Skip to content
This repository has been archived by the owner on Nov 28, 2024. It is now read-only.

[BUG] clarify config for FreshRSS, EasyRSS and TLS 1.3 #68

Open
oupala opened this issue Jul 22, 2021 · 4 comments
Open

[BUG] clarify config for FreshRSS, EasyRSS and TLS 1.3 #68

oupala opened this issue Jul 22, 2021 · 4 comments

Comments

@oupala
Copy link

oupala commented Jul 22, 2021

Describe the bug

On my configuration, I had apache configured to serve only pages under TLS, and only TLS 1.3.

I also use EasyRSS (from F-Droid) on my android to read my feeds.

It appears that the configuration on my server is not compliant with my android device or with EasyRSS, as EasyRSS cannot use FreshRSS's api when the server is configured to serve only page with TLS 1.3.

The difficult part here is that EasyRSS is not correctly handling the error and say that the username or the password is wrong. In fact, the username and the password were perfectly right, so was the FreshRSS api url. The only solution was to enable TLS 1.2 so that EasyRSS can use the api of FreshRSS

To Reproduce
Steps to reproduce the behavior:

  1. install FreshRSS
  2. configure apache to serve pages under TLS 1.3
  3. install EasyRSS on an android device
  4. try to connect to the api of FreshRSS with EasyRSS
  5. see that EasyRSS is getting an error about a wrong username or password

Expected behavior

I was expecting everything to work well, and that EasyRSS can connect to the api of FreshRSS.

Additional context

I suppose the problem comes from EasyRSS as I was able to use the web interface of FreshRSS using my Fennec (Firefox mobile) browser. Si I think it is not my android device that is reluctant to TLS 1.3.

As a consequence, there is 2 problems with EasyRSS:

  • it does not support TLS 1.3 for TLS negociation
  • it does not handle well any TLS negociation error and let it appear as a login/password error where it is in reality an http/tls configuration issue

I think the documentation of FreshRSS should spread a word about this limitation so no one else will loose hours trying to update his login and password...

I will also file this issue in FreshRSS issues, as the issue has impacts in FreshRSS *and EasyRSS.

@Frenzie
Copy link
Collaborator

Frenzie commented Jul 22, 2021

I suppose the problem comes from EasyRSS as I was able to use the web interface of FreshRSS using my Fennec (Firefox mobile) browser. Si I think it is not my android device that is reluctant to TLS 1.3.

I think Firefox includes its own libraries, so it's certainly not a given that it isn't due to the Android device. Android didn't support TLS 1.3 until Android 10, so if you have an older version it won't work. (Presumably it's not too hard to include the relevant libraries to enable support on something like Android 5+ or 6+, though with Android you never know.)

@oupala
Copy link
Author

oupala commented Jul 23, 2021

I'm running Android 7.1.2 (lineage os) so I believe my android does not support TLS 1.3 natively.

But if @Frenzie is right, if Firefox can include support for TLS 1.3, I think it should also be possible to do so for EasyRSS.

If I understand it correctly, EasyRSS can use the embedded libraries of android in order to manage HTTP and TLS, or it can take in charge its own libraries and not rely on the librariesof android. Am I right?

In the meantime, it should be added in the doc that users should pay attention to the TLS version as it can make EasyRSS not to work with a FreshRSS instance.

@Frenzie
Copy link
Collaborator

Frenzie commented Jul 23, 2021

If I understand it correctly, EasyRSS can use the embedded libraries of android in order to manage HTTP and TLS, or it can take in charge its own libraries and not rely on the librariesof android. Am I right?

Firefox is a very different kind of app. But for EasyRSS it might be possible with https://github.com/google/conscrypt or equivalent.

@quantenzitrone
Copy link

I'm running FreshRSS through caddy as a reverse proxy, which serves TLS 1.2 and 1.3 by default. I can also confirmed that via openssl s_client rss.example.com:443 -tls1_2.

I still have the same problem, that, despite my password being definitely correct, it tells me the password is incorrect.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants