SSL Handshake failed - maybe you need a valid client certificate

Similar to other posts… but not the same configuration

Followed this tutorial and have everything running, except I cannot get the mobile app to connect to my OpenHAB Cloud remotely. I keep getting “SSL Handshake failed - maybe you need a valid client certificate”.

I’ve tried quite a few things and found a few similar posts, but nothing I’ve done has worked. I can access the server on a mobile device remotely using Chrome, and the app works locally.

My Setup
- OpenHAB 2.1 on a Windows machine at home (no authentication or SSL, via server IP:port)
- OpenHAB Cloud running on an Amazon Lightsail instance (Ubuntu) (https://sub.domain.com)
- Let’s Encrypt cert for “sub.domain.com”
- Both linked and communicating great
- Working on https in the Chrome browser

server config:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name SUB.DOMAIN.COM;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name SUB.DOMAIN.COM;

    location /css {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/css;
    }
    location /js {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/js;
    }
    location /img {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/img;
    }
    location /bootstrap {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/bootstrap;
    }
    location /font-icons {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/font-icons;
    }
    location /fonts {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/fonts;
    }
    location /js-plugin {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/js-plugin;
    }
    location /downloads {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/downloads;
    }

    location / {
        proxy_pass http://localhost:3000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    ssl_certificate /etc/letsencrypt/live/SUB.DOMAIN.COM/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/SUB.DOMAIN.COM/privkey.pem; # managed by Certbot

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:AES256+EECDH:!ADH:!AECDH:!MD5";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /usr/share/nginx/SUB.DOMAIN.COM;
    index index.html index.htm;
    # the dot is escaped so the regex matches the literal ".well-known" path
    location ~ /\.well-known {
        allow all;
    }
}

I’ve tried enabling the “Ignore” boxes in the Android app.
I’ve used “openssl pkcs12” to generate a .pfx key and imported it into the app. No luck.
I’ve run an SSL Labs test and removed the ciphers that caused a B result. Everything is now an A.
Tried creating new DH parameters.
I’ve tried everything I can think of and every solution I could find.
Tried:
https://community.openhab.org/t/ssl-handshake-failed-after-habdroid-upgrade-to-2-0-0/37667/3
and
https://community.openhab.org/t/ssl-handshake-failed-after-habdroid-upgrade/31856
which seems like maybe it is a bug?
I also don’t see anything in the nginx error.log

I’m not sure if this is an app issue or a server setup issue, so I thought I would post this here. I also asked this question on the tutorial thread but decided it was better to make a new thread. It seems a few people are having the same issue and haven’t been able to solve it, or haven’t posted a solution. Maybe I’m missing something simple…

Any help would be greatly appreciated; I’m at a loss as to what to try next…

I found the solution finally. Found in the OpenHab Security page:

https://docs.openhab.org/installation/security.html

Modify the ssl-cipher section of your config to:

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;

Instead of: (from tutorial)

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

Notice that the double quotes are not in the updated version.

2 Likes
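To see what the two cipher strings above actually enable, rather than guessing from the keywords, the following added example (not from the thread, openHAB or the tutorial) expands each string with the OpenSSL bundled in Python’s ssl module and mimics ssl_prefer_server_ciphers against a client’s offered list. The three server strings are copied from the posts above. The client list is constructed for illustration only and is not a capture from any Android device; it stands in for a client that offers no AES-GCM suites. Suite names and counts depend on the local OpenSSL build.

```python
"""Expand nginx ssl_ciphers strings the way OpenSSL does and check what a
given client could negotiate.

Added example for this thread, not code from openHAB or the tutorial. It uses
only the OpenSSL bundled with Python's ssl module, so it runs offline.
"""
import ssl

# The three strings discussed in the thread, copied verbatim.
TUTORIAL_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
POSTED_CIPHERS = "EECDH+AESGCM:AES256+EECDH:!ADH:!AECDH:!MD5"
FIXED_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:"
    "!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH"
)

# A constructed client offer (hypothetical, NOT a capture from any Android
# device): an ECDHE-capable client with no AES-GCM suites that only speaks
# AES-128 in CBC mode.
CBC_ONLY_CLIENT = [
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA256",
    "AES128-SHA",
]


def expand(spec):
    """Return the suites (TLS 1.2 and below) that an OpenSSL cipher string
    enables, in the server's preference order.

    A keyword the local OpenSSL does not recognize is silently ignored, so a
    typo or an unknown alias does nothing; ssl.SSLError is raised only when
    nothing at all matches. TLS 1.3 suites are configured separately in
    OpenSSL and are dropped here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def added_by(old_spec, new_spec):
    """Suites the new string enables that the old one did not."""
    old = set(expand(old_spec))
    return [name for name in expand(new_spec) if name not in old]


def negotiate(server_spec, client_offer):
    """Mimic ssl_prefer_server_ciphers on: the first suite in the server's
    list that the client also offers, or None (the handshake would fail)."""
    offered = set(client_offer)
    for name in expand(server_spec):
        if name in offered:
            return name
    return None


def report():
    for label, spec in (("tutorial", TUTORIAL_CIPHERS),
                        ("posted", POSTED_CIPHERS),
                        ("fixed", FIXED_CIPHERS)):
        suites = expand(spec)
        print(f"{label}: {len(suites)} suites; CBC-only client gets "
              f"{negotiate(spec, CBC_ONLY_CLIENT)}")
    print("suites the fix adds over the posted config:")
    for name in added_by(POSTED_CIPHERS, FIXED_CIPHERS):
        print("   ", name)


if __name__ == "__main__":
    report()
```

The posted and tutorial strings only enable AES-GCM and AES-256 ECDHE suites, so the constructed CBC-only client gets nothing from them, while the fixed string explicitly lists ECDHE-RSA-AES128-SHA256 and falls back to HIGH. Against a live server the same check is `openssl s_client -connect sub.domain.com:443 -cipher ECDHE-RSA-AES128-SHA256`, which fails the handshake if the server does not offer that suite.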

Thanks!
I was waiting for your post for a month :wink: I was sure the problem was the device, not the openhab-cloud config.

I had the same problem, but only just with one device.
iPad works fine. Samsung Galaxy Note Edge works fine. Sony XPERIA Z1 works fine.
Only the Samsung Galaxy S7 Edge had that “SSL Handshake failed” problem.

After changing the ssl_ciphers all of the devices are working fine.
Good news

Where can I find this entry / file to change it?

Where I will change it???

You will find a full setup example/tutorial here:

Find the following step:

##Step 6: Setup SSL in nginx

There you will find the path to the config file.

The problem is that I used an openHAB server based on Windows 10…

…this topic is about a private openhab-cloud, like the public openhab-cloud “https://www.myopenhab.org/”.

If you have an openHAB server installed in your local network and you want to access it via the internet, you have to use the openHAB Cloud Connector binding, which you have to connect to a private openhab-cloud installation or the public openhab-cloud.

I am not sure if your problem has something to do with this kind of configuration.
If you use the public openhab-cloud you will not have this problem, because it is hosted by the openHAB community itself.

So if you still think that your problem has something to do with this topic, please give us an idea of your openhab configuration.

Yes, I’ve installed a server, and I use the cloud connector. We have one mobile phone and one tablet with the mobile app, based on Android 8. Both are working well. Now we’ve got a new tablet, based on Android 7, and on this device we get the “SSL Handshake failed” message.

Ok. So if you use https://www.myopenhab.org/ as your openhab-cloud, I can’t help you.
If you use a private openhab-cloud that you installed yourself, please tell me more about this server.