[BUG] clarify config for FreshRSS, EasyRSS and TLS 1.3

[oupala]

Describe the bug

On my configuration, I had apache configured to serve only pages under TLS, and only TLS 1.3.

I also use EasyRSS (from F-Droid) on my android to read my feeds.

It appears that the configuration on my server is not compliant with my android device or with EasyRSS, as EasyRSS cannot use FreshRSS's api when the server is configured to serve only page with TLS 1.3.

The difficult part here is that EasyRSS is not correctly handling the error and say that the username or the password is wrong. In fact, the username and the password were perfectly right, so was the FreshRSS api url. The only solution was to enable TLS 1.2 so that EasyRSS can use the api of FreshRSS

To Reproduce Steps to reproduce the behavior:

1. install FreshRSS
2. configure apache to serve pages under TLS 1.3
3. install EasyRSS on an android device
4. try to connect to the api of FreshRSS with EasyRSS
5. see that EasyRSS is getting an error about a wrong username or password

Expected behavior

I was expecting everything to work well, and that EasyRSS can connect to the api of FreshRSS.

Additional context

I suppose the problem comes from EasyRSS as I was able to use the web interface of FreshRSS using my Fennec (Firefox mobile) browser. Si I think it is not my android device that is reluctant to TLS 1.3.

As a consequence, there is 2 problems with EasyRSS:

• it does not support TLS 1.3 for TLS negociation
• it does not handle well any TLS negociation error and let it appear as a login/password error where it is in reality an http/tls configuration issue

I think the documentation of FreshRSS should spread a word about this limitation so no one else will loose hours trying to update his login and password...

I will also file this issue in FreshRSS issues, as the issue has impacts in FreshRSS *and EasyRSS.

[Frenzie]

I suppose the problem comes from EasyRSS as I was able to use the web interface of FreshRSS using my Fennec (Firefox mobile) browser. Si I think it is not my android device that is reluctant to TLS 1.3.

I think Firefox includes its own libraries, so it's certainly not a given that it isn't due to the Android device. Android didn't support TLS 1.3 until Android 10, so if you have an older version it won't work. (Presumably it's not too hard to include the relevant libraries to enable support on something like Android 5+ or 6+, though with Android you never know.)

[oupala]

I'm running Android 7.1.2 (lineage os) so I believe my android does not support TLS 1.3 natively.

But if @Frenzie is right, if Firefox can include support for TLS 1.3, I think it should also be possible to do so for EasyRSS.

If I understand it correctly, EasyRSS can use the embedded libraries of android in order to manage HTTP and TLS, or it can take in charge its own libraries and not rely on the librariesof android. Am I right?

In the meantime, it should be added in the doc that users should pay attention to the TLS version as it can make EasyRSS not to work with a FreshRSS instance.

[Frenzie]

If I understand it correctly, EasyRSS can use the embedded libraries of android in order to manage HTTP and TLS, or it can take in charge its own libraries and not rely on the librariesof android. Am I right?

Firefox is a very different kind of app. But for EasyRSS it might be possible with https://github.com/google/conscrypt or equivalent.

[quantenzitrone]

I'm running FreshRSS through caddy as a reverse proxy, which serves TLS 1.2 and 1.3 by default. I can also confirmed that via openssl s_client rss.example.com:443 -tls1_2.

I still have the same problem, that, despite my password being definitely correct, it tells me the password is incorrect.