Supported TLS ciphers?
Maybe interesting reading: http://stackoverflow.com/questions/18523784/ssl-tls-protocols-and-cipher-suites-with-the-androidhttpclient
And SSLv3 should be disabled, too.
Should be fixed with Android 5.0, thus existing workaround code should be conditional.
I know this topic is really old, but I’m using Android 7 and I still use a weak cipher, AES128-GCM-SHA256. So I wanna know if you will do something to use a correct cipher on DAVdroid? I dunno why there have been no updates on this problem for 4 years; maybe I need to do something on my phone?
Thank you very much!
Is there an actual problem? DAVdroid uses the Android crypto-provider, so you will have exactly those ciphers available which are supported by your system.
Thank you for your quick reply!
Yes, my DAVdroid cannot use a cipher stronger than AES128-GCM-SHA256:
000.000.000.000 - User [24/Jul/2018:20:35:01 +0200] TLSv1.2/AES128-GCM-SHA256 "PROPFIND /remote.php/dav/calendars/User /Calendar/ HTTP/2.0" 207 1469 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"
Asus Zenfone 2
With the same server and the same Nextcloud instance, I have no cipher troubles with the Nextcloud app (or other apps in general):
000.000.000.000 - User [26/Jul/2018:10:38:41 +0200] TLSv1.2/DHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/webdav/file.ext HTTP/1.1" 207 835 "-" "Mozilla/5.0 (Android) ownCloud-android/3.2.1"
Here is my nginx configuration, nothing special, just ugly ciphers at the end of ssl_ciphers:
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
I hope to be able to remove the AES128 ciphers to keep a strong crypto configuration.
Maybe I need to do something on my DAVdroid? Do you have EC with your DAVdroid?
Thank you!
@jujubickoille On Android 7, DAVdroid does not change the available ciphers. It just uses what’s made available by Android.
I dunno what DAVdroid changes or doesn’t, but with DAVdroid I cannot have anything stronger than a poor AES128. Cf. my nginx configuration and my logs.
It’s the same with my wife’s smartphone, and I have no problem with other apps (Nextcloud app, Chrome, Samsung web browser…) on these phones or with other devices (when I access my calendar from my computer using the Nextcloud Calendar app).
So, for me, the problem can only come from DAVdroid, because only DAVdroid uses this cipher (and if I remove it from my nginx conf, I get an SSL error when I sync DAVdroid).
How can I give you some constructive information? Would a debug file with and without AES enabled in nginx be interesting for you?
Thank you!
@jujubickoille Can you provide a test account which works with other Android 7 apps, but doesn’t work with DAVdroid?
I can confirm I have the same issue using DavDroid with the latest version of Nextcloud hosted by nginx. If I keep this weak AES128 cipher, DavDroid can synchronise properly.
But if I remove it and keep strong encryption, DavDroid will flood my phone with SSL handshake failure notifications.
I’m using a Galaxy S6 with Android 7.
I have no difficulties with other apps, with or without AES128.
I will post my nginx SSL configuration and some screenshots of the DavDroid error on my phone later.
@ap0p0 Screenshots won’t be of any use. Even debug info and logs probably won’t be helpful, because they will just say that there are incompatible ciphers.
Can you provide a test account that works with the NC app on Android 7, but does not work with DAVdroid on Android 7?
I prefer not to have my Nextcloud unsynced with DAVdroid clients.
But if you can set up your own nginx web server with an SSL configuration like the one below, you should be able to reproduce the issue:
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
Have you tried
as described here? https://forums.bitfire.at/post/8331
Thank you for your quick answer. I added this, removed the AES128 cipher, restarted nginx and did a CalDAV/CardDAV sync. No SSL failure on my phone, so I can confirm it’s OK with strong crypto!!
@rfc2822 I’ve added the prime256v1 curve to my nginx, removed the weak cipher, and it works too!
Thank you very much, now I use TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384, so it’s really great =))
I didn’t see these topics, I’m sorry, but I think it will be helpful!
Many thanks, rfc2822!
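
Added example, not part of the thread and not DAVdroid or nginx code: before removing AES128-GCM-SHA256 from ssl_ciphers, a server operator can scan the access log, in the layout quoted in the posts above, for clients that only negotiated a suite without (EC)DHE key exchange. The sample log lines, user names, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the access-log layout quoted in the thread:
# client - user [time] protocol/cipher "request" status bytes "referer" "agent"
SAMPLE_LOG = '''\
192.0.2.10 - alice [24/Jul/2018:20:35:01 +0200] TLSv1.2/AES128-GCM-SHA256 "PROPFIND /remote.php/dav/calendars/alice/cal/ HTTP/2.0" 207 1469 "-" "DAVdroid/1.11.5-ose (2018/07/01; dav4android; okhttp/3.10.0) Android/7.0"
192.0.2.10 - alice [26/Jul/2018:10:38:41 +0200] TLSv1.2/DHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/webdav/file.ext HTTP/1.1" 207 835 "-" "Mozilla/5.0 (Android) ownCloud-android/3.2.1"
192.0.2.11 - bob [27/Jul/2018:09:00:00 +0200] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /status.php HTTP/1.1" 200 120 "-" "curl/7.58.0"
this line is malformed and must be skipped
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'(?P<proto>[^/\s]+)/(?P<cipher>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def has_forward_secrecy(proto, cipher):
    """True if the negotiated suite uses an ephemeral (EC)DHE key exchange."""
    if proto == "TLSv1.3":
        return True  # every TLS 1.3 suite uses ephemeral key exchange
    # OpenSSL-style TLS 1.2 names: a bare AES128-GCM-SHA256 means RSA key transport
    return cipher.startswith(("ECDHE-", "DHE-"))

def clients_without_forward_secrecy(log_text):
    """Map user agent -> set of protocol/cipher pairs lacking forward secrecy."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the layout
        if not has_forward_secrecy(m["proto"], m["cipher"]):
            findings[m["agent"]].add(f'{m["proto"]}/{m["cipher"]}')
    return dict(findings)

if __name__ == "__main__":
    for agent, suites in clients_without_forward_secrecy(SAMPLE_LOG).items():
        print(f"{agent}: {sorted(suites)}")
```

Any user agent this reports would fail its handshake once the non-(EC)DHE suites are removed, unless the server also offers an ECDHE curve that the client supports.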