HTTPS proxy doesn’t make sense because you can’t terminate your HTTP connection at the proxy for security reasons. With your trust policy, it might work if the proxy server has a HTTPS port. Your error is caused by connecting to HTTP proxy port with HTTPS. You can connect through a proxy using SSL tunneling (many … Read more
SSLlabs is apparently testing “out of the box” support. Java crypto has a crock dating back to the 1990s when the US government severely restricted export of crypto software, and as a result the JRE (or JDK) as distributed by then-Sun now-Oracle does not permit use of 256-bit symmetric encryption, which your server is demanding. … Read more
According to https://www.ssllabs.com, the server supports cipher suites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA They are listed as “unavailable cipher suite” as you can see in the debug messages. In the JRE/lib/security/local_policy.jar, we see // Some countries have import limits on crypto strength. This policy file // is worldwide importable. grant { permission javax.crypto.CryptoPermission “DES”, … Read more
This is a known regression in Android 7.0, acknowledged by Google and fixed sometime before the release of Android 7.1.1. Here is the bug report: https://code.google.com/p/android/issues/detail?id=224438. To be clear, the bug here is that 7.0 only supports ONE elliptic curve: prime256v1 aka secp256r1 aka NIST P-256, as Cornelis points out in the question. So if … Read more
You’re initialising your SSLContext with a null KeyManager array. The key manager is what handles the server certificate (on the server side), and this is what you’re probably aiming to set when using javax.net.ssl.keyStore. However, as described in the JSSE Reference Guide, using null for the first parameter doesn’t do what you seem to think … Read more
Finally solved it ;). Got a strong hint here (Gandalfs answer touched a bit on it as well). The missing links was (mostly) the first of the parameters below, and to some extent that I overlooked the difference between keystores and truststores. The self-signed server certificate must be imported into a truststore: keytool -import -alias … Read more
First, you need to obtain the public certificate from the server you’re trying to connect to. That can be done in a variety of ways, such as contacting the server admin and asking for it, using OpenSSL to download it, or, since this appears to be an HTTP server, connecting to it with any browser, … Read more
I found the solution for it by analyzing the data packets using wireshark. What I found is that while making a secure connection, android was falling back to SSLv3 from TLSv1 . It is a bug in android versions < 4.4 , and it can be solved by removing the SSLv3 protocol from Enabled Protocols … Read more
The handshake failure could have occurred due to various reasons: Incompatible cipher suites in use by the client and the server. This would require the client to use (or enable) a cipher suite that is supported by the server. Incompatible versions of SSL in use (the server might accept only TLS v1, while the client … Read more