No safe ciphers supported

[RubenKelevra]

Actual behaviour

No connections possible with secure ciphers

Expected behaviour

Secure ciphers supported

Steps to reproduce

1. create a server with safe ciphers
2. start android app
3. try to connect

Environment data

Android version: latest stable

Device model: exchangeable

Stock or customized system: native android

Nextcloud app version: latest today

Nextcloud server version: 9.0.51

Nginx cipher config

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!MD5:!aNULL:!EDH:!RC4:!DSS;
ssl_prefer_server_ciphers on;

[AndyScherzinger]

cc @LukasReschke

Do we have any environments to test this scenario Lukas or could you @RubenKelevra provide us with a test account so we can debug this matter?
Another things is that I am not sure if this is a client matter since many people in the forums had client problems while using nginx since it seems the nginx configuration has to be rather specific.

[LukasReschke]

Please provide us with a link to your domain, @RubenKelevra.

[RubenKelevra]

@LukasReschke
https://cloud.itu2015.de

Just enter this as domain and the Android App says "SSL connection error" or similar.

This domain entered on chrome on the same device works. After removing my explicit ssl-ciphers this works also in the app.

[LukasReschke]

What Android version are you using?

[AndyScherzinger]

@LukasReschke and @RubenKelevra here is the stack trace I get when trying the URL and to me this seems to be a configuration issue to some extend:

08-30 18:07:25.201 25775-25831/com.nextcloud.android.beta E/GetRemoteStatusOperation: Connection check at https://cloud.itu2015.de: SSL exception
  javax.net.ssl.SSLHandshakeException: Handshake failed
      at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
      at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.verifyPeerIdentity(AdvancedSslSocketFactory.java:248)
      at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.createSocket(AdvancedSslSocketFactory.java:185)
      at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
      at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
      at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
      at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
      at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:222)
      at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:192)
      at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.tryConnection(GetRemoteStatusOperation.java:89)
      at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.run(GetRemoteStatusOperation.java:194)
      at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
      at com.owncloud.android.operations.GetServerInfoOperation.run(GetServerInfoOperation.java:81)
      at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
      at com.owncloud.android.services.OperationsService$ServiceHandler.nextOperation(OperationsService.java:489)
      at com.owncloud.android.services.OperationsService$ServiceHandler.handleMessage(OperationsService.java:425)
      at android.os.Handler.dispatchMessage(Handler.java:102)
      at android.os.Looper.loop(Looper.java:154)
      at android.os.HandlerThread.run(HandlerThread.java:61)
   Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x75c5e0c1c0: Failure in SSL library, usually a protocol error
  error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x75d494eca0:0x00000001)
  error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x75d720ef76:0x00000000)
      at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
      at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
        ... 20 more

Or the SSL library can't handle this, don't know since I am not an SSL expert. My test is latest beta run on an Nexus5X with Android 7.0

[RubenKelevra]

@LukasReschke none, this was done on a phone of a friend which runs on android 7

[RubenKelevra]

@AndyScherzinger which infos do you need additional? :)

[AndyScherzinger]

@RubenKelevra I don't need any, the URL is fine for me looking at it from a client perspective, to try to further debug this matter. Not sure if anyone from the server/core team can support this matter, so cc @MorrisJobke @rullzer @nickvergessen

[rullzer]

I can't reproduce this on my android (with the same cipher list for nginx) it is running android 6.

This seems to be something not related to the server part but to the webserver config.

[RubenKelevra]

@rullzer I quoted the full full ssl-config of this server. I think it's might be related to "ssl_ecdh_curve secp384r1;" or a 4096 bit dhkey might be to large ... Actually Android since 4.x should support this options. :)

ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
resolver 8.8.8.8;
ssl_stapling on;
ssl_stapling_verify on;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

ssl_certificate /etc/nginx/certs/cloud.itu2015.de.crt;
ssl_certificate_key /etc/nginx/certs/cloud.itu2015.de.key;

ssl_dhparam /etc/nginx/certs/cloud.itu2015.de.dh4096.pem;
ssl_trusted_certificate /etc/nginx/certs/startssl-ca-certs.pem;

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!MD5:!aNULL:!EDH:!RC4:!DSS;
ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Public-Key-Pins 'max-age=5184000; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="';

[RubenKelevra]

@rullzer if you run your nginx with openssl please confirm the very latest version is installed, I use LibreSSL on all Servers because OpenSSL had no support for ChaCha20 until the very last version.

