This repository has been archived by the owner. It is now read-only.

[Nextcloud 2.2.3.4 Mac OS] Initial connexion fails ('connection closed') with strong ciphers (TSL 1.1 & 1.2 only) #13

Closed
serge-vk opened this Issue Aug 31, 2016 · 157 comments

Comments

Projects
None yet
@serge-vk

serge-vk commented Aug 31, 2016

Expected behaviour

When setting up a NextCloud account, after typing in the server address (https) in the 'Set up NextCloud server' dialogue and clicking 'next', the 'Enter user credentials' dialogue should be displayed.

Actual behaviour

A pop-up 'Connection failed' is shown with the message 'Failed to connect to the secure server address https://my.nextcloud.server/nextcloud. How do you wish to proceed?' If I click 'Select a different URL', I see the error message 'Failed to connect to Nextcloud at https://my.nextcloud.server/nextcloud/status.php: connection closed'.

OwnCloud client v. 2.2.2 (build 3472) works normally.

Steps to reproduce

  1. Install Nextcloud Mac OS client
  2. Start Nextcloud client application
  3. Try to connect to a server

Server configuration

Operating system: FreeBSD 10.3 p7
Web server: Nginx 1.11.3
Database: MariaDB 10.1.16
PHP version: 7.0.10
NextCloud version: 10.0 stable
Storage backend (external storage): ZFS data set (no external storage)

I think that this problem may be related to the cipher suite I configured in the web server. I have included the relevant lines from nginx.conf:

ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

Client configuration

Client version: 2.2.3 (build 4)
Operating system: Mac OS X 10.10.5, Mac OS X 10.9.5 (two test cases)
OS language: English UK
Installation path of client: /Applications/nextcloud.app

Logs

  1. Client log (the lines appended after clicking 'next'):
08-31 09:51:01:988 0x600000015640 OCC::PostfixLineEdit::setFullText: "https://"
08-31 09:51:19:041 0x600000015640 unknown: QIODevice::read: device not open
08-31 09:51:19:045 0x600000015640 OCC::AbstractNetworkJob::start: !!! OCC::CheckServerJob created for "https://srv.addr/nextcloud" + "status.php" "OCC::OwncloudSetupWizard"
08-31 09:51:19:069 0x600000015640 OCC::AbstractNetworkJob::slotFinished: void OCC::AbstractNetworkJob::slotFinished() 2 "Connection closed" QVariant(Invalid)
08-31 09:51:19:070 0x600000015640 OCC::CheckServerJob::finished: error: status.php replied  0 ""
08-31 09:51:19:090 0x600000015640 OCC::PostfixLineEdit::setFullText: "https://srv.addr/nextcloud"
08-31 09:51:30:630 0x600000015640 OCC::PostfixLineEdit::setFullText: "https://srv.addr/nextcloud"
08-31 09:52:33:889 0x600000015640 OCC::SocketApi::slotNewConnection: SocketApi:  New connection SocketApiSocket(0x608000639560)
08-31 09:52:33:891 0x600000015640 OCC::SocketApi::sendMessage: SocketApi:  Sending message:  "SHARE_MENU_TITLE:Share with Nextcloud"
08-31 09:52:37:546 0x600000015640 -[DelegateObject updaterDidNotFindUpdate:]: -[DelegateObject updaterDidNotFindUpdate:] 
  1. Nginx error log (after clicking 'next'):
2016/08/31 09:17:16 [info] 42607#100990: *2241 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: my.server.ip, server: 0.0.0.0:443
2016/08/31 09:17:16 [info] 42607#100990: *2242 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: my.server.ip, server: 0.0.0.0:443
2016/08/31 09:17:16 [info] 42607#100990: *2243 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: my.server.ip, server: 0.0.0.0:443
2016/08/31 09:17:16 [info] 42607#100990: *2244 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: my.server.ip, server: 0.0.0.0:443
  1. NextCloud log: No entries at the time of attempted connexion
@serge-vk

This comment has been minimized.

