{"id":19602742,"url":"https://github.com/fd-/sslviassl","last_synced_at":"2026-05-15T00:04:04.296Z","repository":{"id":112527206,"uuid":"81744267","full_name":"FD-/SSLviaSSL","owner":"FD-","description":"Demonstration of issues when running an SSLSocket via an SSLSocket when using the Conscrypt Provider on Android","archived":false,"fork":false,"pushed_at":"2017-06-20T14:59:24.000Z","size":172,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-01-09T08:26:50.374Z","etag":null,"topics":["android","java","ssl"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FD-.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-12T17:41:53.000Z","updated_at":"2023-01-26T23:53:13.000Z","dependencies_parsed_at":"2023-05-22T00:00:50.696Z","dependency_job_id":null,"html_url":"https://github.com/FD-/SSLviaSSL","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FD-%2FSSLviaSSL","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FD-%2FSSLviaSSL/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FD-%2FSSLviaSSL/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FD-%2FSSLviaSSL/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FD-","download_url":"https://codeload.github.com/FD-/SSLvi
aSSL/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240886197,"owners_count":19873525,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","java","ssl"],"created_at":"2024-11-11T09:26:07.296Z","updated_at":"2026-05-15T00:04:04.245Z","avatar_url":"https://github.com/FD-.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SSLviaSSL\nThis project demonstrates that creating an SSLSocket over an existing SSLSocket does not work on Android.\n\nThe app tries to send an HTTP request to an HTTPS server via a Secure Web Proxy (HTTP proxy over SSL/TLS).\n\n# Using the project\nFollow these steps to use the project:\n\n1. Set up a [Secure Web Proxy][1]\n    - The easiest way is to run the Server included in server/Server.java:\n    - Create a keystore file: keytool -genkey -keystore keystore -keyalg RSA\n    - Set KEYSTORE_PATH and KEYSTORE_KEY in server/KeystoreHelper.java      \n    - In Android Studio, just right-click on Server.java and click \"Run 'Server.main()'\".    \n    - Alternatively, you can set up a Secure Web Proxy using 3rd-party programs by following [the steps below](#how-to-set-up-a-secure-web-proxy-using-3rd-party-programs).\n2. Modify PROXY_HOST and PROXY_PORT in Main.java to match the values of your Secure Web Proxy. \n    - These values will be used as defaults for the JRE program and for the Android app.\n3. Start the Android app\n    - The exception that occurs at the second handshake will be shown in the app and printed to Logcat.\n4. 
Start the JRE program\n    - The Main.java class can be run in the desktop JRE directly from within Android Studio. Just right-click the file and click \"Run 'Main.main()'\". This will execute the program in the desktop JRE and print the output within Android Studio's console.\n    - You'll notice that the same code that fails on Android works in the desktop JRE.\n \n\n# The issue\nWhen running the app on Android and trying to fetch data from an HTTPS server via the Secure Web Proxy (code in SecureWebProxyThread.java), the second handshake (the one between the Android app and the HTTPS server) fails with an SSLHandshakeException:\n\n    javax.net.ssl.SSLHandshakeException: Handshake failed\n        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:422)\n        at com.bugreport.sslviassl.SecureWebProxyThread.doSSLHandshake(SecureWebProxyThread.java:147)\n        at com.bugreport.sslviassl.SecureWebProxyThread.run(SecureWebProxyThread.java:216)\n    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x87583000: Failure in SSL library, usually a protocol error\n    error:10000066:SSL routines:OPENSSL_internal:BAD_ALERT (external/boringssl/src/ssl/tls_record.c:457 0x97734e47:0x00000000)\n        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)\n        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:350)\n            ... 
2 more\n(Exception as thrown by Android O Developer Preview)            \n            \n\n    javax.net.ssl.SSLHandshakeException: Handshake failed\n        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)\n        at com.bugreport.sslviassl.SecureWebProxyThread.doSSLHandshake(SecureWebProxyThread.java:147)\n        at com.bugreport.sslviassl.SecureWebProxyThread.run(SecureWebProxyThread.java:216)\n    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x74621f1a40: Failure in SSL library, usually a protocol error\n    error:100000e3:SSL routines:OPENSSL_internal:UNKNOWN_ALERT_TYPE (external/boringssl/src/ssl/s3_pkt.c:618 0x74705b3e7e:0x00000000)\n        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)\n        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)\n    \t... 2 more  \n(Exception as thrown by Android 7.1.1)            \n        \nThis exception does not happen if the same code is run in a desktop JRE (which you can try by running Main.java), when no proxy is used, or when only an HTTP server (not HTTPS) is used. This clearly indicates there must be an issue with the second handshake (running an SSLSocket over an existing SSLSocket) on Android.\n\nInterestingly, there seems to be a very similar issue in the JRE version of the Conscrypt Provider used in recent Android versions: Instead of throwing an exception, the second handshake never finishes (SSLSocket.startHandshake() never returns). A sample project for the Conscrypt Provider can be found in the [conscrypt branch](https://github.com/FD-/SSLviaSSL/tree/conscrypt) of this repository.\n\n__Note:__ It seems like the specific error message depends on the Android version used (as they use different Security providers). 
