dax7
May 21, 2020, 10:01am
1
i cant post links. so i am attaching the issue in this pastebin.
pastebin[.]com[/]raw[/]d1m8iViF
fox
May 21, 2020, 10:23am
2
set your server to use whatever ciphers you want (as long as they are supported by android and/or okhttp3) and tt-rss app will use it.
dax7
May 21, 2020, 10:38am
3
these ciphers are recommended by mozilla observatory. But ttrss android app gives ssl error:
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
i have to use these ciphers for ttrss to work:
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
also i have to add TLSv1 for the app to work
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
could this be due to android 4.4. also i was asking can we integrate it in the app to use TLSv1.2 or higher.
fox
May 21, 2020, 11:09am
4
i’m not going to add some kind of app-specific ssl libraries to tt-rss.
if okhttp3 uses system ssl libraries you’re going to have to either limit your cipher-related imagination to what they provide or get a newer device.
Test your server with SSL Server Test (Powered by Qualys SSL Labs) to see what it says about compatibiliy with that ancient Android 4.4 (have you looked to see if LineageOS has support for the device? You could be on Android 10 if so …).
dax7
May 21, 2020, 11:25am
6
its custom rom. cyanogen mod. i dont think it is supported any where now. so there is no chance of flashing roms.
dax7
May 21, 2020, 11:28am
7
can you look at the solution provided in this issue:
opened 10:30PM - 25 Feb 16 UTC
closed 05:31PM - 20 Mar 16 UTC
android
Our lawyers and security consultants claim that for [PCI](https://en.wikipedia.o… rg/wiki/Payment_Card_Industry_Data_Security_Standard) compliance*, we must disable TLS 1.0 and 1.1 on our servers. For some confusing reason, Android has _supported_ TLS 1.2 [since API 16 (android 4.1) but enabled it by default only since API 20 (android "4.4W")](http://developer.android.com/reference/javax/net/ssl/SSLSocket.html).
With okhttp 2.6, we were able to force use of TLS 1.2 with:
``` java
OkHttpClient cli = new OkHttpClient();
SSLContext sc = SSLContext.getInstance("TLSv1.2");
sc.init(null, null, null);
cli.setSslSocketFactory(new Tls12SocketFactory(sc.getSocketFactory()));
ConnectionSpec cs = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.tlsVersions(TlsVersion.TLS_1_2)
.build();
cli.setConnectionSpecs(ImmutableList.of(cs));
```
where `Tls12SocketFactory` is [this](https://gist.github.com/mlc/549409f649251897ebef).
However, okhttp 3.1 uses some kind of reflection on internal implementation details of the `SSLSocketFactory`, so the above implementation [no longer works](https://gist.github.com/mlc/a0f43fa0b15a8f96244b). And, indeed, it's a bit silly to make callers write so much code anyway. Specifying `TLS_1_2` in the `ConnectionSpec` should be enough to get TLSv1.2 whenever it is supported.
As far as I can tell, the only reason why the custom socket factory is needed in the first place is that `ConnectionSpec.supportedSpec()` [calls `SSLSocket.getEnabledProtocols()`](https://github.com/square/okhttp/blob/parent-3.1.2/okhttp/src/main/java/okhttp3/ConnectionSpec.java#L145-L150) to learn the list of protocols supported by the system, so on Android 4._x_ where TLS 1.2 is supported but not enabled by default, OkHttp thinks 1.2 is not supported at all.
Sorry for this long bug report: I _think_ the fix is as simple as changing `getEnabledProtocols()` above to `getSupportedProtocols()` but wanted to submit this bug for discussion before making a PR with such a change, in case there is some affirmative reason why it's the other way now.
\* Originally I understood the PCI compliance deadline to be June 2016; however, it seems like it has since [been changed](http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls) to be June 2018. Regardless, OkHttp should support this change for users that want it.
It turns out one of my servers both gets an A+ grade and supports Android 4.4.2 with TLS v1.2. The apache2 config for this is:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384SSLHonorCipherOrder onSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
LineageOS is the followup/fork from when Cyanogen mod died.
dax7
May 21, 2020, 11:36am
10
Changing rom is not an option for me and my device doesn’t work when i disable TLSv1. I guess the device is just too old. Is there any possibility that native TLSv1.2 support is enabled in the ttrss android app ?
fox
May 21, 2020, 11:40am
11
i’m not going to add hacks on top of okhttp3 because of your ancient device running cyanogen.
however, realistically, nobody cares about you enough to MITM you anyway, let it go and use TLSv1 or whatever.
dax7
May 21, 2020, 11:42am
12
Thanks for your time dev. Your apps are great.