Pierre

Reputation: 2866

Unknown protocol error with HTTPS connection on Android

I am calling a REST service using HTTPS in an Android application. I already have working code for this, but now that I am using a newly installed server hosting the REST service, I can no longer establish a connection.

Here is the exception:

javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x15b7768: Failure in SSL library, usually a protocol error
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (external/openssl/ssl/s23_clnt.c:683 0x402e5cc3:0x00000000)

The application uses the Apache classes to interact with the REST service. I get this error even when using a dummy TrustManager that accepts any kind of certificate.

When calling the REST Service from the Android Navigator, the connection is successfully established and works fine.

The Android phone is running the latest 4.0.3 Android from HTC.

The REST Service is a hosted mod_perl application on Apache configured with SSL support.

Browsing the OpenSSL source code at https://github.com/android/platform_external_openssl/blob/ics-mr0/ssl/s23_clnt.c does not give me any hints besides a low level problem.

Any suggestions on how to debug this further?

Upvotes: 10

Views: 9856

Answers (1)

Pierre

Reputation: 2866

OK, I found what the problem is.

Following the suggestion to use OpenSSL s_client made me realize that I was using the wrong port number for the connection. The new server is using the standard SSL port, which was not the case for the other server I was using previously.

As the server was not responding according to the SSL protocol, the response could not be decoded meaningfully by OpenSSL, and thus the Unknown Protocol Error.

For the people wanting to know how I used OpenSSL s_client (in your shell do):

$ openssl s_client -connect myhost.example.com:443 -tls1 -servername myhost.example.com

The -servername option enlists Server Name Indication (SNI) to ensure the server provides the correct certificate if there are multiple sites hosted at the server. SNI is a TLS 1.0 (and above) option, and -tls1_1 and -tls1_2 usually work, too.

Then a truckload of information is shown regarding the SSL connection just opened.

Upvotes: 17
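The diagnosis in the answer above (a port that does not answer in TLS produces "unknown protocol") can be checked by looking at the first bytes a server returns to a ClientHello. This is an added example, not code from the original post; the function names and sample replies are constructed for illustration, and the classifier is a simplified record-header check, not OpenSSL's own logic.

```python
import socket
import ssl

def classify_first_bytes(data: bytes) -> str:
    """Label the first bytes a server sends back after a TLS ClientHello."""
    if len(data) < 5:
        return "too-short"            # connection closed or reply truncated
    if data[1] == 0x03 and data[0] == 0x16:
        return "tls-handshake"        # record type 22: ServerHello follows
    if data[1] == 0x03 and data[0] == 0x15:
        return "tls-alert"            # record type 21: TLS, but handshake refused
    if data.startswith(b"HTTP/"):
        return "plaintext-http"       # an HTTP listener without TLS
    if data.startswith(b"SSH-"):
        return "ssh-banner"
    return "not-tls"

def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello (with SNI) in memory; no network needed."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                          # expected: waiting for the ServerHello
    return outgoing.read()

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        return classify_first_bytes(sock.recv(16))

# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "server_hello": bytes.fromhex("160303005a0200"),
    "fatal_alert": bytes.fromhex("15030300020228"),
    "http_error": b"HTTP/1.1 400 Bad Request\r\n",
    "ssh": b"SSH-2.0-ExampleServer\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:13} -> {classify_first_bytes(reply)}")
    # With network access: print(probe("myhost.example.com", 443))
```

Any result other than `tls-handshake` or `tls-alert` from `probe` means the port is not speaking TLS, so the port number or the server's SSL configuration is the thing to check before certificates or trust managers.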