Show comment
Hide comment
@serge-vk

serge-vk Aug 31, 2016

I am not sure if this is the right tracker, but I got booted out of the tracker for the OwnCloud client.

serge-vk commented Aug 31, 2016

I am not sure if this is the right tracker, but I got booted out of the tracker for the OwnCloud client.

@LukasReschke

This comment has been minimized.

Show comment
Hide comment
@LukasReschke

LukasReschke Sep 1, 2016

Member

Please post your server address.

Member

LukasReschke commented Sep 1, 2016

Please post your server address.

@serge-vk

This comment has been minimized.

Show comment
Hide comment
@serge-vk

serge-vk Sep 1, 2016

Hi Lukas,
My server is behind a corporate firewall. I am willing to poke a hole in it for you to test the connexion, but to do that I would need the IP address (or a subnet at least) from where you would like to connect.

serge-vk commented Sep 1, 2016

Hi Lukas,
My server is behind a corporate firewall. I am willing to poke a hole in it for you to test the connexion, but to do that I would need the IP address (or a subnet at least) from where you would like to connect.

@LukasReschke

This comment has been minimized.

Show comment
Hide comment
@LukasReschke

LukasReschke Sep 1, 2016

Member

I'd love a test with https://www.ssllabs.com/ssltest/analyze.html against it. Hard to have an IP range there :/

Member

LukasReschke commented Sep 1, 2016

I'd love a test with https://www.ssllabs.com/ssltest/analyze.html against it. Hard to have an IP range there :/

@serge-vk

This comment has been minimized.

Show comment
Hide comment
@serge-vk

serge-vk Sep 1, 2016

I will try opening the ssllabs IP address and running the test. If that does not work, I could set up a separate server with the same nginx configuration (maybe, just a test static page) and open it to outside. Would that be useful?

serge-vk commented Sep 1, 2016

I will try opening the ssllabs IP address and running the test. If that does not work, I could set up a separate server with the same nginx configuration (maybe, just a test static page) and open it to outside. Would that be useful?

@LukasReschke

This comment has been minimized.

Show comment
Hide comment
@LukasReschke

LukasReschke Sep 1, 2016

Member

Yes. Certainly :)

Member

LukasReschke commented Sep 1, 2016

Yes. Certainly :)

@serge-vk

This comment has been minimized.

Show comment
Hide comment
@serge-vk

serge-vk Sep 1, 2016

Hi Lukas, for the moment I hit an obstacle. SSL Labs requires a domain name to run tests. It refuses to work with IP addresses and so far we just used IP address to connect to the server. I could probably put up a proper DNS record and try again (though, that's another unplanned exercise). Maybe, I will try to tweak the Nginx configuration first and see if if makes any difference.

serge-vk commented Sep 1, 2016

Hi Lukas, for the moment I hit an obstacle. SSL Labs requires a domain name to run tests. It refuses to work with IP addresses and so far we just used IP address to connect to the server. I could probably put up a proper DNS record and try again (though, that's another unplanned exercise). Maybe, I will try to tweak the Nginx configuration first and see if if makes any difference.

@Groggy

This comment has been minimized.

Show comment
Hide comment
@Groggy

Groggy commented Sep 2, 2016

@LukasReschke

This comment has been minimized.

Show comment
Hide comment
@LukasReschke

LukasReschke Sep 2, 2016

Member

Maybe owncloud/client@127c107, let's see…

Member

LukasReschke commented Sep 2, 2016

Maybe owncloud/client@127c107, let's see…

@freretuc

This comment has been minimized.

Show comment
Hide comment
@freretuc

freretuc Sep 2, 2016

I have the same issue with the nextcloud server 10.0 and the nextcloud client (2.2.3 build 4) but the owncloud client (v2.2.3.3601) works fine.

freretuc commented Sep 2, 2016

I have the same issue with the nextcloud server 10.0 and the nextcloud client (2.2.3 build 4) but the owncloud client (v2.2.3.3601) works fine.

