Android 7 can't connect to prosody 0.9.12 ssl handshake error
77 views
Skip to first unread message
Gerardo Zamudio
Sep 19, 2017, 11:18:43 AM9/19/17
to prosod...@googlegroups.com
Hi
I've run into a problem with clients using Android 7.0 connecting to a
Prosody 0.9.12 server.
Android 7.0 only supports one elliptic curve, prime256v1[1][2][3]. I'm
using a 384 bit ECDSA Let's Encrypt certificate with a key generated
like this:
openssl ecparam -out domain.com.key -name secp384r1 -genkey
I can change the Prosody SSL configuration to use the prime256v1 curve
instead with
ssl = {
curve = "prime256v1"
}
But I would need to generate a new key for my certificate.
Does Prosody support using two SSL certificates (an ECDSA and RSA
certificate) for one VirtualHost? I'd like for the Android 7.0 clients
to be presented the RSA certificate and everyone else the ECDSA
certificate. I checked the SSL documentation for Prosody but I did not
find a way to use two certificates. I would appreciate being pointed to
the proper way to do this if it's possible.
Does anyone have any ideas for another workaround besides changing the
curve and certificate key?
[1]https://code.google.com/p/android/issues/detail?id=224438.
[2]https://stackoverflow.com/questions/39133437/sslhandshakeexception-handshake-failed-on-android-n-7-0
[3]https://community.letsencrypt.org/t/warning-android-7-0-clients-not-browsers-can-only-use-curve-prime256v1/23212
--
Gerardo Zamudio
Libre Expresión México
I've run into a problem with clients using Android 7.0 connecting to a
Prosody 0.9.12 server.
Android 7.0 only supports one elliptic curve, prime256v1[1][2][3]. I'm
using a 384 bit ECDSA Let's Encrypt certificate with a key generated
like this:
openssl ecparam -out domain.com.key -name secp384r1 -genkey
I can change the Prosody SSL configuration to use the prime256v1 curve
instead with
ssl = {
curve = "prime256v1"
}
But I would need to generate a new key for my certificate.
Does Prosody support using two SSL certificates (an ECDSA and RSA
certificate) for one VirtualHost? I'd like for the Android 7.0 clients
to be presented the RSA certificate and everyone else the ECDSA
certificate. I checked the SSL documentation for Prosody but I did not
find a way to use two certificates. I would appreciate being pointed to
the proper way to do this if it's possible.
Does anyone have any ideas for another workaround besides changing the
curve and certificate key?
[1]https://code.google.com/p/android/issues/detail?id=224438.
[2]https://stackoverflow.com/questions/39133437/sslhandshakeexception-handshake-failed-on-android-n-7-0
[3]https://community.letsencrypt.org/t/warning-android-7-0-clients-not-browsers-can-only-use-curve-prime256v1/23212
--
Gerardo Zamudio
Libre Expresión México
Reply all
Reply to author
Forward
0 new messages