Support modern TLS ciphers.



  • I had a very confusing error. When I tried to add an account, all I got was “could not verify host name”. And the logs said nothing more than “Using documented SNI with host name …” and then nothing. Which of course was utterly useless, since the certificates were perfectly fine.
    That in itself is already an error, IMHO…

    I had to use wireshark to dump the traffic. In there, I noticed that DAVdroid’s SSL Client Hello only offered a rather sorry set of ciphers. No GCM, only SHA1, and RC4 and even 3DES still enabled. Completely insecure and outdated.
The best cipher in there was on an SSL3 level. ECDHE-RSA-AES256-SHA. (Which uses CBC.)

    The thing is, that I banned everything below

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

    and only have the AES128 ones in there “because” Firefox still fails to support GCM with SHA384, according to the devs.
    And not having curve25519, chacha20 with poly1305 and umac-etm is already bad enough from a security standpoint…

    When I added the above poor cipher to my apache cipher suite, everything worked.

    So now I had to wrap everything into a VPN, just to delude myself into having some security. ;)

    Conclusion: Could you please update the used cipher suite? Thanks. :)


  • developer

    DAVdroid doesn't set ciphers, so I guess android.net.SSLCertificateSocketFactory does.

    So, please:

    1. Check whether there's a corresponding AOSP bug already and its status.
2. Can you please provide a set of preferred ciphers?
    3. Do you know whether these ciphers will be available on all Android devices?

Personally, I think it's quite annoying that I have to care about ciphers for simply using an HTTPS client, but I guess that's the Android way.



  • Yes, I already expected that it may not be DAVdroid. It’s weird though, since CyanogenMod11’s browser accepted the better ciphers fine. It may be that Apache HTTPsomething library…

    Well, in cipher priority, it would be enough if it simply used the TLS 1.2 cipher suite for now. So e.g. the output of openssl ciphers -v for the latest OpenSSL. :)
    (Well, if you remove all the bad old stuff like RC4, RC2, 3DES, SHA1, MD5 and insecure key exchanges like DH without E*, EC* or *E or partial ciphers… you end up with my above list plus the ECDSA-signing ones again. :)

    This is what DAVdroid currently uses:

    TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    TLS_RSA_WITH_RC4_128_SHA (0x0005)
    TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
    TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    TLS_RSA_WITH_DES_CBC_SHA (0x0009)
    TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
    TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
    

    If that is ordered by preference, then it’s bordering on insanity. ^^


  • developer

    Note: I don't think that's ordered by preference, because on my device, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA is used by default.

    There's another thing: By default, Android uses only TLS 1.0 and not 1.2. I have enabled TLS 1.2 using ssl.setEnabledProtocols(ssl.getSupportedProtocols());. Maybe this only enables the newer TLS protocol, but not related ciphers. I'll have a look.


  • developer

    On my Android 4.1 test device, these ciphers are enabled by default/available:

    Enabled ciphers:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    
    
    Supported ciphers:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    SSL_RSA_WITH_NULL_MD5
    SSL_RSA_WITH_NULL_SHA
    TLS_ECDH_ECDSA_WITH_NULL_SHA
    TLS_ECDH_RSA_WITH_NULL_SHA
    TLS_ECDHE_ECDSA_WITH_NULL_SHA
    TLS_ECDHE_RSA_WITH_NULL_SHA
    SSL_DH_anon_WITH_RC4_128_MD5
    TLS_DH_anon_WITH_AES_128_CBC_SHA
    TLS_DH_anon_WITH_AES_256_CBC_SHA
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    SSL_DH_anon_WITH_DES_CBC_SHA
    TLS_ECDH_anon_WITH_RC4_128_SHA
    TLS_ECDH_anon_WITH_AES_128_CBC_SHA
    TLS_ECDH_anon_WITH_AES_256_CBC_SHA
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    TLS_ECDH_anon_WITH_NULL_SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    

    On older/newer Android versions, other ciphers may be available.

    Can you suggest how to select ciphers to specifically enable/disable them?

    1. Ideally, Android (SSLSocketFactory) would pre-select optimum values.
2. DAVdroid should remove insecure ciphers.
    3. DAVdroid could add more secure ciphers.
    4. However, it's not a good idea to allow all supported ciphers because that might allow insecure renegotiation, NULL ciphers etc.
    5. How shall this list of ciphers be updated? Again, ideally this would be Android's task. Maybe recent Android versions provide reasonable default values? In this case, manual cipher selection would only be required for intermediate Android versions (thus making updates of the list unnecessary).

  • developer


  • developer

    And SSLv3 should be disabled, too.


  • developer

    http://developer.android.com/about/versions/android-5.0-changes.html#ssl

    Should be fixed with Android 5.0, thus existing workaround code should be conditional.
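The following is an added example, not DAVdroid's code, showing one way to put the points from this thread together: enable the TLS protocols the device supports while dropping SSLv3 (the `setEnabledProtocols` approach mentioned above), replace the platform's default cipher list with a preference-ordered allow-list of forward-secret AES suites that is intersected with what the device actually supports, refuse NULL/anon/EXPORT/RC4/DES/MD5 suites outright, and apply all of it only on Android versions before 5.0 so the workaround is conditional as the last post suggests. The class name `HardenedSSLSocketFactory`, the `wrap` entry point, the contents of the allow-list and the marker list are assumptions made for this example; the suite names themselves are the standard JSSE names (the CBC ones appear in the 4.1 lists above).

```java
import android.os.Build;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical wrapper (example, not DAVdroid code). On Android < 5.0 it restricts every
 * socket handed out by the platform factory to TLS-only protocols and to a preference-ordered
 * allow-list of forward-secret AES suites; on 5.0+ the platform factory is used untouched.
 */
public class HardenedSSLSocketFactory extends SSLSocketFactory {

    /** Assumed allow-list in preference order; only entries the device supports are enabled. */
    static final String[] PREFERRED_CIPHERS = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        // CBC fallback: the strongest suites the Android 4.1 device in the thread offers.
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    };

    /** A suite containing any of these substrings is never enabled, even if someone adds it above. */
    static final String[] FORBIDDEN_MARKERS = { "NULL", "anon", "EXPORT", "RC4", "DES", "MD5" };

    private final SSLSocketFactory delegate;

    private HardenedSSLSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** The workaround is conditional: Android 5.0+ ships usable defaults, so pass the factory through. */
    public static SSLSocketFactory wrap(SSLSocketFactory base) {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP ? base : new HardenedSSLSocketFactory(base);
    }

    /** Intersects the allow-list with the device's supported suites, keeping allow-list order. */
    static String[] selectCiphers(String[] supported) {
        Set<String> available = new HashSet<String>(Arrays.asList(supported));
        List<String> chosen = new ArrayList<String>();
        for (String suite : PREFERRED_CIPHERS)
            if (available.contains(suite) && !isForbidden(suite))
                chosen.add(suite);
        return chosen.toArray(new String[0]);
    }

    static boolean isForbidden(String suite) {
        for (String marker : FORBIDDEN_MARKERS)
            if (suite.contains(marker)) return true;
        return false;
    }

    /** Keeps TLSv1, TLSv1.1 and TLSv1.2 (whatever the device reports); drops SSLv3 and SSLv2Hello. */
    static String[] selectProtocols(String[] supported) {
        List<String> chosen = new ArrayList<String>();
        for (String proto : supported)
            if (proto.startsWith("TLSv1")) chosen.add(proto);
        return chosen.toArray(new String[0]);
    }

    /** Applies the protocol and cipher selection; fails closed if nothing acceptable is supported. */
    private Socket harden(Socket socket) throws IOException {
        if (socket instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) socket;
            String[] ciphers = selectCiphers(ssl.getSupportedCipherSuites());
            if (ciphers.length == 0) {
                socket.close();
                throw new IOException("device supports none of the acceptable cipher suites");
            }
            ssl.setEnabledProtocols(selectProtocols(ssl.getSupportedProtocols()));
            ssl.setEnabledCipherSuites(ciphers);
        }
        return socket;
    }

    @Override public String[] getDefaultCipherSuites() { return selectCiphers(delegate.getSupportedCipherSuites()); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return harden(delegate.createSocket(address, port, localAddress, localPort));
    }
}
```

Usage would be `HardenedSSLSocketFactory.wrap((SSLSocketFactory) SSLSocketFactory.getDefault())` handed to whatever HTTP client DAVdroid uses. Two design points: the selection is an allow-list intersected with `getSupportedCipherSuites()`, so a device that lacks GCM simply negotiates the best CBC suite it has rather than failing, while a device that supports none of the listed suites fails closed instead of silently falling back to RC4 or 3DES; and the marker check guards the allow-list against a later careless edit, which is the "insecure renegotiation, NULL ciphers etc." concern from the fourth point above. Enabling the GCM names on a device whose TLS stack does not implement them is harmless, because they are filtered out by the intersection.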

