WebSocketException: An error has occurred during a TLS handshake

Hi,

We have a problem with an older mobile app, written in Xamarin.Forms (using Couchbase Lite 1.4.1). After a migration to a new server Couchbase Sync Gateway/2.7.2(2;583d2dc) EE, we’re experiencing this exception running the app (both Android and iOS):

Log exception

ERROR Internal Server Error
16/03/2022 17:33:44|Fatal|WebSocket.connect|WebSocketSharp.WebSocketException: An error has occurred during a TLS handshake. —> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. —> Mono.Btls.MonoBtlsException: Ssl error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/tls_record.c:462
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223
— End of inner exception stack trace —
at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00046] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:178
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient(string,System.Security.Cryptography.X509Certificates.X509CertificateCollection,System.Security.Authentication.SslProtocols,bool)
at System.Net.Security.SslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/System.Net.Security/SslStream.cs:216
at WebSocketSharp.WebSocket.setClientStream () [0x000cd] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1934
— End of inner exception stack trace —
at WebSocketSharp.WebSocket.setClientStream () [0x000f0] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1943
at WebSocketSharp.WebSocket.doHandshake () [0x00000] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1253
at WebSocketSharp.WebSocket.connect () [0x00073] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1124
INFO) CHANGE TRACKER (WebSocketChangeTracker): [14] 2022-3-16 05:33:44.661+01:00 WebSocketChangeTracker[h2h_app_clienti/] connection with forcibly was closed (1015 An exception has occurred while connecting.)
16/03/2022 17:33:46|Fatal|WebSocket.connect|WebSocketSharp.WebSocketException: An error has occurred during a TLS handshake. —> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. —> Mono.Btls.MonoBtlsException: Ssl error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/tls_record.c:462
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289
at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223
— End of inner exception stack trace —
at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00046] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:178
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient(string,System.Security.Cryptography.X509Certificates.X509CertificateCollection,System.Security.Authentication.SslProtocols,bool)
at System.Net.Security.SslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/System.Net.Security/SslStream.cs:216
at WebSocketSharp.WebSocket.setClientStream () [0x000cd] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1934
— End of inner exception stack trace —
at WebSocketSharp.WebSocket.setClientStream () [0x000f0] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1943
at WebSocketSharp.WebSocket.doHandshake () [0x00000] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1253
at WebSocketSharp.WebSocket.connect () [0x00073] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1124
INFO) CHANGE TRACKER (WebSocketChangeTracker): [6] 2022-3-16 05:33:46.997+01:00 WebSocketChangeTracker[h2h_app_clienti/] connection with forcibly was closed (1015 An exception has occurred while connecting.)
16/03/2022 17:33:51|Fatal|WebSocket.connect|WebSocketSharp.WebSocketException: An error has occurred during a TLS handshake. —> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. —> Mono.Btls.MonoBtlsException: Ssl error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/tls_record.c:462
at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715
at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289
at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate03-16 17:33:51.158 V/mono-stdout(20803): at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223
at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00046] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:178
at System.Net.Security.SslStream.Auth03-16 17:33:51.160 V/mono-stdout(20803): at WebSocketSharp.WebSocket.setClientStream () [0x000cd] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1934
— End of inner exception stack trace —
at WebSocketSharp.WebSocket.setClientStream () [0x000f0] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1943
at WebSocketSharp.WebSocket.doHandshake () [0x00000] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1253
at WebSocketSharp.WebSocket.connect () [0x00073] in /Users/jenkins/jenkins/workspace/couchbase-lite-net-build@2/1.4.1/Android/couchbase-lite-net/vendor/websocket-sharp/websocket-sharp/WebSocket.cs:1124
INFO) SYNC (Puller): [11] 2022-3-16 05:33:51.180+01:00 Change tracker for 085c40ec-1cf0-4bd3-b994-40be85d7e7ac stopped
INFO) SYNC (Puller): [15] 2022-3-16 05:33:51.187+01:00 Change tracked stopped, entering retry loop…

It looks like a problem coming from remote Couchbase SyncGateway, but we’ve no idea how we can verify this. Anyone have some ideas?

Thanks!

The minimum required version for Sync Gateway now is TLS 1.2. It sort of looks like your app settings are using the “managed TLS” setting rather than the “Native TLS” setting (the former doesn’t support 1.2). This is a Visual Studio setting you can change:

HttpClient Stack and SSL/TLS Implementation Selector for Android - Xamarin | Microsoft Docs

EDIT I can’t remember how custom the implementation is in 1.x either. It has been end of life for years at this point :frowning:

1 Like

Hi @borrrden, thanks for your reply!

Finally we’ve found the solution. The problem was VS2019 (both Windows and Mac version): TLS settings was discarded at compile time. We forced the security protocol type at startup with this instruction:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

It works! (In VS2017 this issue doesn’t exists). Thanks again for your suggestion and hope that this solution can help someone else.