{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 戒情不戒烟 的问题《Android - SSL/TLS and ECC (Elliptic curve cryptogr》','https://www.manongdao.com/q-599793.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm developing an android application which communicates with a web server. We use HTTPS for this communication and we have also a client certificate inside the android application for authentication.
We created SSL certificates using ECC (ANSI x9.62) in order to have very small certificates so we can reduce the transmission cost during handshake.
The source code for the communication is more or less like this:
InputStream keystoreIs = getResources().openRawResource(R.raw.client_bks);
KeyStore keystore = KeyStore.getInstance("BKS");
keystore.load(keystoreIs, KEYSTORE_PASSWORD);
SSLSocketFactory socketFactory = new SSLSocketFactory(keystore, KEYSTORE_PASSWORD, keystore);
Scheme serverScheme = new Scheme("https", socketFactory, SERVER_PORT);
HttpClient httpclient = new DefaultHttpClient();
httpclient.getConnectionManager().getSchemeRegistry().register(iServerScheme);
HttpPost httppost = new HttpPost(SERVER_URL);
HttpResponse response = httpclient.execute(httppost);
The problem is that when we try to connect we have errors like:
E/NativeCrypto(4744): Unknown error 5 during connect
W/System.err(4744): java.io.IOException: SSL handshake failure: I/O error during system call, Connection reset by peer
W/System.err(4744): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.nativeconnect(Native Method)
W/System.err(4744): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:316)
W/System.err(4744): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:520)
W/System.err(4744): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:461)
W/System.err(4744): at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:93)
W/System.err(4744): at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:83)
W/System.err(4744): at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:170)
W/System.err(4744): at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:106)
W/System.err(4744): at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:129)
(...)
I trid to find an example with ECC and SSL but I didn't found anything. I found several articles about encryption and key pair generation (for example http://nelenkov.blogspot.com/2011/12/using-ecdh-on-android.html#!/2011/12/using-ecdh-on-android.html) but nothing related to this SSL kind of errors.
We will appreciate any feedback. Thank you in advance!!
Default Android 7.0
SSLSocketFactorydoesn't support all of the elliptic curves known to OpenSSL/BoringSSL. The handshake only listssecp256r1in thesupported_curvesin the Client Hello.The
SSLEnginedocumentation doesn't even mention supported curves.If the server can't agree to use that curve, it will close the connection and the handshake fails on the client side with the I/O error shown.
Chrome on android however supports 3 common curves,
secp256r1,secp384r1, andx25519.EDIT
I should add the signature hash algorithm support extension does include ECDSA with SHA1 through SHA512, so it should be fine to use an ECDSA certificate on the server side.