@serge-vk

This comment has been minimized.

Show comment
Hide comment
@serge-vk

serge-vk Sep 2, 2016

I have been randomly changing my ssl configuration, modifying ciphers, protocols, &c and so far this is what I found: I kept getting the same error as originally reported until I enabled TLS v1.0 (ssl_protocols TLSv1;). So far, I haven't found any nginx configuration working with the NextCloud client with TLS v1.1 or 1.2 protocols.

serge-vk commented Sep 2, 2016

I have been randomly changing my ssl configuration, modifying ciphers, protocols, &c and so far this is what I found: I kept getting the same error as originally reported until I enabled TLS v1.0 (ssl_protocols TLSv1;). So far, I haven't found any nginx configuration working with the NextCloud client with TLS v1.1 or 1.2 protocols.

@LukasReschke

This comment has been minimized.

Show comment
Hide comment
@LukasReschke

LukasReschke Sep 2, 2016

Member

That makes sense. I guess it's owncloud/client@127c107, before I trigger that recompilation job (takes a lot of time…). Can you check if you have SNI enabled on the host?

If so, can you disable it for testing purposes? It should work then. That would help :)

Member

LukasReschke commented Sep 2, 2016

That makes sense. I guess it's owncloud/client@127c107, before I trigger that recompilation job (takes a lot of time…). Can you check if you have SNI enabled on the host?

If so, can you disable it for testing purposes? It should work then. That would help :)

@serge-vk

This comment has been minimized.

Show comment
Hide comment
@serge-vk

serge-vk Sep 2, 2016

The output of nginx -V on my server returns 'TLS SNI support enabled'. I have to confess, though, that I have no idea about how to disable it. I could probably try recompiling openssl with --disable-tlsext option. Do you know if there is a less invasive way?

serge-vk commented Sep 2, 2016

The output of nginx -V on my server returns 'TLS SNI support enabled'. I have to confess, though, that I have no idea about how to disable it. I could probably try recompiling openssl with --disable-tlsext option. Do you know if there is a less invasive way?

@farion

This comment has been minimized.

Show comment
Hide comment
@farion

farion Sep 5, 2016

I have the same problem. The windows version works btw. Also the owncloud version worked for me. I tried also to enable TLSv1 on my nginx without luck.

farion commented Sep 5, 2016

I have the same problem. The windows version works btw. Also the owncloud version worked for me. I tried also to enable TLSv1 on my nginx without luck.

@serge-vk

This comment has been minimized.

Show comment
Hide comment
@serge-vk

serge-vk Sep 6, 2016

Hi Farion. Just to make sure I was not inventing stuff, I enabled TLSv1 on my main server (before I was playing with a test VM that did not actually have NextCloud installed) and I am able to set up a NextCloud account through the Mac OS client normally. It seems to sync just fine as well, although I haven't made many changes so far. I am not going to keep this configuration, but from cursory testing, NextCloud client is perfectly functional with TLSv1 on my set-up (see the issue report).

serge-vk commented Sep 6, 2016

Hi Farion. Just to make sure I was not inventing stuff, I enabled TLSv1 on my main server (before I was playing with a test VM that did not actually have NextCloud installed) and I am able to set up a NextCloud account through the Mac OS client normally. It seems to sync just fine as well, although I haven't made many changes so far. I am not going to keep this configuration, but from cursory testing, NextCloud client is perfectly functional with TLSv1 on my set-up (see the issue report).

@sethrd

This comment has been minimized.

Show comment
Hide comment
@sethrd

sethrd Sep 6, 2016

Enabling TLSv1 in nginx allows the client to work for me, but I'm not going to run an insecure protocol just to use the official client. The owncloud client works for the time being.

sethrd commented Sep 6, 2016

Enabling TLSv1 in nginx allows the client to work for me, but I'm not going to run an insecure protocol just to use the official client. The owncloud client works for the time being.

