Android Client cannot verify letsencrypt certificate

Hello all,

I have had my Seafile server running for a couple of months now. I used certbot to integrate a Let's Encrypt certificate. It works fine in LAN and WAN on multiple devices. Yet I have one Android phone in the field that suddenly got a certificate issue. It says untrusted connection and cannot verify the issuer, the fingerprint or the timestamp at all. I've tried clearing cache and data, reinstalling, LTE vs. WLAN, checked AV settings against other devices that work, and also imported the certificate manually. The user has no issue with her other devices (Windows and iOS).
Her security settings on her Android are also the same as mine. I don't know what to do anymore and need assistance. Since all other devices work fine I'm sure it's an issue on that phone. Any ideas?
Kind regards
Michael

Do other Let's Encrypt sites work? (Like seafile.com.) Otherwise try renewing the cert, and try Chrome.

The user can use Firefox and Chrome on that device and go to the server URL without any issues. It's only the Seafile app on that Android that is having this issue.

Have you tried an older/newer version?

It's the version installed from the Play Store yesterday, 2.11 something.

Try an older version: https://github.com/haiwen/seadroid/releases

I tested:

Seafile-2.2.10
Seafile-2.2.9
Seafile-2.2.8

no difference

Importing certs hasn't worked for the Android client for a long time now. Which Android version? Is there an old "shitty" internal browser, and if yes, does it accept the cert?

It's an Android 8.1 device and it's up to date from an app perspective.

Okay so I finally got this solved:

I needed to add DHE-RSA-AES128-SHA for this Android device to work. (It's a Honor 8.) Not so old, but it still seems to rely on that cipher.

Just wanted to let you know.


I confirm this is STILL an issue.

I had recently "tightened up" my SSL security on my public-facing nginx server that proxies to my personal Seafile server. Got an A+ rating on SSL Labs. Now I have to add that old cipher back in to get the app to work, which SSL Labs declares as "WEAK".

When will the app be updated to not rely on old ciphers?

Edit: I ALSO had to remove the nginx config lines for ssl_stapling. Even with this, while I can get the app to access the files once more I still get an error about an untrusted connection within the app.

You CAN set the downgraded SSL configuration for that site only though, so that might help limit the scope of vulnerability, if indeed you really NEED the app.

Thanks for updating this topic.

What I don't understand is this; maybe you can say it in a different way:
"You CAN set the downgraded SSL configuration for that site only though, so that might help limit the scope of vulnerability - if indeed you really NEED the app"

My apologies if I was not clear. Within an nginx site config (the one that proxy-passes to my seafile server) I was able to do the following:

ssl_ciphers EECDH+AESGCM:EDH+AESGCM:DHE-RSA-AES128-SHA;
ssl_stapling off;
ssl_stapling_verify off;

So only THAT site had to have the weaker cipher presented, not the server as a whole (i.e. not affecting other sites).

I then meant that it might be considered a security risk by even needing to utilize the app and maybe we should just use the mobile browsers instead.

OK, now I got you.

But I thought that old phones rely on the old cipher and that it's not a problem of the Seafile app, which, from my understanding, only uses the ciphers available in the OS.


Not sure how that'd be if the same phone can use Chrome or Opera and connect via TLS 1.3, which does not have the weaker cipher (only TLS 1.2 does).

Hmm good argument, what are you going to do now?

You could have a look into the code yourself and try to fix it, but it takes some programming skills to accomplish that.

By the way: my Honor 10 didn't have issues with this cipher not being included. But an older Honor 8 phone did. So this is an argument against yours...

I don’t understand this issue really…

Can confirm.

I'm not really into Android programming, but I personally only had this issue with old phones that only wanted to connect using TLS 1.0.

The funny thing was that only part of the Seafile API was accessed using TLS 1.0, and the phones could indeed speak TLS 1.2 but needed to use TLS 1.0 for some parts (maybe cert verification?).

I dropped support for TLS 1.0 and 1.1 anyway, LOL.

That solved it for me, thank you.

I am on Android 7.0 (Samsung Galaxy A5 2016), running Seafile behind a Traefik v2 reverse proxy.

Had to add TLS_DHE_RSA_WITH_AES_128_CBC_SHA to the cipher suites in the dynamic_conf.yml file.

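Whichever proxy sits in front of Seafile (the nginx server block above or the Traefik dynamic config here), the useful check after changing cipher suites, protocol versions or stapling is to see what the endpoint actually negotiates. The script below is an added example, not code from this thread or from the Seafile project: it drives openssl s_client and reduces its output to the four things the posts above toggle (negotiated protocol, negotiated cipher, whether an OCSP response was stapled, and the certificate verify result). The host name seafile.example.com in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the Seafile project: probe a TLS
# endpoint the way the posts above tune it, using openssl s_client.
# seafile.example.com below is a placeholder host name.

# Reduce s_client output to "protocol|cipher|stapling|verify-result",
# or "handshake-failed" when no cipher was negotiated (s_client then
# prints "Cipher    : 0000" or "(NONE)").
parse_s_client() {
    out=$1
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ''|0000|'(NONE)') printf 'handshake-failed\n'; return 0 ;;
    esac
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    # "-status" makes s_client print the stapled OCSP response, if any.
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        staple=stapled
    else
        staple=no-staple
    fi
    printf '%s|%s|%s|%s\n' "$proto" "$cipher" "$staple" "${verify:-unknown}"
}

# probe HOST PORT [s_client options...]: one handshake, summarised.
# -servername sets SNI so a multi-site proxy selects the right server
# block (the per-site scoping the nginx post relies on).
probe() {
    host=$1; port=$2; shift 2
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
              -servername "$host" -status "$@" 2>&1 || true)
    parse_s_client "$out"
}

# report HOST [PORT]: the handshakes this thread cares about.
report() {
    host=$1; port=${2:-443}
    printf 'TLS 1.0 only               : %s\n' "$(probe "$host" "$port" -tls1)"
    printf 'TLS 1.1 only               : %s\n' "$(probe "$host" "$port" -tls1_1)"
    printf 'TLS 1.2, DHE-RSA-AES128-SHA: %s\n' \
        "$(probe "$host" "$port" -tls1_2 -cipher DHE-RSA-AES128-SHA)"
    printf 'Client default             : %s\n' "$(probe "$host" "$port")"
}

# Usage: sh tlsprobe.sh seafile.example.com 443
if [ $# -gt 0 ]; then
    report "$@"
fi
```

A line reading handshake-failed for the TLS 1.0 and 1.1 rows and a negotiated cipher for the DHE-RSA-AES128-SHA row is the state the posts above end up in: the legacy protocols are off, the one legacy suite the old handset insists on is still offered, and only for the SNI name that routes to Seafile. Run it against a second site on the same proxy to confirm the weaker suite is not presented there.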