Does BW Android support TLSv1.3?

[bobberb]

My device stopped syncing 6 months ago without my knowledge until today. After doing some digging and putting TLSv1.2 in my nginx.conf first before TLSv1.3, I no longer have the handshake error. Is TLSv1.3 support planned for bitwarden?

[mpbw2]

What version of Android are you running @bobberb ? (Android 10 introduced support for TLSv1.3)

[bobberb]

I'm running the latest version of the S10+, most certainly Android 10.

On Tue, Jun 23, 2020, 4:31 PM Matt Portune notifications@github.com wrote:

What version of Android are you running @bobberb
https://github.com/bobberb ? (Android 10 introduced support for TLSv1.3)

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#990 (comment),
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAON37ASZ3YAZM56ZR2M2WDRYEGIPANCNFSM4OGAKXMQ
.

[mpbw2]

Ok thanks, we'll look into this.

[bobberb]

nginx:
2020/06/23 16:12:17 [crit] 425#425: *1 SSL_do_handshake() failed (SSL: error:142090BA:SSL routines:tls_early_post_process_client_hello:bad cipher) while SSL handshaking, client: 10.0.1.4, server: 0.0.0.0:443

Android: Error bad handshake

Bitwarden: Latest from Google Play
Nginx: 1.18
Openssl: 1.1.1.g-2 (Arch Linux)
Android: Kernel 4.14.117 Galaxy S10 G975U Android 10

[benjaminBrownlee]

Any progress on this issue? I don't do any C# or Android development, but I feel that this would be a pretty simple configuration option. With a look at the packages you are using for HTTP and a little bit of searching, I found this solution to enable all TLS versions:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

[mikejaques]

Answer the original question: no, the Android app does not currently, as of Feb 16, 2022. I had set my HAProxy to reject TLS < 1.3, and the app failed with "Handshake failed". If I set my HAProxy to reject < 1.2, I can successful login to my privately hosted bitwarden vault. So it maximally supports TLSv1.2 currently.

[Agraphie]

Would be great if this could be fixed. Are there any updates on the roadmap? TLS 1.3 is being rolled out more and more as default.

[Icelk]

Agreed. Some web servers have TLS 1.3 as the primary cipher, which means Bitwarden fails to log in, as they apparently choose TLS 1.3 when the client only supports TLS 1.2. This results in me not being able to log in.

[Icelk]

I've investigated further. BW supports TLS 1.3 and all the appropriate cipher suites and signature schemes. My problem was due to a misconfigured webserver. This issue can now be closed.

[benjaminBrownlee]

I've investigated further. BW supports TLS 1.3 and all the appropriate cipher suites and signature schemes. My problem was due to a misconfigured webserver. This issue can now be closed.

Care to elaborate and provide direction? It appears that several other people believe that this is an issue on the client side.

[Icelk]

Looking at the logs from my web server when I use the mobile app, its clear it supports TLS1.3:

[2022-06-28T06:59:12Z INFO  kvarn::encryption] Trying to handshake
[2022-06-28T06:59:12Z DEBUG rustls::server::hs] decided upon suite TLS13_AES_128_GCM_SHA256
[2022-06-28T06:59:12Z DEBUG rustls::server::hs] Chosen ALPN protocol [104, 116, 116, 112, 47, 49, 46, 49]
[2022-06-28T06:59:12Z INFO  kvarn::encryption] Successful handshake
[2022-06-28T06:59:12Z DEBUG kvarn] New connection requesting hostname 'Some("bitwarden.icelk.dev")'
[2022-06-28T06:59:12Z INFO  kvarn] Accepting requests from 192.168.1.1:40578
[2022-06-28T06:59:12Z DEBUG kvarn] We got a new request on connection.
[2022-06-28T06:59:12Z DEBUG kvarn] Accepting new connection from 192.168.1.1:40578 on bitwarden.icelk.dev
[2022-06-28T06:59:12Z INFO  kvarn_extensions::reverse_proxy] Sending request
[2022-06-28T06:59:12Z INFO  kvarn_extensions::reverse_proxy] Sent reverse-proxy request. Reading response.

The cipher suite TLS13_AES_128_GCM_SHA256 means TLS1.3 support.