SchildiChat / SchildiChat-android

Matrix client / Element Android fork
https://schildi.chat/android/
Apache License 2.0

Let's Encrypt SSL error for push and bug report #123

Closed. ipoupaille closed this issue 2 years ago.

ipoupaille commented 2 years ago

I am using UnifiedPush for notifications (fcm.distibutor.unifiedpush.org). I have not received notifications for at least a month. When I test notifications, everything is OK except the push test ("Tester le push" in French). The error shown is an SSL error ("Erreur SSL" in French). When I try to send a bug report ("Rapport d'anomalie…"), I get an SSL handshake error.

My device is on Android 7.0 (not my fault…). I know that there are some problems with this version and Let's Encrypt certificates.

SpiritCroc commented 2 years ago

I can't talk about the unifiedpush FCM distributor, I won't test that since I'd recommend using the gplay-variant's inbuilt FCM distributor in SchildiChat. That said, I can reproduce this issue on Android 7 (and it doesn't even seem to show the inbuilt FCM as option :thinking: ).

@su-ex: looks like schildi.chat may be set up too securely for Android 7? Sending rageshakes on Android 7 to s2.spiritcroc.de works, but not to rageshake.schildi.chat. openssl s_client -showcerts -connect rageshake.schildi.chat:443 shows some differences to openssl s_client -showcerts -connect s2.spiritcroc.de:443 here, not sure what exactly the issue is though. // Actually, login to the schildi.chat homeserver is also broken on Android 7, but spiritcroc.de works.

SpiritCroc commented 2 years ago

Update: inbuilt FCM not showing on Android 7 fixed in https://github.com/SchildiChat/SchildiChat-android/commit/91cff797f090febbab26010704ae85fe8665db6b . With that, we have the same ssl issue when using sygnal.schildi.chat obviously, which we'll see what we can do later.

SpiritCroc commented 2 years ago

Issue was that schildi.chat was configured to only support secp384r1 as ssl_ecdh_curve, which Android 7.0 doesn't support. So setting it to prime256v1:secp384r1 fixed it.
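The curve mismatch described in this thread can be reproduced without an Android 7 device. The script below is an added example, not code from SchildiChat or its maintainers: it hand-builds a TLS 1.2 ClientHello that offers only ECDHE cipher suites and a chosen list of supported groups, sends it to a server, and reports whether the server answers with a ServerHello (it can negotiate one of those groups) or a handshake_failure alert (it cannot). A server configured with ssl_ecdh_curve secp384r1 alone answers the prime256v1-only probe with an alert, which is what a client that only offers prime256v1 runs into. The host names, the group list and the helper names are assumptions for this example; the default host is the one discussed above.

```python
"""Probe which ECDHE groups a TLS server will negotiate.

Added example for this issue, not part of SchildiChat. It sends a minimal,
hand-built TLS 1.2 ClientHello (no ssl module, so the client's supported_groups
list is fully under our control) and classifies the first record the server
returns.
"""
import socket
import struct
import sys

# IANA supported_groups identifiers (RFC 8422 / RFC 8446).
GROUPS = {"prime256v1": 0x0017, "secp384r1": 0x0018,
          "secp521r1": 0x0019, "x25519": 0x001D}
HANDSHAKE_FAILURE = 40  # TLS alert description for handshake_failure


def _ext(ext_type, body):
    """Encode one TLS extension: type(2) + length(2) + body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, groups):
    """TLS 1.2 ClientHello offering only ECDHE-AES128-GCM suites and `groups`."""
    version = b"\x03\x03"
    rand = b"\x00" * 32          # constructed: a fixed random is fine for a probe
    session_id = b"\x00"
    suites = struct.pack("!HH", 0xC02B, 0xC02F)  # ECDHE-ECDSA / ECDHE-RSA AES128-GCM-SHA256
    suites = struct.pack("!H", len(suites)) + suites
    compression = b"\x01\x00"
    name = server_name.encode()
    exts = _ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)  # SNI
    glist = b"".join(struct.pack("!H", GROUPS[g]) for g in groups)
    exts += _ext(0x000A, struct.pack("!H", len(glist)) + glist)                  # supported_groups
    exts += _ext(0x000B, b"\x01\x00")                                              # ec_point_formats: uncompressed
    sigalgs = b"\x04\x01\x04\x03\x08\x04"  # rsa_pkcs1_sha256, ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
    exts += _ext(0x000D, struct.pack("!H", len(sigalgs)) + sigalgs)               # signature_algorithms
    body = (version + rand + session_id + suites + compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_supported_groups(record):
    """Return the supported_groups ids in a ClientHello record (self-check of the builder)."""
    body = record[5 + 4:]              # skip record header (5) and handshake header (4)
    pos = 2 + 32                       # version + random
    pos += 1 + body[pos]               # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]               # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x000A:
            n = struct.unpack("!H", body[pos:pos + 2])[0]
            return [struct.unpack("!H", body[pos + 2 + i:pos + 4 + i])[0] for i in range(0, n, 2)]
        pos += elen
    return []


def classify_response(data):
    """'ServerHello', 'alert:<description>' or 'unknown' for the first record a server sent."""
    if len(data) < 6:
        return "unknown"
    if data[0] == 0x16 and data[5] == 0x02:     # handshake record carrying ServerHello
        return "ServerHello"
    if data[0] == 0x15 and len(data) >= 7:      # alert record: level, description
        return "alert:%d" % data[6]
    return "unknown"


def probe(host, port, groups, timeout=5.0):
    """Send the probe ClientHello and classify the server's first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host, groups))
        return classify_response(s.recv(4096))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "rageshake.schildi.chat"
    for group in ("prime256v1", "secp384r1", "x25519"):
        print("%-12s %s" % (group, probe(host, 443, [group])))
```

A server that only allows secp384r1 reports alert:40 for the prime256v1 line and ServerHello for secp384r1; after the fix from this thread (ssl_ecdh_curve prime256v1:secp384r1 on the nginx side) both lines report ServerHello. The same check with stock OpenSSL is openssl s_client -connect rageshake.schildi.chat:443 -curves prime256v1, which fails with a handshake failure against the old configuration.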