@Minutemanqvs

This comment has been minimized.

Show comment
Hide comment
@Minutemanqvs

Minutemanqvs Sep 9, 2016

On Apache (CentOS 7), reverting from a secure configuration to the default settings "solves" this issue, but it's bad. Here is an example Apache configuration to test this issue:

Non-working secure config:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Working less-secure config:

SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Nextcloud client version 2.2.3 (build 4) has this issue, Owncloud client version 2.2.3 (build 3601) works fine.

Minutemanqvs commented Sep 9, 2016

On Apache (CentOS 7), reverting from a secure configuration to the default settings "solves" this issue, but it's bad. Here is an example Apache configuration to test this issue:

Non-working secure config:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Working less-secure config:

SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Nextcloud client version 2.2.3 (build 4) has this issue, Owncloud client version 2.2.3 (build 3601) works fine.

@serge-vk

This comment has been minimized.

Show comment
Hide comment
@serge-vk

serge-vk Sep 9, 2016

On my set-up (see report), the only change I had to make was to add TLSv1 to the original statement ssl_protocols TLSv1.1 TLSv1.2;. The original strong cipher suites worked fine with TLSv1.0, but I need TLSv1.2, so I'll use OwnCloud client for the time being.

serge-vk commented Sep 9, 2016

On my set-up (see report), the only change I had to make was to add TLSv1 to the original statement ssl_protocols TLSv1.1 TLSv1.2;. The original strong cipher suites worked fine with TLSv1.0, but I need TLSv1.2, so I'll use OwnCloud client for the time being.

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Sep 10, 2016

generally i'd recommend to check against:
https://wiki.mozilla.org/Security/Server_Side_TLS
and their provided server config generator:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
when you're about to compile, in addition to the existing conditions the various operating systems provide (like old ssl versions on mac os...)

as silly as my recommendation sounds, i got the links stated above from your server admin documentation ( https://docs.nextcloud.com/server/10/admin_manual/configuration_server/harden_server.html?#use-https => Proper SSL configuration)

thank you for recompiling.

ghost commented Sep 10, 2016

generally i'd recommend to check against:
https://wiki.mozilla.org/Security/Server_Side_TLS
and their provided server config generator:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
when you're about to compile, in addition to the existing conditions the various operating systems provide (like old ssl versions on mac os...)

as silly as my recommendation sounds, i got the links stated above from your server admin documentation ( https://docs.nextcloud.com/server/10/admin_manual/configuration_server/harden_server.html?#use-https => Proper SSL configuration)

thank you for recompiling.

@koehn

This comment has been minimized.

Show comment
Hide comment
@koehn

koehn Sep 14, 2016

I've also got the same problem on my server; it seems the client is unable to connect via TLS 1.2; as others have commented, the OwnCloud client works fine (as does the iOS client, BTW).

koehn commented Sep 14, 2016

I've also got the same problem on my server; it seems the client is unable to connect via TLS 1.2; as others have commented, the OwnCloud client works fine (as does the iOS client, BTW).

@Steve8291

This comment has been minimized.

Show comment
Hide comment
@Steve8291

Steve8291 Sep 17, 2016

Same problem for me. Using ownCloud client until there is a fix.

Steve8291 commented Sep 17, 2016

Same problem for me. Using ownCloud client until there is a fix.

@zeigerpuppy

This comment has been minimized.

Show comment
Hide comment
@zeigerpuppy

zeigerpuppy Sep 26, 2016

I have the same issue too, since I updated my cipher suites to the recommended secure for nginx (from Mozilla SSL Configuration Generator, as the docs suggest). I can connect with the client (mac 2.2.3.4) to my nextcloud if I proxy via apache but a direct connection via nginx fails.
It certainly seems like the cipher suites in the client may need an update.

zeigerpuppy commented Sep 26, 2016

I have the same issue too, since I updated my cipher suites to the recommended secure for nginx (from Mozilla SSL Configuration Generator, as the docs suggest). I can connect with the client (mac 2.2.3.4) to my nextcloud if I proxy via apache but a direct connection via nginx fails.
It certainly seems like the cipher suites in the client may need an update.

