No safe ciphers supported #228
Comments
Do we have any environments to test this scenario, Lukas, or could you @RubenKelevra provide us with a test account so we can debug this matter?
Please provide us with a link to your domain, @RubenKelevra.
@LukasReschke Just enter this as the domain and the Android app says "SSL connection error" or similar. This domain entered in Chrome on the same device works. After removing my explicit ssl-ciphers this also works in the app.
What Android version are you using?
@LukasReschke and @RubenKelevra here is the stack trace I get when trying the URL, and to me this seems to be a configuration issue to some extent:
Or the SSL library can't handle this, I don't know since I am not an SSL expert. My test is the latest beta run on a Nexus 5X with Android 7.0.
@LukasReschke none, this was done on a phone of a friend which runs Android 7.
@AndyScherzinger which additional info do you need? :)
@RubenKelevra I don't need any, the URL is fine for me looking at it from a client perspective, to try to further debug this matter. Not sure if anyone from the server/core team can support this matter, so cc @MorrisJobke @rullzer @nickvergessen
I can't reproduce this on my Android (with the same cipher list for nginx); it is running Android 6. This seems to be something not related to the server part but to the webserver config.
@rullzer I quoted the full ssl-config of this server. I think it might be related to "ssl_ecdh_curve secp384r1;" or a 4096 bit dhkey might be too large ... Actually Android since 4.x should support these options. :)
@rullzer if you run your nginx with OpenSSL please confirm the very latest version is installed; I use LibreSSL on all servers because OpenSSL had no support for ChaCha20 until the very last version.
I'm running dev-libs/openssl-1.0.2h-r2 (gentoo).
@rullzer all right, feel free to ask if you need some further info :)
Hi... It appears the Android app needs SSLv3 connections and a SHA1 cipher to connect to the NC server.
The Android app can communicate only with 'ECDHE-RSA-AES128-SHA'. I explain in another NC post why it's very bad.
Can you connect to Nextcloud via the browser with that cipher suite? If not, we blame Android.
@rullzer it might be Android or rather our client lib (which is very old, from the fork), see nextcloud/android-library#17
@rullzer: Really? Have you read my post completely and all related information? I don't know :(
@hucste I missed your first link. Sorry for the noise.
@rullzer: ok, thanks! 💃
@RubenKelevra did you change the server config? Just asking since my phone can now establish a secure connection?!
@AndyScherzinger Since this bug is still around I had to, there are users which need this server. But if you need a testing URL I can provide the same server config as before on a different URL.
@ALL I can confirm the Android app does NOT need an SSLv3 connection; my server is not capable of TLS connections below 1.2 for security reasons. So just all new secure Perfect Forward Secrecy ciphers seem to be a problem, as well as ChaCha20-Poly1305, which is very well supported by Android.
@hucste the sslv3 part only means these ciphers were introduced with sslv3, which does not mean they are limited to sslv3 handshakes.
@RubenKelevra a test URL would be awesome for debugging, investigating and testing this matter. Could you then also tell me the name of the used cipher of the test instance?
@AndyScherzinger line 16 in the code block in comment number 10
So it is @RubenKelevra, what would be the test instance? 😃
When the server admin changes the cipher suites to unsupported ciphers after the user has logged in, the mobile app just fails silently, i.e. it looks like it tries to load something and then just returns the cached results instead of showing an error.
Just upgraded to Android 7 and the Nextcloud app can't connect due to "SSL initialization failed". This might be a more widespread problem soon.
I'm having the same issue on Android 7 with both the Nextcloud app and the Nextcloud Beta app. I was able to temporarily make it work by setting my SSL ciphers to the following in Nginx
This works by allowing some less secure ciphers, which I am not a fan of. Hopefully a newer SSL library can be used to fix this issue.
Still open
Just ran into this issue on Android 9, SSL Initialization Error on a CloudFlare'd install, where cipher suites can't be changed. Has this really not been fixed 3 years later?
This seems like an issue with Cloudflare as well to me. In my opinion we should still put more pressure on Google to provide faster updates for their mobile OS and to deliver more secure ciphers.
My issue is my installation works perfectly fine in the built-in browser on my phone, it's only in this app that this issue is happening, as other people have reported. So I don't really understand how this is the fault of the OS and not the Nextcloud app.
Oh ... Well it usually was an issue with apps using the stack browsers libraries. If that is only an issue with this app, then sorry for the noise.
By "built-in" you probably mean Chrome. I'm sure it comes with its own TLS library and does not use the crypto APIs shipped with the Android runtime.
That could be the case, my stock browser was Vanadium which is based on Chromium. But if that is the case I don't see why Nextcloud won't do the exact same thing (include its own TLS library), when the alternative is using a known weak crypto API.
That isn't a configurable option. It's probable that enabling older (<1.2) versions of TLS in Cloudflare (which is an option) would fix this issue, but weakening security server-side to fix an app on one platform seems like an unacceptable solution to me.
Because it's difficult and expensive to maintain. TLS 1.3 is coming with Android Q. @jonaharagon which Android version do you use?
Pie, with the latest security patches. I'm running GrapheneOS on a Pixel 3, specifically.
There is a new logging framework being worked on at the moment. I just skimmed over the SSL code in the Nextcloud codebase and I see there is some interesting data dumped in logs. We're waiting for #4275 to be merged. Let's see then if we can learn something from the app log. @tobiasKaminsky Shall the user send logs to you?
I think logs can be attached in GitHub, which is better to have them directly in place.
Maybe this could help?
https://github.com/google/conscrypt/blob/master/CAPABILITIES.md :)
I use the same for Talk :)

On Mon, 5 Aug 2019, 13:14 Andy Scherzinger wrote:
Maybe this could help?
DAVx⁵ uses Conscrypt to support modern TLS protocol versions and ciphers even on older devices. Both your client (DAVx⁵) and the CalDAV/CardDAV server must share at least one cipher, otherwise a SSLProtocolException will occur.
https://github.com/google/conscrypt/blob/master/CAPABILITIES.md :)
While you don't rely on jackrabbit for WebDAV communication, not sure if jackrabbit and Conscrypt play well together, cc @tobiasKaminsky
I just gave it a try: #4314
This request did not receive an update in the last 4 weeks. Please take a look again and update the issue with new details, otherwise the issue will be automatically closed in 2 weeks. Thank you!
resolved via #4314 - please report back in case 3.8.0 doesn't fix this matter.
Actual behaviour
No connections possible with secure ciphers
Expected behaviour
Secure ciphers supported
Steps to reproduce
Environment data
Android version: latest stable
Device model: exchangeable
Stock or customized system: native android
Nextcloud app version: latest today
Nextcloud server version: 9.0.51
Nginx cipher config