Hi,
if you don't know how to pass -Djavax.net.debug=all option as a command line argument to your Android application, you can set it in the application code before calling clinet.connectToServer() like this: System.getProperties().put("javax.net.debug", "all");
I just hope it is supported on Android and gives as valuable output as on Oracle JDK.
ClientProperties.LOG_HTTP_UPGRADE will not help you, because it just prints HTTP upgrade messages and is useful to see negotiated headers. Your program does not get that far, because it fails below HTTP/Websocket level.
I would recommend you to create a simple Tyrus SSL client that would connect to the same server as your Android application. Use it on Oracle JDK/Open JDK and use -Djavax.net.debug=all to see what protocol/cypher suites/certificate is the server trying to use.
Petr
On Jan 17, 2015, at 9:12 PM, Matthew Mah wrote:
> Petr,
>
> Thank you for the references and example on how to configure SSL/TLS. This is clear and should be very helpful.
>
> The exception stack trace is attached for an Android 5 device. I do not find it illuminating.
>
> I am not sure how to run Android Studio to pass the option -Djavax.net.debug=all
>
> I have enabled the client trace
> client.getProperties().put(ClientProperties.LOG_HTTP_UPGRADE, true);
> but unfortunately this prints to standard output, which I can read on an Android 4.4 device (which connects), but not on Android 5 (SSL handshake failure).
> http://stackoverflow.com/q/26535287/4107809
>
> So far merely changing the TLS values on the client has not helped.
>
> There are some reports that particular cipher suites are cause problems, I will try changing which are enabled and report back if I make further progress.
> https://code.google.com/p/android/issues/detail?id=81603
>
> Thanks again,
> Matt
>
> On 01/17/2015 09:31 AM, Petr Janouch wrote:
>> Hi Matt,
>>
>> first could you send the entire Exception? The Deployment exception is just a wrapper and its cause should tell as more.
>>
>> If the exception stack trace does not clarify the problem, you can run your client with -Djavax.net.debug=all and it will print a detailed SSL debug output. This output might tell you what went wrong. If it does not, post it here and I will have a look at it (Just make sure it does not contain any information you don't want us to see ;) ).
>>
>> You can refer to Tyrus documentation where it is shown how o configure ssl on the client: https://tyrus.java.net/documentation/1.9/user-guide.html#d0e1128
>> The link shows how to use the ClientProperties.SSL_ENGINE_CONFIGURATOR and classes SslContextConfigurator and SslEngineConfigurator to configure SSL. You should not use WLS_SSL_PROTOCOLS_PROPERTY, it is an internal API and therefore it is not documented.
>>
>> About how to configure protocols. This page contains the standard names of protocols and cipher suites: http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#jssenames
>> Those are the names that are expected in SslEngineConfigurator methods parameters.
>>
>> Here is a modified sample from the documentation that configures Tyrus client to use SSL TLS 1 and TLS 1.1 and also prints the result and the information which protocols are supported on your platform:
>>
>> final ClientManager client = createClient();
>> final SslContextConfigurator defaultConfig = new SslContextConfigurator();
>>
>> defaultConfig.retrieve(System.getProperties());
>> // or setup SSLContextConfigurator using its API.
>>
>> SslEngineConfigurator sslEngineConfigurator =
>> new SslEngineConfigurator(defaultConfig, true, false, false);
>>
>> sslEngineConfigurator.setEnabledProtocols(new String[]{"TLSv1", "TLSv1.1"});
>>
>> // the specified protocols must be supported by the platform, so just to check:
>> SSLEngine sslEngine = sslEngineConfigurator.createSSLEngine("whatever");
>>
>> System.out.println("Suported: ");
>> for (String s : sslEngine.getSupportedProtocols()) {
>> System.out.println(s);
>> }
>>
>> System.out.println("Enabled: ");
>> for (String s : sslEngine.getEnabledProtocols()) {
>> System.out.println(s);
>> }
>>
>> client.getProperties().put(ClientProperties.SSL_ENGINE_CONFIGURATOR,
>> sslEngineConfigurator);
>>
>> Hope this will help.
>> Petr
>>
>> On Jan 17, 2015, at 12:43 AM, Matthew Mah wrote:
>>
>>> Could you please elaborate on how this can be done?
>>>
>>> From the documentation,
>>> https://tyrus.java.net/apidocs/1.9/org/glassfish/tyrus/client/ClientManager.htm
>>>
>>> I am not sure whether to set WLS_SSL_PROTOCOLS_PROPERTY or the ClientProperties.SSL_ENGINE_CONFIGURATOR. It is also not apparent what String or array of Strings to use.
>>>
>>> https://tyrus.java.net/apidocs/1.9/org/glassfish/tyrus/client/SslEngineConfigurator.html#setEnabledProtocols(java.lang.String[])
>>>
>>> Thanks,
>>> Matt
>>>
>>> On 01/16/2015 05:59 PM, Salatiel Filho wrote:
>>>> Try disable tlsv1.2 And check if it works.
>>>>
>>>> On Jan 16, 2015 5:04 PM, "Matthew Mah" <matthew.y.mah_at_gmail.com> wrote:
>>>> I am encountering problems connecting Android 5.0 using the tyrus websocket to either nginx or tomcat servers using a secure websocket.
>>>>
>>>> javax.websocket.DeploymentException: SSL handshake has failed
>>>>
>>>> The code works fine for Android 4.4 , so I think this is related to the SSL changes in Android 5.0:
>>>> http://developer.android.com/about/versions/android-5.0-changes.html#ssl
>>>>
>>>> Is there a way I can tell what exactly is failing? I am not sure whether its a problem with the certificate or with the TLS protocol or the cipher suites available.
>>>>
>>>> Thanks,
>>>> Matt
>>>
>>
>
> <exceptionStackTrace.txt>