Nextcloud connection fails with SSLv3 error #123

Closed
feutl opened this issue Mar 13, 2020 · 8 comments

feutl commented Mar 13, 2020

One of my tablets started (don't know exactly when) throwing an SSL handshake error to my Nextcloud instance.

All my multiple clients are using the same Nextcloud instance and they work except this one ;)

Error message as a screenshot
[Screenshot: photoframe]

The device is a
ODroid-C1
Android: 4.4.4
Kernel: 3.10.33
Photocloud-Frame: 1.13.16

I tested Firefox on this device, and was able to connect to the Nextcloud instance.

Thanks for any hint and help :)

Owner

mvysny commented Mar 15, 2020

Hi! I'm guessing that it was actually your nextcloud that got updated, or something in front of nextcloud which decodes https into http. The problem is that sslv3 is deprecated since it's unsafe: https://ma.ttias.be/rfc-7568-ssl-3-0-is-now-officially-deprecated/. It could be that nextcloud stopped supporting sslv3. If memory serves right, Android 4.4.4 did not support newer protocols than sslv3.

It sounds to me that you will either have to upgrade your tablet, or it's possible to specifically allow sslv3 on your server.

Author

feutl commented Mar 15, 2020

The funny thing is, I even have an older tablet with an Android version you do not even support any more, and this one still works.
But yes, letsencrypt certs do get renewed regularly. I just thought photoframe enforces SSL or can handle this differently.

Also funny, Firefox on the same device just works opening my nextcloud instance. So I do not know if it really is an Android API issue.

Author

feutl commented Mar 15, 2020

After some analysis, it seems I need to make some adjustments with those "older" devices. Replacing them seems the only option, as far as I have understood.
Thanks

Owner

mvysny commented Mar 15, 2020

> The funny thing is, I even have an older tablet with an Android version you do not even support any more, and this one still works.

Okay that sounds pretty weird :-D Even though according to https://ankushg.com/posts/tls-1.2-on-android/

> despite documentation suggesting otherwise, not all devices on Android 4.1+ actually support TLS 1.2.

Could it be that your tablet is one of those without a proper support for TLS 1.2? (That's a successor protocol to sslv3)

> Also funny, Firefox on the same device just works opening my nextcloud instance. So I do not know if it really is an Android API issue.

Hmm could it be that Firefox packages its own ssl library which does support TLS 1.3? That could explain this behaviour. PhotoCloud uses the Android built-in https support, and that one might lack support for TLS, falling back to sslv3. I wonder whether it's possible to show the protocol used in the Android Firefox browser?

> After some analysis, it seems I need to make some adjustments with those "older" devices. Replacing them seems the only option, as far as I have understood.

Alternatively you can either use plain http (of course that's insecure and prone to MitM attacks with the possibility for the attacker to learn your password, however if the tablet is at all times connected to the same wifi network as your nextcloud server then that's okay). Alternatively you can try to reconfigure your NextCloud server to accept sslv3.

Please let me know whether this answers your question 👍

Author

feutl commented Mar 31, 2020

After some reading, I must assume that my Odroid C1 is one of these "very special" devices :)
I do upgrade the machine to a newer one, and doing so I also ensure that I use an Android version which is at least 5 or much higher.
Thanks for the help, the issue is "resolved" 💃

feutl closed this as completed Mar 31, 2020
Author

feutl commented Apr 20, 2020

@mvysny
After some reading and testing with the devices I found, you should consider raising your minimum Android limit to 5.
The TLS 1.2 implementation, which gets enforced more often by different vendors, does not work properly on any device with a lower Android version than 5.

So perhaps you can just enforce using 5, and document that as well. I assume in the future more "older" devices with 4.4 are unable to use HTTPS connections because of TLS 1.2.

Owner

mvysny commented Apr 22, 2020

Thanks! There are users using PhotoCloud on older tablets, accessing their photo collection via Samba (Windows Share) or other means which do not require TLS1.2. Increasing minimum Android version would cut these people off. Therefore I'd like to keep the current minimum.

That being said, it's really good to have this issue documented, since all Android 4.4 users may run into this at some point. I've added this information into the FAQ at http://www.android-photo-frame.eu/faq.html

I'm also pasting the error message here in plain text, so that users can google this more easily.

The full error message reads:

Failed to connect. Please make sure that the server is running, is accessible from your phone and your OwnCloud config.php's
trusted_domain list contains 'xxx'.
Error. java.io.IOException: list / failed: -1: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL
handshake aborted: ssl=0x6cb36970: Failure in SSL library, usually a protocol error.
error 14077410:SSL routines: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741
0x6a45d74:0x00000000)

@AlphaCactus

It appears that Dropbox API has also stopped supporting TLS 1.x. https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Reminder-The-Dropbox-API-will-no-longer-accept-TLS-1-0-or-1-1/td-p/582785

A remote user took a photo of the error so I can't see the entire error message on screen, but the part I can read shows in small text along the top of the display: Warning: error while polling for photos, showing cached photos until the stream+WIFI comes back online: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb7e5c910; Failure in {… illegible in photo … } usually a protocol error…
Then in large text in the middle of the screen: The stream failed, retrying. Please wait.

Would it be possible to get a list of services (if any exist), in addition to the Windows Samba Share, which are still supported on these older devices?