[rullzer]

I'm runnig dev-libs/openssl-1.0.2h-r2 (gentoo).
I could debug more but then I'll need to setup stuff in a docker/VM since I don't want to mess with my life instance ;)

[RubenKelevra]

@rullzer allright, feel free if to ask if you need some further infos :)

[hucste]

Hi...
I confirm this bad bogue. :(
Please, see all this nextcloud thread where i wroted informations.

It appear app android need SSLv3 connections and SHA1 cipher to connect at server NC.
If the server NC is correctly setted with ultra secured ciphers as 'EECDH+AES:+AES128:+AES256', those app Android can not connect. It's necessary to downgrade security SSL by adding ':SHA' as 'EECDH+AES:+AES128:+AES256:+SHA' to obtain connections!
But...

# openssl ciphers -v 'EECDH+AES:+AES128:+AES256:+SHA'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1

App Android can communicate only with 'ECDHE-RSA-AES128-SHA'.

I explain in other NC post why it's very bad.

[rullzer]

Can you connect to nextcloud via the browser with that cipher suite.

If not we blame android
If you can well then it must be something in a lib we use to connect.

[AndyScherzinger]

@rullzer it might be Android or rather our client lib (which is very old, from the fork), see nextcloud/android-library#17

[hucste]

@rullzer : Really ? have you read completly my post and all related informations? I dont know :(
sorry, but I do not want to repeat myself!

[rullzer]

@hucste a missed your first link. Sorry for the noise

[hucste]

@rullzer: ok, thanks! 💃

[AndyScherzinger]

@RubenKelevra did you change the server config? Just asking since my phone can now establish a secure connection?!

[RubenKelevra]

@AndyScherzinger Since this bug is still around I had to, there are users which needs this server. But if you need a testing-url I can provide the same serverconfig as before on a different URL.

[RubenKelevra]

@ALL I can confirm the android-app does NOT need an SSLv3 connection, my Server is not capable of TLS connections below 1.2 for security-reasons. So just all new secure Perfect Forward Secrecy ciphers seems to be a problem as well as ChaCha20-Poly1305 which is very well supported by Android.

[RubenKelevra]

@hucste the sslv3 part only means this ciphers are introduced with sslv3, which does not mean they are limited to sslv3 handshakes.

[AndyScherzinger]

@RubenKelevra a test url would be awesome for debugging, investigating and testing this matter. Could you then also tells me the name of the used cipher of the test instance?

[RubenKelevra]

@AndyScherzinger line 16 in codeblock on comment Number 10

[AndyScherzinger]

so

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!MD5:!aNULL:!EDH:!RC4:!DSS;

it is

@RubenKelevra what would be the test instance? 😃

[Gerii]

When the server admin changes the cipher suites to unsupported ciphers after the user has logged into the mobile app just fails silently, i.e. it looks like it tries to load something and then just returns the cached results instead of showing an error.

[jnaskali]

Just upgraded to Android 7 and NextCloud app can't connect due to "SSL initialization failed". This might be a more widespread problem soon.

[lanrat]

I'm having the same issue on Android 7 with both the NextCloud app and the NextCloud Beta app.

I was able to temporarily make it work by setting my SSL ciphers to the following in Nginx

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

This works by allowing some less secure ciphers which I am not a fan of. Hopefully a newer SSL library can be used to fix this issue.

[AndyScherzinger]

Still open

[jonaharagon]

Just ran into this issue on Android 9, SSL Initialization Error on a CloudFlare'd install, where cipher suites can't be changed. Has this really not been fixed 3 years later?

[Schmuuu]

SSL Initialization Error on a CloudFlare'd install, where cipher suites can't be changed.

This seems like an issue with Cloudflare as well to me.
Why can't they change cipher suites? It's a server and that should be configurable. Usually servers try to offer all cipher suites which are required by used clients.
Are you sure you can't request a change of the cipher suites on your server? Maybe contact Cloudflare support.