The exceptions listed above are from Android O Developer Preview 1 in an emulator and from Android N 7.1.1 on a Nexus 9.\n\n# TCPDUMP\nI added tcpdumps of two runs to the `tcpdumps` directory. Dumps were taken with `sudo tcpdump -i any -s 0 -w file_name.tcpdump`:\n- android_ssl_via_ssl.tcpdump:\n      - Taken from the virtual machine hosting the proxy server and the HTTPS server.\n      - Proxy server was squid3, running on port 8080, secured via a stunnel (stunnel4) on port 10443.\n      - HTTPS server was apache2, running on port 80 (HTTP) and 443 (HTTPS)\n      - Server machine had IP 10.211.55.13\n      - Android device had IP 10.211.55.2\n- jre_ssl_via_ssl.tcpdump:\n      - Taken from the virtual machine hosting the proxy server and the HTTPS server.\n      - Proxy server was squid3, running on port 8080, secured via a stunnel (stunnel4) on port 10443.\n      - HTTPS server was apache2, running on port 80 (HTTP) and 443 (HTTPS)\n      - Server machine had IP 10.211.55.13\n      - Client machine running the JRE had IP 10.211.55.2\n\n# How to set up a [Secure Web Proxy][1] using 3rd-party programs\nThese steps were tested on a vanilla Ubuntu 14.04 image.\n\n(Alternatively, Squid can be run via SSL without any external tool, but it has to be compiled specifically for that: http://wiki.squid-cache.org/Features/HTTPS)\n\n1. Install Squid:\n\n        sudo apt-get install squid3\n\n2. Edit the Squid config file at /etc/squid3/squid.conf:\n(If the file doesn’t exist, you’ll have to create it)\n\n        sudo nano /etc/squid3/squid.conf\n\n    Use a config file like this:\n\n        http_port 8080\n        cache_dir ufs /var/spool/squid3 100 16 256\n        cache_mgr local@localhost\n        access_log /var/log/squid3/access.log combined\n        http_access allow all\n\n3. Restart Squid to apply the new config:\n\n        sudo service squid3 restart\n\n4. Install stunnel:\n\n        sudo apt-get install stunnel4 -y\n\n5. 
Create a certificate:\n\n        openssl genrsa -out key.pem 2048\n        openssl req -new -x509 -key key.pem -out cert.pem -days 1095\n        cat key.pem cert.pem \u003e\u003e stunnel.pem\n        sudo cp stunnel.pem /etc/stunnel/\n\n6. Edit the stunnel config file at /etc/stunnel/stunnel.conf\n\n        sudo nano /etc/stunnel/stunnel.conf\n\n    Use a config file like this:\n\n        client = no\n        [squid]\n        accept = 10443\n        connect = 127.0.0.1:8080\n        cert = /etc/stunnel/stunnel.pem \n\n7. Start an SSL tunnel for the http proxy:\n\n        sudo stunnel4\n\n8. Test if tunnel and proxy work:\n\n        URL=\"http://google.com\" PROXY=127.0.0.1:10443; echo -e \"GET $URL HTTP/1.0\\\\n\\\\n\" | openssl s_client -connect $PROXY -ign_eof\n\n    Should return:\n    \n        HTTP/1.1 302 Moved Temporarily\n        Cache-Control: private\n        Content-Type: text/html; charset=UTF-8\n        Location: http://www.google.{depends on your location}\n        Content-Length: 258\n        Date: Sun, 12 Feb 2017 18:09:37 GMT\n        X-Cache: MISS from ubuntu\n        X-Cache-Lookup: MISS from ubuntu:8080\n        Via: 1.1 ubuntu (squid/3.3.8)\n        Connection: close\n        \n        \u003cHTML\u003e\u003cHEAD\u003e\u003cmeta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"\u003e\n        \u003cTITLE\u003e302 Moved\u003c/TITLE\u003e\u003c/HEAD\u003e\u003cBODY\u003e\n        \u003cH1\u003e302 Moved\u003c/H1\u003e\n        The document has moved\n        \u003cA HREF=\"http://www.google.{depends on your location}\"\u003ehere\u003c/A\u003e.\n        \u003c/BODY\u003e\u003c/HTML\u003e\n        \n\n[1]: 
https://www.chromium.org/developers/design-documents/secure-web-proxy\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffd-%2Fsslviassl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffd-%2Fsslviassl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffd-%2Fsslviassl/lists"}