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Sep 29, 2016

Same here, any clue from the dev team?

ghost commented Sep 29, 2016

Same here, any clue from the dev team?

@MojoDwarf

This comment has been minimized.

Show comment
Hide comment
@MojoDwarf

MojoDwarf Oct 8, 2016

I can confirm Nextcloud-2.2.4.1 still experiences the same issue.
Likewise owncloud 2.2.4.3709 is still working.

MojoDwarf commented Oct 8, 2016

I can confirm Nextcloud-2.2.4.1 still experiences the same issue.
Likewise owncloud 2.2.4.3709 is still working.

@Ardakilic

This comment has been minimized.

Show comment
Hide comment
@Ardakilic

Ardakilic Oct 14, 2016

I'm also having the same issue with Nextcloud client 2.2.4 on Sierra. Owncloud client works nice though.

Ardakilic commented Oct 14, 2016

I'm also having the same issue with Nextcloud client 2.2.4 on Sierra. Owncloud client works nice though.

@rullzer

This comment has been minimized.

Show comment
Hide comment
@rullzer

rullzer Oct 17, 2016

Member

This is an issue with our build chain on OS X. Where Qt isn't playing nice with openssl. We are looking into it but lets phrase it this way: trying to compile and ship anything not on the approved by list is a pain.

Member

rullzer commented Oct 17, 2016

This is an issue with our build chain on OS X. Where Qt isn't playing nice with openssl. We are looking into it but lets phrase it this way: trying to compile and ship anything not on the approved by list is a pain.

@rullzer rullzer changed the title from [Nextcloud 2.2.3.4 Mac OS] Initial connexion fails ('connection closed') with strong ciphers to [Nextcloud 2.2.3.4 Mac OS] Initial connexion fails ('connection closed') with strong ciphers (TSL 1.1 & 1.2 only) Oct 17, 2016

@tvk7 tvk7 referenced this issue Oct 27, 2016

Closed

Segmentation Fault #40

@MartinHahner88

This comment has been minimized.

Show comment
Hide comment
@MartinHahner88

MartinHahner88 Oct 17, 2017

Unfortunately Nextcloud-2.3.3.1beta.pkg is not working for me under MacOS High Sierra 10.13.1 Beta (17B35a)
It says "Failed to connect to server at https://... : Unknown error"

MartinHahner88 commented Oct 17, 2017

Unfortunately Nextcloud-2.3.3.1beta.pkg is not working for me under MacOS High Sierra 10.13.1 Beta (17B35a)
It says "Failed to connect to server at https://... : Unknown error"

@kangaroo72

This comment has been minimized.

Show comment
Hide comment
@kangaroo72

kangaroo72 Oct 17, 2017

I think macOS High Sierra ... has even more "suprises" ... :-(

kangaroo72 commented Oct 17, 2017

I think macOS High Sierra ... has even more "suprises" ... :-(

@divansantana

This comment has been minimized.

Show comment
Hide comment
@divansantana

divansantana Oct 17, 2017

@mario Can confirm that Nextcloud-2.3.2-beta-x86_64.glibc2.14.AppImage fixes the issue on a Linux (Devuan 9) system connecting to the Nextcloud VM, which is hardened by default.

divansantana commented Oct 17, 2017

@mario Can confirm that Nextcloud-2.3.2-beta-x86_64.glibc2.14.AppImage fixes the issue on a Linux (Devuan 9) system connecting to the Nextcloud VM, which is hardened by default.

@plinss

This comment has been minimized.

Show comment
Hide comment
@plinss

plinss Oct 17, 2017

Work for me on both Sierra (10.12.6) and High Sierra (10.13), connects with TLS 1.2 ECDHE-ECDSA-AES256-GCM-SHA384. Haven't tested the 10.13.1 beta.