In my opinion we should still put more pressure on Google to provide faster updates for their mobile OS and to deliver more secure ciphers.
You would be surprised how many cipher suites my old Win10 mobile and WinPhone 8.1 devices actually support. I never had issues with strictly (secure) configured websites. At least these regular updates MS provided should have been a good example for Google.

[jonaharagon]

My issue is my installation works perfectly fine in the built-in browser on my phone, it’s only in this app that this issue is happening, as other people have reported. So I don’t really understand how this is the fault of the OS and not the Nextcloud app.

[Schmuuu]

Oh ... Well it usually was an issue with apps using the stack browsers libraries. If that is only an issue with this app, then sorry for the noise.

[ezaquarii]

My issue is my installation works perfectly fine in the built-in browser on my phone

By "built-in" you probably mean Chrome. I'm sure it comes with own TLS library and does not use crypto APIs shipped with android runtime.

[jonaharagon]

That could be the case, my stock browser was Vanadium which is based on Chromium. But if that is the case I don't see why Nextcloud won't do the exact same thing (include its own TLS library), when the alternative is using a known weak crypto API.

This seems like an issue with Cloudflare as well to me.
Why can't they change cipher suites?

That isn't a configurable option. It's probable that enabling older (<1.2) versions of TLS in Cloudflare (which is an option) would fix this issue, but weakening security server-side to fix an app on one platform seems like an unacceptable solution to me.

[ezaquarii]

But if that is the case I don't see why Nextcloud won't do the exact same thing

Because it's difficult and expensive to maintain.

TLS 1.3 is coming with Android Q.
TLS 1.2 should be supported since Android API 20+ (Lollipop).

@jonaharagon which Android version do you use?

[jonaharagon]

Just ran into this issue on Android 9

Pie, with the latest security patches. I'm running GrapheneOS on a Pixel 3, specifically.

[ezaquarii]

There is new logging framework being worked on in the moment. I just skimmed over SSL code in the nextcloud codebase and I see there si some interesting data dumped in logs. We're waiting for #4275 ot be merged.

Let's see then if we can learn something from the app log.

@tobiasKaminsky Shall the user send logs to you?

[tobiasKaminsky]

@tobiasKaminsky Shall the user send logs to you?

I think logs can be attached in GitHub, which is better to have them directly in place.

[AndyScherzinger]

Maybe this could help?

DAVx⁵ uses Conscrypt to support modern TLS protocol versions and ciphers even on older devices. Both your client (DAVx⁵) and the CalDAV/CardDAV server must share at least one cipher, otherwise a SSLProtocolException will occur.

https://github.com/google/conscrypt/blob/master/CAPABILITIES.md :)

Conscrypt supports Java 7 or later on OpenJDK and Gingerbread (API Level 9) or later on Android. The build artifacts are available on Maven Central.

[mario]

I use the same for Talk :)

…

On Mon, 5 Aug 2019, 13:14 Andy Scherzinger, ***@***.***> wrote: Maybe this could help? DAVx⁵ uses Conscrypt to support modern TLS protocol versions and ciphers even on older devices. Both your client (DAVx⁵) and the CalDAV/CardDAV server must share at least one cipher, otherwise a SSLProtocolException will occur. https://github.com/google/conscrypt/blob/master/CAPABILITIES.md :) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#228?email_source=notifications&email_token=AAABNMXYMIIPWKHZY7LZWGLQDADRBA5CNFSM4COBLM4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3RP4LQ#issuecomment-518192686>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAABNMQRWMFHHG6NTJYSQADQDADRBANCNFSM4COBLM4A> .

[AndyScherzinger]

I use the same for Talk :)

Whiel you don't rely on jackrabbit for WebDAV communication, not sure if jackrabbit and Conscrypt play well together, cc @tobiasKaminsky

[tobiasKaminsky]

I just gave it a try: #4314
Can you please test it?
I am not that sure if I added it on the correct place, but at least server connection should now work.

[stale]

This request did not receive an update in the last 4 weeks. Please take a look again and update the issue with new details, otherwise the issue will be automatically closed in 2 weeks. Thank you!

[AndyScherzinger]

resolved via #4314 - please report back in case 3.8.0 doesn't fix this matter.