Android Client cannot verify letsencrypt certificate

Hello all,

I have my seafile server running now since a couple of months. I used certbot to integrate a letsencrypt certificate. It works fine in LAN and WAN on multiple devices. Yet I have one Android Phone in the field that suddenly got a certificate issue. It says not trusted connection and cannot verify the issuer, the fingerprint and timestamp at all. I’ve tried clearing cache and data, reinstalling, LTE vs Wlan, checked AV settings with other devices that work and also imported the certificate manually. The user has no issue with her other devices (windows and iOS)
Her security settings on her Android are also the same as mine. I don’t know what to do anymore and need assistance. Since all other devices work fine I’m sure it’s a issue on that phone. Any ideas?
Kind regards
Michael

Does other Let’s Encrypt sites work? (Like seafile.com) Otherwise try to renew the Cert and Chrome.

The User can use Firefox and Chrome on that device and goto the Server-URL without any issues. Its only the Seafile App on that Android that is having this issue

Have tried a older/newer version?

its the Version installed from the Playstore yesterday 2.11 somthing.

Try an older version: https://github.com/haiwen/seadroid/releases

I tested:

Seafile-2.2.10
Seafile-2.2.9
Seafile-2.2.8

no difference

Importing Certs doesn’t work for the android client for a long time now. Which Android Version. Is there a old “shitty” internal browser and if yes does it accept the cert?

It’s a Android 8.1 device and it’s up2date from an app perspective

Okay so I finally got this solved:

I needed to add: DHE-RSA-AES128-SHA for this Android device to work. (its a honor 8) not so old but still seams to rely on that cipher.

just wanted to let you know

2 Likes

I confirm this is STILL an issue.

I had recently ‘tightened up’ my SSL security on my public facing nginx server that proxies to my personal Seafile server. Got an A+ rating on ssllabs. Now I have to add that old cipher back in to get the app to work, which SSL Labs declares as ‘WEAK’.

When will the app be updated to not rely on old ciphers?

Edit: I ALSO had to remove the nginx config lines for ssl_stapling. Even with this, while I can get the app to access the files once more I still get an error about an untrusted connection within the app.

You CAN set the downgraded SSL configuration for that site only though, so that might help limit the scope of vulnerability - if indeed you really NEED the app

Thanks for updating this topic.

What I don’t understand is this here maybe you can say it in a different way:
You CAN set the downgraded SSL configuration for that site only though, so that might help limit the scope of vulnerability - if indeed you really NEED the app

My apologies if I was not clear. Within an nginx site config (the one that proxy-passes to my seafile server) I was able to do the following:

ssl_ciphers EECDH+AESGCM:EDH+AESGCM:DHE-RSA-AES128-SHA;
ssl_stapling off;
ssl_stapling_verify off;

So only THAT site had to have the weaker cipher presented, not the server as a whole (i.e. not affecting other sites)

I then meant that it might be considered a security risk by even needing to utilize the app and maybe we should just use the mobile browsers instead.

Ok now I got you.

But I thought that old phone rely on the old cypher and that it’s not a problem of the seafile app. What from my understanding only uses the OS available cyphers

1 Like

Not sure how that’d be if the same phone can use Chrome or Opera and connect via TLS1.3 which does not have the weaker cipher (only TLS 1.2)

Hmm good argument, what are you going to do now?

You could have a look into the code you’re self and try to fix it, but it takes some programming skills to accomplish that

By the way: my honor 10 didn’t have issues with this cypher not been included. But an older Honor 8 phone did. So this an argument against yours…

I don’t understand this issue really…

Can confirm.

Im not really into android programming but i personally only had this issue with old phones that only wanted to connect using TLS1.0.

The funny thing was that only part of the seafile api was accessed using TLS1.0 and the phones could indeed speak TLS1.2 but need to use TLS1.0 for some parts (maybe cert verificiation?)

I dropped support for TLS1.0 and 1.1 anyway LOL.