Login issue with android app

Hello,

I am facing login errors with the Android app. I am running the server on CentOS with Apache FastCGI on an alternate SSL port. Also, I bought a public SHA2 cert which is working on all clients except the Android app. The security warning is displayed and it shows all cert properties as unknown. If I click continue anyway, it loops back to the cert warning every time.

Any help would be appreciated.

Thx.
Mcae

I have exactly the same problem, but using Nginx instead of Apache.
I searched this forum, but found no solution for me.

Seafile is working from all clients, except for Android (tested with different Samsung smartphones and tablets from Android 4.4.2 to the latest version).

SSLLABS check shows no problems (just incorrect chain order, but I think this should have no impact):

The security warning comes up, and when I choose YES to continue, the message appears again and again (LOOP).

The server has the following configuration:
Debian 7.11
Nginx 1.11.3
Seafile server 5.1.4, using Seahub with fast-cgi

Using the latest Seafile Client from PlayStore (2.1.3).

I hope somebody has found a solution, because we can’t get rid of Dropbox as long as the Seafile Client does not work on Android.

Below is the printscreen of the certificate error message.

Regards
Nina

Do you use a self-signed cert?
You may try a StartCom certificate for free.
I am using it and have no problem on Android.
Greets
Fabian

I mentioned in my post that I have a public cert. So no, it’s not self-signed. And it is from StartCom.
But what I did on apache, I restricted ssl version and cipher to make it more secure than default.

Hi Fabian,

we do not use a self-signed certificate.
We use an SSL certificate from GeoTrust (as you can see in the PDF Report from SSLLABS).

I did the same restriction as mcae, I restricted ssl protocols and ciphers to get an A+ rating at SSLLABS.

This is the related part of the “http” section of my nginx.conf:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+ECDHE:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;

Regards
Nina

Could be the same problem here. I also have restricted SSL protocols in order to gain a higher SSL Labs rating. The strange thing is that it worked before, so why shouldn’t it work with a newer OS? And I don’t get any error message, neither on the smartphone nor in the logs on the server.

Hello Jochen!

I also tried almost everything and still no success. I am running android 4.4.2 but on another smartphone with android 6 the login works! I have no idea, maybe the SSL / TLS implementation of specific vendors?

Mcae

Hi Mcae,

maybe.
But here Android 6 doesn’t work.

Jochen

You can give us a test account on the problematic server (to support@seafile.com). We can login and check in the next week.

Hi Daniel,

thank you very much for this offer! Login credentials should have been sent via seafile invitation to support@seafile.com.

Please let me know if you need ssh root access.

Thank you in advance and best regards,
Jochen

Hi Guys,

finally, for me I could solve the problem. It was related to the SSL config on Apache.

Obviously the SSL config was too strong for the android app, because it supports only TLS1.2.
I have changed the cipher in order to support all TLS back to TLS1. The working part looks like:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!EXP:!LOW:!MD5:!DSS:!SEED:!IDEA
SSLHonorCipherOrder on

MCae
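
One way to audit a cipher string against the kind of client discussed in this thread, as an added example that is not code from any poster: it uses Python's `ssl` module to expand an OpenSSL cipher string and list the suites a client without TLS 1.2 could still negotiate. The `STRICT` string is constructed for contrast, and the exact suite names depend on the local OpenSSL build.

```python
import ssl

# Working Apache cipher string from the post above (copied verbatim).
WORKING = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
           "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:"
           "!aNULL:!eNULL:!EXP:!LOW:!MD5:!DSS:!SEED:!IDEA")

# Constructed for contrast (not from the thread): an AEAD-only list.
STRICT = "ECDHE+AESGCM:!aNULL:!eNULL"

# Suites whose minimum protocol is one of these cannot be negotiated
# by a client that only speaks TLS 1.0 or TLS 1.1.
MODERN = {"TLSv1.2", "TLSv1.3"}


def expand(cipher_string):
    """Return the suites the local OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def legacy_suites(cipher_string):
    """Names of suites still usable by a client without TLS 1.2."""
    return [c["name"] for c in expand(cipher_string)
            if c["protocol"] not in MODERN]


def report(label, cipher_string):
    """One-line summary: total suites and how many serve older clients."""
    suites = expand(cipher_string)
    legacy = legacy_suites(cipher_string)
    verdict = "older clients can connect" if legacy else "TLS 1.2+ clients only"
    return "%s: %d suites, %d usable below TLS 1.2 (%s)" % (
        label, len(suites), len(legacy), verdict)


if __name__ == "__main__":
    print(report("working", WORKING))
    print(report("strict", STRICT))
    for name in legacy_suites(WORKING):
        print("  legacy:", name)
```

The cipher list is only half of the picture: the server's protocol setting (`SSLProtocol` in Apache, `ssl_protocols` in Nginx) must also allow the protocol version the client offers.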

Hi,

I am using this in my .conf

SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

works fine.