Tiny Tiny RSS: Community

Android app and tls1.3 enabled server

tt-rss is hosted on Apache/2.4.41. If TLS 1.3 is enabled, the Android app gives: Error I/O, handshake failed. If TLS 1.3 is disabled, everything is OK (TLS 1.2 is enabled in both cases).

The Android app has no separate SSL/TLS implementation; it uses HttpsURLConnection provided by your device.

If your device doesn’t support whatever protocol you are trying to use, there’s nothing I can do.

I have TLS 1.3 enabled on nginx and the Android app works with no issues.

Post your apache config (specifically SSL* directives) before and after enabling TLS 1.3.

Also, Android version and OpenSSL version?

You can use a site like Qualys SSL Labs. They have a free server test that runs through a bunch of protocol and cipher combinations and reports which devices (generally speaking) will work with your current configuration. It also reports several potential issues if it finds them (downgrade attacks, incomplete certificate chains, etc.).

Android version: 9
OpenSSL: 1.1.1d
SSL config:
SSLEngine on
SSLProtocol TLSv1.2 TLSv1.3
# SSLProtocol TLSv1.2
SSLUseStapling on
SSLCertificateFile ***_ECDSA_fullchain_latest.pem
SSLCertificateKeyFile ***_ECDSA_latest.key
SSLCertificateFile ***_RSA_fullchain_latest.pem
SSLCertificateKeyFile ***_RSA_latest.key

Problem solved. Changed: SSLProtocol **+**TLSv1.2 **+**TLSv1.3
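
One way to see why the `+` prefixes matter, as an added example that is not part of the original thread and is not mod_ssl's own code: the sketch below models the SSLProtocol argument handling under the assumption that a bare protocol name replaces whatever was set before it, while `+name` adds to the set and `-name` removes from it. The helper names `effective_protocols` and `negotiable` and the client version set are constructed for illustration.

```python
# Added example: simplified model of mod_ssl's SSLProtocol parsing.
# Assumption: a bare protocol name replaces the set built so far,
# while +name adds to it and -name removes from it.

# "all" is build-dependent in practice; here it means every name listed.
VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_BY_LOWER = {v.lower(): v for v in VERSIONS}


def effective_protocols(directive):
    """Return (enabled protocols, warnings) for one SSLProtocol line."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled, warnings = set(), []
    for word in words[1:]:
        action = word[0] if word[0] in "+-" else ""
        name = word[len(action):].lower()
        if name == "all":
            selected = set(VERSIONS)
        elif name in _BY_LOWER:
            selected = {_BY_LOWER[name]}
        else:
            raise ValueError("unknown protocol: %r" % word)
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:
            if enabled:
                warnings.append("%s overrides earlier protocols; "
                                "missing +/- prefix?" % word)
            enabled = selected
    return enabled, warnings


def negotiable(directive, client_versions):
    """Protocols both the server line and the client would accept."""
    enabled, _ = effective_protocols(directive)
    return enabled & set(client_versions)


if __name__ == "__main__":
    client = {"TLSv1", "TLSv1.1", "TLSv1.2"}  # constructed: no TLS 1.3
    for line in ("SSLProtocol TLSv1.2 TLSv1.3",
                 "SSLProtocol +TLSv1.2 +TLSv1.3",
                 "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"):
        enabled, warns = effective_protocols(line)
        print(line, "->", sorted(enabled), sorted(negotiable(line, client)), warns)
```

Under this model the unprefixed line leaves only TLSv1.3 enabled, so a client that stops at TLS 1.2 has no protocol in common with the server; the Qualys SSL Labs test mentioned earlier in the thread reports which versions a live server actually offers.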