Error while connecting with TLS certificates


I’m trying to connect to the server with the self-signed TLS client certificates (created with generate-CA.sh), but I’m having some issues.

2022-06-05 22:51:15.979 D MessageProcessor: message:TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key, 
2022-06-05 22:51:15.980 D BackgroundService: endpoint state changed Error. Message: TLS setup failed: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
java.io.IOException: error constructing MAC: java.security.InvalidKeyException: No installed provider supports this key: com.android.org.bouncycastle.jcajce.PKCS12Key
	at com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:852)
	at java.security.KeyStore.load(KeyStore.java:1484)
	at org.owntracks.android.support.SocketFactory.<init>(SourceFile:304)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.getMqttConnectOptions(SourceFile:186)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.connectToBroker(SourceFile:177)
	at org.owntracks.android.services.MessageProcessorEndpointMqtt.sendMessage(SourceFile:30)
	at org.owntracks.android.services.MessageProcessor.lambda$sendAvailableMessages$0(Unknown Source:2)
	at org.owntracks.android.services.MessageProcessor.$r8$lambda$bVYaIhYhXtJCzBaSxWOGtcUu6f8(Unknown Source:0)
	at org.owntracks.android.services.MessageProcessor$$ExternalSyntheticLambda1.call(Unknown Source:4)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at android.os.Handler.handleCallback(Handler.java:938)
	at android.os.Handler.dispatchMessage(Handler.java:99)
	at android.os.Looper.loopOnce(Looper.java:226)
	at android.os.Looper.loop(Looper.java:313)
	at android.os.HandlerThread.run(HandlerThread.java:67)

Here’s what I’ve tried so far:

  • Turn off TLS and verify that the recorder config is correctly set up
  • Used mosquitto_pub and mosquitto_sub to verify that certs generated with generate-CA.sh are working fine
  • Reinstall the app
  • Tried with new users/certs
  • Verified that I’m using the same CA for the server/client cert.

…but no luck so far. Not sure what’s wrong, but my only guess is that either openssl is generating an incorrect .p12 file or the OS/app somehow can’t find the API required to open the PKCS12 file.

Here is some additional information that may help the debugging process:

  1. I’ve used the following command to create the .p12 file from the existing crt/key file:
     openssl pkcs12 -export -in name.crt -inkey name.key -name "name-cert" -out name.p12
  2. When I tried to add name.p12 file in the system settings, it did not accept the password I put in. It’s a very simple password and I’ve verified it multiple times. Perhaps this is somehow related?
  • App build number: 2.4.8, 20408019
  • Android version: 12
  • Device: Galaxy S21 Ultra
  • Installation source: Google play

Thanks for all the help!
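The command in the issue leaves every PKCS#12 algorithm at whatever the local OpenSSL version defaults to, and it is never checked with the same password before being handed to Android. The script below is an added example, not code from the OwnTracks project or from the issue author, and it is not the app-side change the maintainers describe later in the thread. It assumes an openssl binary (1.1.1 or 3.x) on PATH and uses placeholder names ("name", "name-cert", a throwaway "Test CA") chosen for the script. It exports the bundle with explicitly chosen legacy algorithms (SHA-1 MAC, SHA1/3DES PBE for both bags, the combination that older Java and BouncyCastle stacks accept; it is an assumption, not something the thread establishes, that the stripped Android BouncyCastle rejects the OpenSSL 3.x defaults of AES-256-CBC with PBKDF2 and an HMAC-SHA-256 MAC), then verifies the MAC under the intended password and under a wrong one, which is the local equivalent of the "settings did not accept the password" symptom in item 2.

```shell
#!/bin/sh
# Added example; not code from the OwnTracks project or the issue author.
# Assumes openssl (1.1.1 or 3.x) on PATH. "name", "name-cert" and the
# "Test CA" subject are placeholders chosen for this script.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 0; }

# Generate a throwaway CA plus a client key/cert so the script runs offline.
# usage: make_test_material DIR
make_test_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=name" \
    -keyout "$dir/name.key" -out "$dir/name.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/name.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/name.crt" 2>/dev/null
}

# Export the PKCS#12 with algorithms pinned explicitly instead of relying on
# the OpenSSL version's defaults: SHA-1 MAC and SHA1+3DES PBE for both bags.
# (OpenSSL 3.x otherwise writes AES-256-CBC with PBKDF2 and an HMAC-SHA-256 MAC.)
# usage: export_legacy_p12 CERT KEY FRIENDLY_NAME OUT PASSWORD
export_legacy_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" \
    -passout "pass:$5" \
    -macalg sha1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
}

# Verify the bundle the way a strict loader would: the MAC must verify under
# the given password (a wrong password makes openssl exit non-zero), and both
# the shrouded key bag and the certificate bag must report SHA1/3DES PBE.
# Returns 0 when both hold, 1 otherwise.
# usage: check_p12 FILE PASSWORD
check_p12() {
  out=$(openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1) || return 1
  n=$(printf '%s\n' "$out" | grep -c 'pbeWithSHA1And3-KeyTripleDES-CBC' || true)
  [ "$n" -eq 2 ]
}

demo() {
  tmp=$(mktemp -d)
  make_test_material "$tmp"
  export_legacy_p12 "$tmp/name.crt" "$tmp/name.key" name-cert "$tmp/name.p12" 'correct horse'
  if check_p12 "$tmp/name.p12" 'correct horse'; then
    echo "name.p12: MAC verified, both bags use SHA1/3DES PBE"
  fi
  if ! check_p12 "$tmp/name.p12" 'wrong'; then
    echo "name.p12: MAC verification fails with a wrong password (expected)"
  fi
  rm -rf "$tmp"
}

demo
```

Run it as is to see both outcomes; to apply it to real material, call export_legacy_p12 with your own crt/key and then check_p12 with the exact password you intend to type on the phone. If check_p12 fails under the password you believe you set, the problem is in the export step, not in Android.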

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 35

Top GitHub Comments

1 reaction
lerra commented, Nov 6, 2022

Alright, big thanks again for helping out, i really appreciate it and sent a donation.

On Sun, Nov 6, 2022, 21:16 Andrew Rowson @.***> wrote:

Great to hear, I’ll get that BC vendor change merged for the next release.

For sponsorships, we use liberapay.com/owntracks.org

— https://github.com/owntracks/android/issues/1225#issuecomment-1304884769

1 reaction
lerra commented, Nov 4, 2022

Confirmed: screenshot of the apk you sent in working state with client certificate, and then I exported and imported the config to the latest version from Google Play and it does not work 😃

Big thanks for the great support!

Latest version in Google Play: (screenshot)

The apk you uploaded yesterday: (screenshot)

Btw, any plans to enable github sponsors on the repo ?