Thanks for addressing this. Next up: supporting OpenSSL 1.1.0 to get CHACHA20-POLY1305 support, though that can maybe wait until they go final with TLS 1.3 support

plinss commented Oct 17, 2017

Work for me on both Sierra (10.12.6) and High Sierra (10.13), connects with TLS 1.2 ECDHE-ECDSA-AES256-GCM-SHA384. Haven't tested the 10.13.1 beta.

Thanks for addressing this. Next up: supporting OpenSSL 1.1.0 to get CHACHA20-POLY1305 support, though that can maybe wait until they go final with TLS 1.3 support

@ymhuang0808

This comment has been minimized.

Show comment
Hide comment
@ymhuang0808

ymhuang0808 Oct 18, 2017

Nextcloud-2.3.3.1beta works for me on macOS High Sierra. The SSL configuration is from modern profile in Mozilla Generator.

Thanks a lot.

ymhuang0808 commented Oct 18, 2017

Nextcloud-2.3.3.1beta works for me on macOS High Sierra. The SSL configuration is from modern profile in Mozilla Generator.

Thanks a lot.

@plinss

This comment has been minimized.

Show comment
Hide comment
@plinss

plinss Oct 25, 2017

Can also confirm that Nextcloud-2.3.2-beta-x86_64.glibc2.14.AppImage works on Debian 9.2.

However Nextcloud-2.3.3-beta-x86_64.AppImage is NOT working on Debian 9.2 against the same Nextcloud instance (TLS 1.2, strong ciphers only). Getting SSL errors.

plinss commented Oct 25, 2017

Can also confirm that Nextcloud-2.3.2-beta-x86_64.glibc2.14.AppImage works on Debian 9.2.

However Nextcloud-2.3.3-beta-x86_64.AppImage is NOT working on Debian 9.2 against the same Nextcloud instance (TLS 1.2, strong ciphers only). Getting SSL errors.

@S3phe

This comment has been minimized.

Show comment
Hide comment
@S3phe

S3phe Oct 25, 2017

I can confirm: 2.3.3beta (build 1) (GIT 57bc79) works on Mac OS High Sierra Beta 10.13 (17A362a)

S3phe commented Oct 25, 2017

I can confirm: 2.3.3beta (build 1) (GIT 57bc79) works on Mac OS High Sierra Beta 10.13 (17A362a)

@madmas

This comment has been minimized.

Show comment
Hide comment
@madmas

madmas Oct 28, 2017

Hi,
I can confirm that Nextcloud-2.3.3.1beta.pkg is working on macOS Sierra 10.12.6
Looking forward to the official release 👍 , thank you :-)

madmas commented Oct 28, 2017

Hi,
I can confirm that Nextcloud-2.3.3.1beta.pkg is working on macOS Sierra 10.12.6
Looking forward to the official release 👍 , thank you :-)

@mario

This comment has been minimized.

Show comment
Hide comment
@mario

mario Oct 28, 2017

Member
Member

mario commented Oct 28, 2017

@Steve8291

This comment has been minimized.

Show comment
Hide comment
@Steve8291

Steve8291 Oct 28, 2017

I can also confirm that Nextcloud-2.3.3.1beta.pkg is working with macOS Sierra 10.12.6 using strong ciphers only TLS v1.2 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384 Curves secp521r1:secp384r1:prime256v1 Seeing no errors in any logs.
This is fantastic. Thank you.

Steve8291 commented Oct 28, 2017

I can also confirm that Nextcloud-2.3.3.1beta.pkg is working with macOS Sierra 10.12.6 using strong ciphers only TLS v1.2 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384 Curves secp521r1:secp384r1:prime256v1 Seeing no errors in any logs.
This is fantastic. Thank you.

@nursoda

This comment has been minimized.

