Supported TLS ciphers?
AutoImport-Evi1M4chine last edited by rfc2822
I had a very confusing error. When I tried to add an account, all I got was “could not verify host name”. And the logs said nothing more than “Using documented SNI with host name …” and then nothing. Which of course was utterly useless, since the certificates were perfectly fine.
That in itself is already an error, IMHO…
I had to use Wireshark to dump the traffic. In there, I noticed that DAVdroid’s SSL Client Hello only offered a rather sorry set of ciphers. No
3DES still enabled. Completely insecure and outdated.
The best cipher in there was on a SSL3 level.
ECDHE-RSA-AES256-SHA. (Which uses
The thing is, that I banned everything below
and only have the
AES128 ones in there “because” Firefox still fails to support
SHA384, according to the devs.
And not having
umac-etm is already bad enough from a security standpoint…
When I added the above poor cipher to my apache cipher suite, everything worked.
So now I had to wrap everything into a VPN, just to delude myself into having some security.
Conclusion: Could you please update the used cipher suite? Thanks.
DAVdroid doesn't set ciphers, so I guess
- Check whether there's a corresponding AOSP bug already and its status.
- Can you please provide a set of preferred ciphers?
- Do you know whether these ciphers will be available on all Android devices?
Personally, I think it's quite annoying that I have to care about ciphers for simply using an HTTPS client, but I guess that's the Android way.
AutoImport-Evi1M4chine last edited by
Yes, I already expected that it may not be DAVdroid. It’s weird though, since CyanogenMod11’s browser accepted the better ciphers fine. It may be that Apache HTTPsomething library…
Well, in cipher priority, it would be enough if it simply used the TLS 1.2 cipher suite for now. So e.g. the output of openssl ciphers -v for the latest OpenSSL.
(Well, if you remove all the bad old stuff like MD5 and insecure key exchanges like *E or partial ciphers… you end up with my above list plus the ECDSA-signing ones again.)
This is what DAVdroid currently uses:
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
TLS_RSA_WITH_DES_CBC_SHA (0x0009)
TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
If that is ordered by preference, then it’s bordering on insanity. ^^
Note: I don't think that's ordered by preference, because on my device, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA is used by default.
There's another thing: By default, Android uses only TLS 1.0 and not 1.2. I have enabled TLS 1.2 using ssl.setEnabledProtocols(ssl.getSupportedProtocols()); Maybe this only enables the newer TLS protocol, but not related ciphers. I'll have a look.
On my Android 4.1 test device, these ciphers are enabled by default/available:
Enabled ciphers:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Supported ciphers:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
TLS_ECDH_ECDSA_WITH_NULL_SHA
TLS_ECDH_RSA_WITH_NULL_SHA
TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_ECDH_anon_WITH_NULL_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
On older/newer Android versions, other ciphers may be available.
Can you suggest how to select ciphers to specifically enable/disable them?
- Ideally, Android (SSLSocketFactory) would pre-select optimum values.
- DAVdroid should remove insecure ciphers.
- DAVdroid could add more secure ciphers.
- However, it's not a good idea to allow all supported ciphers because that might allow insecure renegotiation, NULL ciphers etc.
- How shall this list of ciphers be updated? Again, ideally this would be Android's task. Maybe recent Android versions provide reasonable default values? In this case, manual cipher selection would only be required for intermediate Android versions (thus making updates of the list unnecessary).
Maybe interesting reading: http://stackoverflow.com/questions/18523784/ssl-tls-protocols-and-cipher-suites-with-the-androidhttpclient
And SSLv3 should be disabled, too.
Should be fixed with Android 5.0, thus existing workaround code should be conditional.
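One way to do the selection discussed in the posts above, as an added example that is not DAVdroid's code: start from what the platform supports, drop every suite whose name marks it as NULL, anonymous, export-grade, RC4, DES/3DES or MD5, put the (EC)DHE suites first, and leave the SSL protocols disabled. The class and method names (CipherFilter, select, harden) are hypothetical; on Android the call to harden would be made only on versions before 5.0, as suggested above.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; CipherFilter, select and harden are hypothetical names.
public class CipherFilter {
    // Name fragments of suites that must never be enabled: no encryption,
    // no server authentication, export-grade keys, or obsolete primitives.
    private static final String[] BANNED = {
        "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5"
    };

    static boolean isBanned(String suite) {
        for (String fragment : BANNED)
            if (suite.contains(fragment)) return true;
        return false;
    }

    // Keep only supported suites without a banned fragment, (EC)DHE suites first.
    static String[] select(String[] supported) {
        List<String> forwardSecret = new ArrayList<>();
        List<String> rest = new ArrayList<>();
        for (String suite : supported) {
            if (isBanned(suite)) continue;
            if (suite.contains("_ECDHE_") || suite.contains("_DHE_")) forwardSecret.add(suite);
            else rest.add(suite); // includes TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        }
        forwardSecret.addAll(rest);
        return forwardSecret.toArray(new String[0]);
    }

    // Enable every supported TLS version but no SSL one, then apply the filtered suites.
    static void harden(SSLSocket ssl) {
        List<String> protocols = new ArrayList<>();
        for (String p : ssl.getSupportedProtocols())
            if (!p.startsWith("SSL")) protocols.add(p); // drops SSLv3
        ssl.setEnabledProtocols(protocols.toArray(new String[0]));
        ssl.setEnabledCipherSuites(select(ssl.getSupportedCipherSuites()));
    }

    public static void main(String[] args) throws Exception {
        // Unconnected socket: nothing is sent, only the configuration is inspected.
        SSLSocket ssl = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        harden(ssl);
        for (String s : ssl.getEnabledCipherSuites()) System.out.println(s);
    }
}
```

Applied to the Android 4.1 "Supported ciphers" list above, select keeps only the AES-CBC suites plus TLS_EMPTY_RENEGOTIATION_INFO_SCSV, with the ECDHE and DHE ones at the front.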
I know this topic is really old, but I'm using Android 7 and I still use a weak cipher, AES128-GCM-SHA256. So I wanna know if you will do something to use a correct cipher on DAVdroid? I dunno why there have been no updates on this problem for 4 years, maybe I need to do something on my phone?
Thank you very much!
Is there an actual problem? DAVdroid uses the Android crypto-provider, so you will have exactly those ciphers available which are supported by your system.
Thank you for your quick reply!
Yes, my DAVdroid cannot use anything stronger than the AES128-GCM-SHA256 cipher:
000.000.000.000 - User [24/Jul/2018:20:35:01 +0200] TLSv1.2/AES128-GCM-SHA256 "PROPFIND /remote.php/dav/calendars/User /Calendar/ HTTP/2.0" 207 1469 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"
Asus Zenfone 2
With the same server and the same Nextcloud instance, I have no cipher troubles with the Nextcloud app (or other apps in general):
000.000.000.000 - User [26/Jul/2018:10:38:41 +0200] TLSv1.2/DHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/webdav/file.ext HTTP/1.1" 207 835 "-" "Mozilla/5.0 (Android) ownCloud-android/3.2.1"
Here is my nginx configuration, nothing special, just ugly ciphers at the end of ssl_ciphers:
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
I hope to be able to remove the AES128 ciphers to keep a strong crypto configuration.
Maybe I need to do something on my DAVdroid? Do you have EC with your DAVdroid?
Thank you!
@jujubickoille On Android 7, DAVdroid does not change the available ciphers. It just uses what's available by Android.
I dunno what DAVdroid changes or doesn't, but with DAVdroid I cannot have anything stronger than a poor AES128. Cf. my nginx configuration and my logs.
It's the same with my wife's smartphone, and I have no problem with other apps (Nextcloud app, Chrome, Samsung web browser...) on these phones or with other devices (when I access my calendar from my computer using the Nextcloud Calendar app).
So, for me, the problem can only be from DAVdroid, because only DAVdroid uses this cipher (and if I remove it from my nginx conf, I get an SSL error when I sync my DAVdroid).
How can I give you some constructive information? Would a debug file with and without AES enabled in nginx be interesting for you?
Thank you!
@jujubickoille Can you provide a test account which works with other Android 7 apps, but doesn't work with DAVdroid?
I can confirm I have the same issue using DAVdroid with the latest version of Nextcloud hosted by nginx. If I keep this weak AES128 cipher, DAVdroid can synchronise properly.
But if I remove it and keep strong encryption, DAVdroid will flood my phone with SSL handshake failure notifications.
I'm using a Galaxy S6 with Android 7.
I have no difficulties with other apps, with or without AES128.
I will post my nginx SSL configuration and some screenshots of the DAVdroid error on my phone later.
@ap0p0 Screenshots won't be of any use. Even debug info and logs probably won't be helpful, because they will just say that there are incompatible ciphers.
Can you provide a test account that works with the NC app on Android 7, but does not work with DAVdroid on Android 7?
I prefer not to have my Nextcloud unsynced with DAVdroid clients.
But if you set up your own nginx web server with an SSL configuration like the one below, you should be able to reproduce the issue:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
Have you tried
as described here? https://forums.bitfire.at/post/8331
Thank you for your quick answer. I added this, removed the AES128 cipher, restarted nginx and did a CalDAV/CardDAV sync. No SSL failure on my phone, so I can confirm it's OK with strong crypto!!
@rfc2822 I've added the prime256v1 curve in my nginx, removed the weak cipher and it works too!
Thank you very much, now I use TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384, so it's really great =))
I didn't see these topics, I'm sorry, but I think it will be helpful!
Many thanks rfc2822!