
Android SSL Error Handshake Failed

I have an Android application that works on my home network and does not have these handshake errors. However, when sending this app over to my client and testing it through their Wi-Fi network, I get these logs.

    E/chromium(15135): external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [1211/175912:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned 0, SSL error code 5, net_error -107
    W/chromium(15135): external/chromium/net/http/http_stream_factory_impl_job.cc:865: [1211/175912:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant:

I have HTTPS URLs loaded in an Android WebView inside my application. I have no other information aside from these errors. Do you guys have any idea why this happens on a specific network? I am really out of ideas right now.

bman asked Nov 11 '22 16:11


1 Answer

Recently I encountered a similar error while testing a connection to a specific server: handshake failed; returned -1, SSL error code 1, net_error -103

I found some useful information by searching the Chromium source code, which indicates the meaning of the return codes. Maybe it can help you find the reason.

SSL error code 5:

chromium//src/third_party/boringssl/src/include/openssl/ssl.h

    /* SSL_ERROR_SYSCALL indicates the operation failed externally to the
     * library. The caller should consult the system-specific error mechanism.
     * This is typically |errno| but may be something custom if using a custom
     * |BIO|. It may also be signaled if the transport returned EOF, in which
     * case the operation's return value will be zero. */
    #define SSL_ERROR_SYSCALL 5

net_error -107:

    // An SSL protocol error occurred.
    NET_ERROR(SSL_PROTOCOL_ERROR, -107)

If you want more detail, the main function that prints this log is below:

chromium//src/net/socket/ssl_server_socket_impl.cc

    int SSLServerSocketImpl::DoHandshake() {
      crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
      int net_error = OK;
      int rv = SSL_do_handshake(ssl_.get());

      if (rv == 1) {
        completed_handshake_ = true;
        // The results of SSL_get_peer_certificate() must be explicitly freed.
        bssl::UniquePtr<X509> cert(SSL_get_peer_certificate(ssl_.get()));
        if (cert) {
          // The caller does not take ownership of SSL_get_peer_cert_chain's
          // results.
          STACK_OF(X509)* chain = SSL_get_peer_cert_chain(ssl_.get());
          client_cert_ = CreateX509Certificate(cert.get(), chain);
          if (!client_cert_.get())
            return ERR_SSL_CLIENT_AUTH_CERT_BAD_FORMAT;
        }
      } else {
        int ssl_error = SSL_get_error(ssl_.get(), rv);
        OpenSSLErrorInfo error_info;
        net_error = MapOpenSSLErrorWithDetails(ssl_error, err_tracer, &error_info);

        // SSL_R_CERTIFICATE_VERIFY_FAILED's mapping is different between client and
        // server.
        if (ERR_GET_LIB(error_info.error_code) == ERR_LIB_SSL &&
            ERR_GET_REASON(error_info.error_code) ==
                SSL_R_CERTIFICATE_VERIFY_FAILED) {
          net_error = ERR_BAD_SSL_CLIENT_AUTH_CERT;
        }

        // If not done, stay in this state
        if (net_error == ERR_IO_PENDING) {
          GotoState(STATE_HANDSHAKE);
        } else {
          LOG(ERROR) << "handshake failed; returned " << rv << ", SSL error code "
                     << ssl_error << ", net_error " << net_error;
          net_log_.AddEvent(
              NetLogEventType::SSL_HANDSHAKE_ERROR,
              CreateNetLogOpenSSLErrorCallback(net_error, ssl_error, error_info));
        }
      }
      return net_error;
    }
W marlon answered Nov 14 '22 23:11
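
A small triage script for the log lines discussed above, added here as an example (it is not part of the original answer or of Chromium): it decodes the three numbers in a `handshake failed` line and flags the SSLv3 fallback warning as a protocol downgrade. The function name `triage` and the hint strings are assumptions of this example; numeric values not quoted on the page come from BoringSSL's `ssl.h` and Chromium's `net_error_list.h`.

```python
import re

# SSL_get_error() values (BoringSSL openssl/ssl.h) and Chromium net errors
# (net_error_list.h). Code 5 and -107 are the ones quoted in the answer above.
SSL_ERRORS = {1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 5: "SSL_ERROR_SYSCALL",
              6: "SSL_ERROR_ZERO_RETURN"}
NET_ERRORS = {-100: "CONNECTION_CLOSED", -101: "CONNECTION_RESET",
              -103: "CONNECTION_ABORTED", -107: "SSL_PROTOCOL_ERROR",
              -113: "SSL_VERSION_OR_CIPHER_MISMATCH"}

HANDSHAKE_RE = re.compile(
    r"handshake failed; returned (-?\d+), SSL error code (\d+), net_error (-?\d+)")
FALLBACK_RE = re.compile(r"Falling back to (\S+) because host is TLS intolerant")

def triage(lines):
    """Return one finding (dict) per handshake-failure or fallback log line."""
    findings = []
    for line in lines:
        m = HANDSHAKE_RE.search(line)
        if m:
            rv, ssl_err, net_err = map(int, m.groups())
            hint = "inspect the TLS library's error stack for the reason"
            if ssl_err == 5 and rv == 0:  # ssl.h: SYSCALL with return 0 means EOF
                hint = "EOF: peer or on-path device closed the connection mid-handshake"
            elif ssl_err == 5:
                hint = "failure outside the TLS library: check errno / socket state"
            findings.append({
                "kind": "handshake_failed", "rv": rv, "hint": hint,
                "ssl_error": SSL_ERRORS.get(ssl_err, f"unknown({ssl_err})"),
                "net_error": NET_ERRORS.get(net_err, f"unknown({net_err})")})
        elif (m := FALLBACK_RE.search(line)):
            findings.append({
                "kind": "protocol_downgrade", "to": m.group(1),
                "hint": "client retried with an older protocol after the failure"})
    return findings

# Sample input: the messages from the question and answer, source paths trimmed.
SAMPLE = [
    "E/chromium(15135): [1211/175912:ERROR:ssl_client_socket_openssl.cc(792)] "
    "handshake failed; returned 0, SSL error code 5, net_error -107",
    "W/chromium(15135): [1211/175912:WARNING:http_stream_factory_impl_job.cc(865)] "
    "Falling back to SSLv3 because host is TLS intolerant: ",
    "handshake failed; returned -1, SSL error code 1, net_error -103",
]
if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```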