Show comment
Hide comment
@nursoda

nursoda Oct 28, 2017

I confirm that it works fine here, too, on HighSierra. This is my letsencrypt config for Apache 2.4.10 on Debian 9.2 stable ('modern' + ':ECDHE-RSA-AES256-SHA' for Android 4.3):
SSLProtocol all -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA SSLHonorCipherOrder on SSLCompression off SSLOptions +StrictRequire
Please release.

nursoda commented Oct 28, 2017

I confirm that it works fine here, too, on HighSierra. This is my letsencrypt config for Apache 2.4.10 on Debian 9.2 stable ('modern' + ':ECDHE-RSA-AES256-SHA' for Android 4.3):
SSLProtocol all -SSLv3 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA SSLHonorCipherOrder on SSLCompression off SSLOptions +StrictRequire
Please release.

@patschi

This comment has been minimized.

Show comment
Hide comment
@patschi

patschi Oct 30, 2017

Member

Can also confirm Nextcloud-2.3.3.1beta.pkg as working on macOS High Sierra, using:

ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
Member

patschi commented Oct 30, 2017

Can also confirm Nextcloud-2.3.3.1beta.pkg as working on macOS High Sierra, using:

ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
@tht

This comment has been minimized.

Show comment
Hide comment
@tht

tht Nov 1, 2017

Nextcloud-2.3.3.1beta.pkgalso works on OS X El Capitan (10.11.6) using TLSv1.2.

tht commented Nov 1, 2017

Nextcloud-2.3.3.1beta.pkgalso works on OS X El Capitan (10.11.6) using TLSv1.2.

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Nov 6, 2017

Hi,
I tried Nextcloud-2.3.3.1beta.pkg and it did not work.

My Nginx allows following ciphers:
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;

and listens with following protocols
listen 443 http2;
listen [::]:443 http2;

ghost commented Nov 6, 2017

Hi,
I tried Nextcloud-2.3.3.1beta.pkg and it did not work.

My Nginx allows following ciphers:
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;

and listens with following protocols
listen 443 http2;
listen [::]:443 http2;

@kangaroo72

This comment has been minimized.

Show comment
Hide comment
@kangaroo72

kangaroo72 Nov 6, 2017

Eeeeh... Am I wrong? You're using 2.3.3.1?
2.3.3.4 will fix this...

kangaroo72 commented Nov 6, 2017

Eeeeh... Am I wrong? You're using 2.3.3.1?
2.3.3.4 will fix this...

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Nov 6, 2017

Yeah thanks if one has tomatoes on his eyes one won't find the latest version here: Mac Beta Versions
:/

Yeah with the latest it is working which is stil lesser than 2.3.3.4:
Nextcloud-2.3.3.1beta.pkg

Where can I find the latest latest?
Although as long as it is working I do not care :D but maybe for later use if somethign breaks again.

ghost commented Nov 6, 2017

Yeah thanks if one has tomatoes on his eyes one won't find the latest version here: Mac Beta Versions
:/

Yeah with the latest it is working which is stil lesser than 2.3.3.4:
Nextcloud-2.3.3.1beta.pkg

Where can I find the latest latest?
Although as long as it is working I do not care :D but maybe for later use if somethign breaks again.

@kangaroo72

This comment has been minimized.

Show comment
Hide comment
@kangaroo72

kangaroo72 Nov 6, 2017

Now you're right... rofl
I'm also using 2.3.3.1... Confused.
Will check, when I'm at home again...

kangaroo72 commented Nov 6, 2017

Now you're right... rofl
I'm also using 2.3.3.1... Confused.
Will check, when I'm at home again...

@kangaroo72

This comment has been minimized.

Show comment
Hide comment
@kangaroo72

kangaroo72 Nov 6, 2017

Aaah it's my typo... 2.3.3.4 does not exist... 2.2.3.4 was mentioned

kangaroo72 commented Nov 6, 2017

Aaah it's my typo... 2.3.3.4 does not exist... 2.2.3.4 was mentioned

@kangaroo72

This comment has been minimized.

