Supported TLS ciphers?



  • I had a very confusing error. When I tried to add an account, all I got was “could not verify host name”. And the logs said nothing more than “Using documented SNI with host name …” and then nothing. Which of course was utterly useless, since the certificates were perfectly fine.
    That in itself is already an error, IMHO…

    I had to use Wireshark to dump the traffic. In there, I noticed that DAVdroid's SSL Client Hello only offered a rather sorry set of ciphers. No GCM, only SHA1, and RC4 and even 3DES still enabled. Completely insecure and outdated.
    The best cipher in there was on an SSL3 level: ECDHE-RSA-AES256-SHA. (Which uses CBC.)

    The thing is, that I banned everything below

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

    and only have the AES128 ones in there “because” Firefox still fails to support GCM with SHA384, according to the devs.
    And not having curve25519, chacha20 with poly1305 and umac-etm is already bad enough from a security standpoint…

    When I added the above poor cipher to my Apache cipher suite, everything worked.

    So now I had to wrap everything into a VPN, just to delude myself into having some security. 😉

    Conclusion: Could you please update the used cipher suite? Thanks. 🙂


  • developer

    DAVdroid doesn't set ciphers, so I guess android.net.SSLCertificateSocketFactory does.

    So, please:

    1. Check whether there's a corresponding AOSP bug already and its status.
    2. Can you please provide a set of preferred ciphers?
    3. Do you know whether these ciphers will be available on all Android devices?

    Personally, I think it's quite annoying that I have to care about ciphers for simply using an HTTPS client, but I guess that's the Android way.



  • Yes, I already expected that it may not be DAVdroid. It’s weird though, since CyanogenMod11’s browser accepted the better ciphers fine. It may be that Apache HTTPsomething library…

    Well, in cipher priority, it would be enough if it simply used the TLS 1.2 cipher suite for now. So e.g. the output of openssl ciphers -v for the latest OpenSSL. 🙂
    (Well, if you remove all the bad old stuff like RC4, RC2, 3DES, SHA1, MD5 and insecure key exchanges like DH without E*, EC* or *E or partial ciphers… you end up with my above list plus the ECDSA-signing ones again. 🙂)

    This is what DAVdroid currently uses:

    TLS_RSA_WITH_RC4_128_MD5 (0x0004)
    TLS_RSA_WITH_RC4_128_SHA (0x0005)
    TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
    TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
    TLS_RSA_WITH_DES_CBC_SHA (0x0009)
    TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
    TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
    

    If that is ordered by preference, then it’s bordering on insanity. ^^


  • developer

    Note: I don't think that's ordered by preference, because on my device, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA is used by default.

    There's another thing: By default, Android uses only TLS 1.0 and not 1.2. I have enabled TLS 1.2 using ssl.setEnabledProtocols(ssl.getSupportedProtocols());. Maybe this only enables the newer TLS protocol, but not related ciphers. I'll have a look.


  • developer

    On my Android 4.1 test device, these ciphers are enabled by default/available:

    Enabled ciphers:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    
    
    Supported ciphers:
    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_DES_CBC_SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    SSL_RSA_WITH_NULL_MD5
    SSL_RSA_WITH_NULL_SHA
    TLS_ECDH_ECDSA_WITH_NULL_SHA
    TLS_ECDH_RSA_WITH_NULL_SHA
    TLS_ECDHE_ECDSA_WITH_NULL_SHA
    TLS_ECDHE_RSA_WITH_NULL_SHA
    SSL_DH_anon_WITH_RC4_128_MD5
    TLS_DH_anon_WITH_AES_128_CBC_SHA
    TLS_DH_anon_WITH_AES_256_CBC_SHA
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
    SSL_DH_anon_WITH_DES_CBC_SHA
    TLS_ECDH_anon_WITH_RC4_128_SHA
    TLS_ECDH_anon_WITH_AES_128_CBC_SHA
    TLS_ECDH_anon_WITH_AES_256_CBC_SHA
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    TLS_ECDH_anon_WITH_NULL_SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    

    On older/newer Android versions, other ciphers may be available.

    Can you suggest how to select ciphers to specifically enable/disable them?

    1. Ideally, Android (SSLSocketFactory) would pre-select optimum values.
    2. DAVdroid should remove insecure ciphers.
    3. DAVdroid could add more secure ciphers.
    4. However, it's not a good idea to allow all supported ciphers because that might allow insecure renegotiation, NULL ciphers etc.
    5. How shall this list of ciphers be updated? Again, ideally this would be Android's task. Maybe recent Android versions provide reasonable default values? In this case, manual cipher selection would only be required for intermediate Android versions (thus making updates of the list unnecessary).
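
One way to answer the question above, as an added example that is not DAVdroid's code: filter whatever the platform reports as supported instead of hard-coding a list, so the result adapts to each Android version. The class and method names are hypothetical; only standard `javax.net.ssl` calls are used, and the ranking (forward secrecy first, then AEAD modes) is an assumed policy.

```java
import java.util.*;
import javax.net.ssl.*;

public class CipherPolicy {
    // Name fragments that rule a suite out: no encryption, no server authentication,
    // export-grade keys, RC4, DES/3DES, MD5-based MACs.
    static final String[] REJECT =
        { "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_DES40_", "_3DES_", "_MD5" };

    static boolean acceptable(String suite) {
        if (suite.endsWith("_SCSV")) return true; // renegotiation signal, not a cipher: keep it
        for (String bad : REJECT) if (suite.contains(bad)) return false;
        return true;
    }

    // Higher is better: ephemeral key exchange (forward secrecy) first, then AEAD modes.
    static int score(String suite) {
        int s = 0;
        if (suite.contains("_ECDHE_") || suite.contains("_DHE_")) s += 2;
        if (suite.contains("_GCM_") || suite.contains("CHACHA20")) s += 1;
        return s;
    }

    // Keep only acceptable suites the platform supports, best first; ties keep platform order.
    static String[] selectSuites(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (int want = 3; want >= 0; want--)
            for (String s : supported)
                if (acceptable(s) && score(s) == want) keep.add(s);
        return keep.toArray(new String[0]);
    }

    static String[] selectProtocols(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String p : supported) if (!p.startsWith("SSL")) keep.add(p); // drops SSLv3, SSLv2Hello
        return keep.toArray(new String[0]);
    }

    // Apply to a socket before the handshake starts.
    static void harden(SSLSocket socket) {
        socket.setEnabledCipherSuites(selectSuites(socket.getSupportedCipherSuites()));
        socket.setEnabledProtocols(selectProtocols(socket.getSupportedProtocols()));
    }

    public static void main(String[] args) throws Exception {
        SSLParameters p = SSLContext.getDefault().getSupportedSSLParameters();
        for (String s : selectSuites(p.getCipherSuites())) System.out.println(s);
        for (String s : selectProtocols(p.getProtocols())) System.out.println(s);
    }
}
```

Run against the Android 4.1 "Supported ciphers" list in this post, the filter leaves only the AES-CBC suites plus the SCSV marker, with the ECDHE and DHE variants ranked first.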

  • developer


  • developer

    And SSLv3 should be disabled, too.


  • developer

    http://developer.android.com/about/versions/android-5.0-changes.html#ssl

    Should be fixed with Android 5.0, thus existing workaround code should be conditional.



  • Hello,

    I know this topic is really old, but I'm using Android 7 and I still use a weak cipher, AES128-GCM-SHA256. So I wanna know if you will do something to use a correct cipher in DAVdroid? I dunno why there have been no updates on this problem for 4 years; maybe I need to do something on my phone?

    Thank you very much !


  • developer

    @jujubickoille Hello,

    Is there an actual problem? DAVdroid uses the Android crypto-provider, so you will have exactly those ciphers available which are supported by your system.



  • Thank you for your quick reply !

    Yes, my DAVdroid cannot use anything stronger than the AES128-GCM-SHA256 cipher:

    000.000.000.000 - User [24/Jul/2018:20:35:01 +0200] TLSv1.2/AES128-GCM-SHA256 "PROPFIND /remote.php/dav/calendars/User /Calendar/ HTTP/2.0" 207 1469 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"
    

    I'm using:
    Samsung J6
    Asus Zenfone 2

    With the same server and the same Nextcloud instance, I have no cipher troubles with the Nextcloud app (or other apps in general):

    000.000.000.000 - User [26/Jul/2018:10:38:41 +0200] TLSv1.2/DHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/webdav/file.ext HTTP/1.1" 207 835 "-" "Mozilla/5.0 (Android) ownCloud-android/3.2.1"
    

    Here is my nginx configuration, nothing special, just ugly ciphers at the end of ssl_ciphers 😕

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    

    I hope to be able to remove the AES128 ciphers to keep a strong crypto configuration.

    Maybe I need to do something on my DAVdroid? Do you have EC with your DAVdroid?

    Thank you !


  • developer

    @jujubickoille On Android 7, DAVdroid does not change the available ciphers. It just uses what's available by Android.



  • I dunno what DAVdroid changes or doesn't, but with DAVdroid I cannot get anything stronger than a poor AES128. Cf. my nginx configuration and my logs.

    It's the same with my wife's smartphone, and I have no problem with other apps (Nextcloud app, Chrome, Samsung web browser...) on these phones or with other devices (when I access my calendar from my computer using the Nextcloud Calendar app).

    So, for me, the problem can only come from DAVdroid, because only DAVdroid uses this cipher (and if I remove it from my nginx conf, I get an SSL error when I sync with DAVdroid).

    How can I give you some constructive information? Would a debug file with and without AES enabled in nginx be interesting for you?

    Thank you !


  • developer

    @jujubickoille Can you provide a test account which works with other Android 7 apps, but doesn't work with DAVdroid?



  • Hi all,

    I can confirm I have the same issue using DAVdroid with the latest version of Nextcloud hosted by nginx. If I keep this weak AES128 cipher, DAVdroid can synchronise properly.

    But if I remove it and keep strong encryption, DAVdroid will flood my phone with SSL handshake failure notifications.

    I'm using a Galaxy S6 with Android 7.

    I have no difficulties with other apps, with or without AES128.

    I will post my nginx SSL configuration and some screenshots of the DAVdroid error on my phone later.


  • developer

    @ap0p0 Screenshots won't be of any use. Even debug info and logs probably won't be helpful, because they will just say that there are incompatible ciphers.

    Can you provide a test account that works with the NC app on Android 7, but does not work with DAVdroid on Android 7?



  • I prefer not to have my Nextcloud unsynced with DAVdroid clients.

    But if you can set up your own nginx web server with an SSL configuration like the one below, you should be able to reproduce the issue:
    ssl on;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_dhparam xxxxxxxxxxxxx;
    ssl_ecdh_curve secp384r1;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    ssl_certificate_key xxxxx;
    ssl_certificate xxxxxx;
    ssl_trusted_certificate xxxxxx;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver_timeout 3s;


  • developer



  • Thank you for your quick answer. I added this, removed the AES128 cipher, restarted nginx and did a CalDAV/CardDAV sync. No SSL failure on my phone, so I can confirm it's OK with strong crypto!!

    Thanks! 🙂



  • @rfc2822 I've added the prime256v1 curve in my nginx, removed the weak cipher, and it works too!

    Thank you very much, now I use TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384, so it's really great =))

    I didn't see these topics, I'm sorry, but I think it will be helpful!

    Many thanks, rfc2822!