
Error message "SSL handshake aborted" in an app

Continuing the discussion from Problems with some sites:

@AlbertJP Since you have some experience, maybe you can help out with this issue:

My Android 4.4.2 system is missing a root certificate by Trustwave / it has one that is by “SecureTrust Corporation” and when I download a root certificate from the Trustwave website and try to install it, it says that it is already installed. I think that the SecureTrust certificate is in the way.

Do you have an idea how I could make that app work for that specific podcast?

PS.: I have a 5-year-old Sony e-reader at home, which is hopelessly outdated, but works really fine for reading. Since the software is so closed and Sony didn’t release updates, the browser throws errors for almost all websites I try to visit.

The error “SSL handshake aborted” could also be triggered by a too old SSL library that tries to connect to a server that has disabled weak handshakes like SSL 3.0/TLS 1.0. In these cases, only a new SSL library would help, which is built into Android.

2 Likes

Is there any way for me as a user to solve this? Or is it rather something that’s controlled by the app’s code, as this StackOverflow answer suggests?

Is there a replacement firmware for that e-reader or e-readers in general?

On a browser level, you can use Firefox for Android which brings its own TLS library and currently supports the latest and greatest version of TLS (TLS 1.3).

This however, will not fix the handshake problems with apps that use the built-in SSL/TLS library. It is unfortunate, but your phone is reaching its end of life when it comes to modern security protocols. The only way to fix this would be to upgrade to Android 5.0, which comes with support for TLS 1.2.

I did some research and it seems like Android 4.1+ does support TLS 1.2 in client side TLS sockets, but that is disabled by default and has to be manually enabled by the app developer.
EDIT: K-9 Mail does exactly that.

1 Like

I believe most apps don’t use their own TLS library but Android system’s one. This is exactly a good source for this error.

Heh, I just found out the Startcom certs are still enabled by default in LOS 14.1 (with microG, I suppose w/o as well). GG CA system. I disabled them manually and recommend everyone to do the same!

EDIT: https://www.reddit.com/r/LineageOS/comments/907qqz/startcom_ca_still_trusted/

1 Like

The web site sends the TrustWave certificate after its own, as an intermediate certificate. The web site is trusted by TrustWave, and in turn TrustWave (certificate included with the web site) is trusted by SecureTrust which is installed, and then your system trusts the web site. This is a chain of certificates, and such a chain is quite common and can be even longer. Sometimes chaining is used for compatibility reasons with older browsers: the chain contains a certificate that is in the store of modern devices, but not of old ones; it gets sent anyway ‘just in case’.

1 Like
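The chain-building described in the post above, as an added example written for this thread (not code from Android or any TLS library). It models only the issuer-name walk that turns a bundle sent by the server into a path ending at a root in the device's trust store; signature and validity checks are deliberately left out. All certificate names below are constructed placeholders, not real Trustwave or SecureTrust subject names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Name-only model of certificate path building (added example; no crypto). */
public final class ChainWalk {
    static final class Cert {
        final String subject, issuer;
        Cert(String subject, String issuer) { this.subject = subject; this.issuer = issuer; }
        boolean isSelfSigned() { return subject.equals(issuer); }
    }

    /**
     * Start at the leaf and follow issuer names through the certificates the
     * server sent, stopping as soon as an issuer is found in the trust store.
     * Returns the path (leaf first, trusted root last) or null if no root is reached.
     */
    static List<String> buildPath(Cert leaf, List<Cert> sent, Set<String> trustStore) {
        Map<String, Cert> bySubject = new HashMap<>();
        for (Cert c : sent) bySubject.put(c.subject, c);
        List<String> path = new ArrayList<>();
        Cert cur = leaf;
        int hops = 0;
        while (cur != null && hops++ < 10) {           // bound the walk; issuer loops are possible
            path.add(cur.subject);
            if (trustStore.contains(cur.issuer)) {      // issuer is a root we already trust: done
                path.add(cur.issuer + " [trust store]");
                return path;
            }
            if (cur.isSelfSigned()) return null;        // reached a root nobody trusts
            cur = bySubject.get(cur.issuer);            // next hop must have been sent by the server
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed bundle: leaf, its intermediate, and a cross-signed copy of the
        // intermediate's root issued by an older root "just in case" (as the post describes).
        Cert leaf  = new Cert("CN=podcast.example",        "CN=Example Intermediate CA");
        Cert inter = new Cert("CN=Example Intermediate CA", "CN=Example New Root");
        Cert cross = new Cert("CN=Example New Root",        "CN=Example Old Root");
        List<Cert> sent = Arrays.asList(leaf, inter, cross);

        Set<String> modernStore = new HashSet<>(Arrays.asList("CN=Example New Root"));
        Set<String> oldStore    = new HashSet<>(Arrays.asList("CN=Example Old Root"));
        Set<String> emptyStore  = new HashSet<>();

        System.out.println("modern device: " + buildPath(leaf, sent, modernStore));
        // -> [CN=podcast.example, CN=Example Intermediate CA, CN=Example New Root [trust store]]
        System.out.println("old device:    " + buildPath(leaf, sent, oldStore));
        // -> [..., CN=Example Intermediate CA, CN=Example New Root, CN=Example Old Root [trust store]]
        System.out.println("neither root:  " + buildPath(leaf, sent, emptyStore));
        // -> null  (handshake would be rejected as untrusted)
    }
}
```

The walk shows why installing a root that is "already installed" changes nothing: the device in the thread already holds the older root, and the server's cross-signed certificate lets the path terminate there. When neither root is in the store the walk runs off the end of the sent bundle and the connection is refused, which on an old Android build surfaces as the same generic handshake error as a protocol-version mismatch.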