SSL handshake failed

Hi,

I have an app that connects to some public servers with valid SSL certificates.
The strange thing is that my app and the HTTPS connections work fine with the
SFOS emulator and my Sony XA2 Plus device. However, the same application deployed
on my Jolla 1 device always runs into the SSL handshake error.
I have the same SFOS version (3.3.0.16) installed on the Jolla 1 and my XA2 Plus device.
Any ideas what could be the problem for this different behaviour?

Any hints how to properly fix or debug the problem?

Thanks in Advance,

Cheers,
Andreas

Ok. Found the problem. The system time was completely wrong (of my Jolla1 Test device) - thus the certificate validation failed. Fixing the system time fixed my problem.

I’m wondering if a clock offset might explain why some of my Jolla browser tabs intermittently report as ‘connection not secure’… (Thank you AndyWuest / I will check for system time.)

That should be easy enough to test, right?

I didn’t know if the system clock was independent from the user settings clock; it seems it’s the same; that’s the easy part, yes.

I imagine if I checked some log it might be verbose enough to explain exactly why the errors occurred. I have updated the clock now though; will try to remember to report back after a ‘burn-in’ period.

(I’m used to having certain clocks 5 min. offset out of habit; if that’s incompatible with SFOS I’ll have to change my habit. NBD I guess.)

@AndyWuest I have the same problem on my Jolla 1 without SIM card. I enabled automatic update in the settings, but it set time from Finland and not from Switzerland.

What did you do to resolve this problem?

It seems this is the exact bug about the time updates:

https://together.jolla.com/question/886/bug-time-zone-changes-to-finland-helsinki-when-enabling-automatic-update-while-no-sim-card-is-inserted/

Yes, it’s right. I tried it. Time is now set correctly, but I still get SSH Handshake error with some apps (Storeman for instance).

Try something like:

    openssl s_client -debug -connect sailfish.openrepos.net:443 </dev/null

Didn’t help :confused:
I get the following error: PasteChaprilOrg

At end line I see:

    Start Time: 1648818457
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)

I think I have to follow this guide.

jap, worth a try!! :slight_smile:
good luck.

I need to dig more. Installing newer ca-certificates didn’t work :frowning:

If you are (much) more specific than “didn’t work”, I may be able to help you.

Makes sense :slight_smile:
I’ll update later this night all I did. Thank you very much for your help!

Here are all steps I did:

Setting correct zone while no SIM card inserted in the phone

  1. Edited file /home/nemo/.timed/settings.data and changed Helsinki to Zurich
  2. Executed:

         timedclient-qt5 --set-info=timeNitz --set-info=timezoneManual=Europe/London

Update certificates

First I tried with a newer ca-certificates package

    # On my Xperia 10 II running SailfishOS 4.4.0.58
    devel-su pkcon download /tmp ca-certificates
    # Copied to my Jolla 1 and then
    devel-su pkcon install-local /tmp/ca-certificates-XXXX.Y.ZZ-ABC.jolla.noarch.rpm

Then because nothing changed, I followed with:

    devel-su
    cd /etc/pki/ca-trust/source/blacklist
    # URL quoted so the shell does not treat '?' as a glob character
    curl -kLo DST-RootCA-X3.pem 'https://crt.sh/?d=8395'
    pkcon install openssl

    trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 > DST-Root-CA-X3.pem

    diff DST-RootCA-X3.pem DST-Root-CA-X3.pem
    rm DST-Root-CA-X3.pem
    update-ca-trust extract

If I run:

    openssl s_client -connect sailfish.openrepos.net:443

I get the following: PasteChaprilOrg

ca-certificates seems the right one:

    pkcon search ca-certificate
    […]
    Installed       ca-certificates-2021.2.50-1.6.1.jolla.noarch (installed)        The Mozilla CA root certificate bundle
    Available       ca-certificates-2018.2.26-1.4.1.jolla.noarch (jolla)            The Mozilla CA root certificate bundle

The expired X3 certificate is obviously still active (i.e., not blacklisted). Please redo method A, including step 2a (and 4a).

It worked! Thank you!
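
A triage helper for the two causes that came up in this thread (a wrong system clock, and an expired certificate still trusted in the chain), added here as an example and not posted by any participant. It reads `openssl s_client` output on stdin; the trusted reference time argument and the 300-second tolerance are assumptions, and the sample lines are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example: classify an `openssl s_client` result.
#   $1 = trusted reference time, epoch seconds (assumption: read from a
#        device whose clock is known to be correct); optional
#   $2 = tolerated clock skew in seconds (assumption: default 300)
# Prints: ok | clock-skew | expired-in-chain | not-yet-valid |
#         other:<code> | no-verify-line
triage_handshake() {
    ref=$1
    tol=${2:-300}
    out=$(cat)
    # "Start Time" is the local clock at session start.
    start=$(printf '%s\n' "$out" |
        sed -n 's/^ *Start Time: *\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    # Newer OpenSSL can print the verify line more than once; keep the last.
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -z "$code" ]; then echo "no-verify-line"; return 0; fi
    case $code in
        0) echo "ok" ;;
        9|10)
            # 9 = not yet valid, 10 = has expired: both depend on the clock,
            # so rule out skew before blaming the trust store.
            if [ -n "$ref" ] && [ -n "$start" ]; then
                skew=$((start - ref))
                if [ "$skew" -lt 0 ]; then skew=$((0 - skew)); fi
                if [ "$skew" -gt "$tol" ]; then echo "clock-skew"; return 0; fi
            fi
            if [ "$code" -eq 10 ]; then
                echo "expired-in-chain"   # e.g. an expired root still trusted
            else
                echo "not-yet-valid"
            fi ;;
        *) echo "other:$code" ;;
    esac
}

# Sample: the lines quoted in the thread; the reference time is constructed.
SAMPLE='    Start Time: 1648818457
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)'
printf '%s\n' "$SAMPLE" | triage_handshake 1648818400
```

On a device, pipe the real command into it: `openssl s_client -connect sailfish.openrepos.net:443 </dev/null 2>/dev/null | triage_handshake "$REF"`, where `REF` is the trusted epoch time.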