Show comment
Hide comment
@kangaroo72

kangaroo72 Nov 6, 2017

Damn mobile phone 2.3.3.1 of course

kangaroo72 commented Nov 6, 2017

Damn mobile phone 2.3.3.1 of course

@raoulbhatia

This comment has been minimized.

Show comment
Hide comment
@raoulbhatia

raoulbhatia Nov 14, 2017

I was bit by the same bug and wasted about 2 hours running nextcloud on nginx with TLSv1.2 only.
My peers did not experience the problem with their (older?) owncloud client.

Upgrading to Nextcloud-2.3.3.1beta.pkg resolved the issue... What a nextcloud fail...

raoulbhatia commented Nov 14, 2017

I was bit by the same bug and wasted about 2 hours running nextcloud on nginx with TLSv1.2 only.
My peers did not experience the problem with their (older?) owncloud client.

Upgrading to Nextcloud-2.3.3.1beta.pkg resolved the issue... What a nextcloud fail...

@lattedesu lattedesu referenced this issue Nov 18, 2017

Closed

Adding Seafile #40

@Upperholme

This comment has been minimized.

Show comment
Hide comment
@Upperholme

Upperholme Dec 5, 2017

What I'm struggling to understand is why a broken client is being offered to Mac users? I only wasted about an hour from the point where I'd downloaded the broken official release from https://nextcloud.com/install/#install-clients to the point where I've found this thread and been able to get hold a working beta. Why not just stick a notice on that page?

Upperholme commented Dec 5, 2017

What I'm struggling to understand is why a broken client is being offered to Mac users? I only wasted about an hour from the point where I'd downloaded the broken official release from https://nextcloud.com/install/#install-clients to the point where I've found this thread and been able to get hold a working beta. Why not just stick a notice on that page?

@esmail

This comment has been minimized.

Show comment
Hide comment
@esmail

esmail Dec 6, 2017

Just got the popup to update to 2.3.3 build 84 and ...it works!

esmail commented Dec 6, 2017

Just got the popup to update to 2.3.3 build 84 and ...it works!

@nursoda

This comment has been minimized.

Show comment
Hide comment
@nursoda

nursoda Dec 6, 2017

Finally ... I confirm 2.3.3 release fixes the issue here too. Server: 12.0.4, TLS config see comment above.

nursoda commented Dec 6, 2017

Finally ... I confirm 2.3.3 release fixes the issue here too. Server: 12.0.4, TLS config see comment above.

@mario

This comment has been minimized.

Show comment
Hide comment
@mario

mario Dec 7, 2017

Member

Thank you all for testing guys! :)

Member

mario commented Dec 7, 2017

Thank you all for testing guys! :)

@mario mario closed this Dec 7, 2017

@Upperholme

This comment has been minimized.

Show comment
Hide comment
@Upperholme

Upperholme Dec 7, 2017

https://nextcloud.com/install/#install-clients is still offering the broken 2.3.2.1 release.

Upperholme commented Dec 7, 2017

https://nextcloud.com/install/#install-clients is still offering the broken 2.3.2.1 release.

@jospoortvliet

This comment has been minimized.

Show comment
Hide comment
@jospoortvliet

jospoortvliet Dec 7, 2017

Member

@Upperholme yeah, still had to update the site. Did a PR this morning and got it approved some minutes ago, deployed the website to offer 2.3.3 - should be live once caches expire (max 30 minutes).

Member

jospoortvliet commented Dec 7, 2017

@Upperholme yeah, still had to update the site. Did a PR this morning and got it approved some minutes ago, deployed the website to offer 2.3.3 - should be live once caches expire (max 30 minutes).

@Steve8291

This comment has been minimized.

Show comment
Hide comment
@Steve8291

Steve8291 Dec 7, 2017

Yes. A big thank you to everyone who finally made this happen!

Steve8291 commented Dec 7, 2017

Yes. A big thank you to everyone who finally made this happen!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.