Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x76a8eb8a00: Failure in SSL library, usually a protocol error error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:641 0x76a8e2b0a0:0x00000001) error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:800 0x76d2e2c253:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:364)
SSLV3 - wrapper string, actualy sslv3 not use
My web server is (include version):
nginx version: nginx/1.14.1
built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.0l 10 Sep 2019)
TLS SNI support enabled
The operating system my web server runs on is (include version): Debian GNU/Linux 9.13 (stretch)
Previously, the RSA private key was generated. And everything worked.
Now a private key has been generated as EC and application (with okhttp3 https://square.github.io/okhttp or direct use ssl) on Android 7.0 - cannot connect (application using android webclient backend is working).
The only way to fix this is by NOT using an EC certificate. Right now you can work around by switching to P-256, but as the future E1 intermediate is P-384, that's not a long term solution.
Android 7.0 has a bug, where the only supported elliptic curve is P-256 , meaning that the P-384 curve used by Let's Encrypts E1/X2 certs cannot be handled by this Android version. The Android version advises ECC support though, so I presume that this scenario will simply break (handshakes usually fail with "illegal parameter" TLS alert from my tests). 7.1 is fixed though, this seems to only affect 7.0. Older than 7.0 (e.g 6.x and below) as well as 7.1 and newer works fine.
So you need to use the P-256 elliptic curve (at least as long as it's still signed by the RSA intermediate, as that is supposed to change eventually to be signed by a P-384 intermediate that will break on Android 7.0 anyway), so stick with RSA if you need to support older android versions.
So, you need to configure whatever ACME client you're using to generate an RSA key instead of an EC one. It's still not clear to me what ACME client you're using. Most of them will use RSA by default and wouldn't switch to EC without somebody specifically telling them to.
Thank you! I use dehydrate script - it have --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
Now I will try to generate new certs.
I generate new certs with prime256v1 - now Android 7.0 is work.
Thanks all!
Glad to hear that's working for you. But do be aware that some other old systems might not support prime256v1 either, and you might need to switch to RSA. And at some point (possibly quite a while from now so old Android may not have as much market share), prime256v1 (P-256) keys will be signed by a P-384 intermediate, which Android 7.0 also won't like. RSA is the most backward-compatible, if that's something you're concerned with.