default HTTP/1.1”

If, on Apache, I only leave SSL enabled, and turn off both Basic auth and Certificate auth, the app can connect just fine. If I turn either of the authentication options on, it fails.

Does anyone have any idea what’s happening here, or how I could debug the traffic from the phone side?

I found my error:

In the nginx configuration I had ciphers enabled, which produced the error.
(A test with ssl-labs of the site shows only B as result)
After setting the ciphers as mentioned in the openHAB documentation, ssl-labs shows A+ and habdroid can connect to the myOpenHab cloud.

Could you share your cipher config/list?

Finally found in the OpenHAB config:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;

In case anyone is interested, I have also found a solution, or rather a workaround for my problem. I can’t figure out for the life of me why, but SSL and authentication don’t work for me with Habdroid and Apache. I set up Nginx instead of Apache, and now everything’s fine and dandy.
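
An added example, not part of the original thread or of openHAB: a small triage script for the first bytes a client sends to the HTTPS port (for instance taken from a tcpdump capture). It separates the two failures discussed above, a plain HTTP request arriving on the TLS port and a ClientHello that shares no cipher suite with the server list. All function names are hypothetical, the sample inputs are constructed, and the server list is only four GCM suites taken from the cipher string quoted above (keyword groups such as HIGH are not expanded).

```python
import struct

# IANA cipher-suite IDs -> OpenSSL names (small constructed subset for the demo)
SUITES = {0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
          0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
          0xC014: "ECDHE-RSA-AES256-SHA", 0x0035: "AES256-SHA", 0x002F: "AES128-SHA"}
# Four GCM suites from the cipher string quoted in the thread (assumption: keywords ignored)
SERVER_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

def offered_suites(data: bytes) -> list:
    """Return the cipher-suite IDs listed in a raw TLS ClientHello record."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 43                      # 5 record hdr + 4 handshake hdr + 2 version + 32 random
    pos += 1 + data[pos]          # skip the session_id
    if pos + 2 > len(data):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from(">H", data, pos)
    if n % 2 or pos + 2 + n > len(data):
        raise ValueError("truncated cipher-suite list")
    return list(struct.unpack_from(f">{n // 2}H", data, pos + 2))

def diagnose(data: bytes, server_ciphers: str = SERVER_CIPHERS) -> tuple:
    """Classify the first bytes a client sent to the HTTPS port."""
    if data.startswith(HTTP_METHODS):
        # The case Apache logs as "speaking HTTP to HTTPS port"
        return "plaintext-http", data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    try:
        ids = offered_suites(data)
    except ValueError:
        return "unknown", None
    allowed = set(server_ciphers.rstrip(";").split(":"))
    shared = [SUITES[i] for i in ids if SUITES.get(i) in allowed]
    return ("tls-shared-cipher" if shared else "tls-no-shared-cipher"), shared

def build_hello(ids) -> bytes:
    """Constructed TLS 1.2 ClientHello without extensions, for the demo only."""
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", 2 * len(ids))
            + struct.pack(f">{len(ids)}H", *ids) + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    print(diagnose(build_hello([0x0035, 0x002F])))   # client offers only RSA/CBC suites
    print(diagnose(build_hello([0xC014, 0xC02F])))   # one suite in common
    print(diagnose(b"GET /rest/sitemaps/_default/_default HTTP/1.1\r\nHost: x\r\n\r\n"))
```
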