Note that WebSockets require TLS 1.2 (TLS 1.3 is not supported) in documentation

[cguess]

Submit feature requests to http://www.mattermost.org/feature-requests/. File non-security related bugs here in the following format:

Summary

Issue in one concise sentence. Documentation should note that when the iOS app attempts to create a websocket connection with a server only supporting TLS 1.3, it will never succeed.

Environment Information

• Device Name: iPhone X
• OS Version: 10.15.1
• Mattermost App Version: 1.32.2
• Mattermost Server Version: 5.24.0

Steps to reproduce

1. Set up NGINX as a reverse proxy for the Mattermost server, terminating SSL
2. Assure that NGINX is set up only for TLS1.3 using recommendations from Mozilla (https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.4)
3. Connect with desktop app/web browser and everything will work fine
4. Connect with mobile app and "Connecting..." will stay up forever. Other requests work fine
5. Switch to TLS1.2 as well (https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.4) Everything will work now

Expected behavior

It'd make sense to ensure that the app supports the strongest and most up to date TLS versions

Observed behavior

SSLHandshake fails (according to system logs on device)

Possible fixes

At least add this to the documentation either in this repo or in the server documentation

[enahum]

@grundleborg do you know if this is the WS on the server or is it just that the client does not seem to support it ?

[cguess]

For what it's worth, the websockets connect from the browser just fine (including verified in the developer tools).

[grundleborg]

@enahum since the TLS is being terminated at Nginx in this example, I don't think the server has anything to do with it. Also see @cguess comment above mine.

[enahum]

Thanks @grundleborg

@cguess thanks for letting us know, I’ll incestigate, in case is needed we are going to have to report this to the react native team.

Would yo be interested in drafting and submitting a PR to update the docs to clarify that TLS 1.3 does not work with the mobile app websocket?

[cguess]

Will do.

-Christopher Guess cguess@gmail.com US/WhatsApp/Signal: +1 262.893.1037 PGP: AAE7 5171 0D82 B45B

On Mon, Jul 13, 2020 at 8:55 AM Elias Nahum notifications@github.com wrote:

Thanks @grundleborg https://github.com/grundleborg

@cguess https://github.com/cguess thanks for letting us know, I’ll incestigate, in case is needed we are going to have to report this to the react native team.

Would yo be interested in drafting and submitting a PR to update the docs to clarify that TLS 1.3 does not work with the mobile app websocket?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/mattermost/mattermost-mobile/issues/4557#issuecomment-657543398, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACOYQXHWNDPYUSGSDCPXHTR3L73LANCNFSM4OW3CYHA .

[gidoBOSSftw5731]

Hey, can we fix this? why can we not use TLSv1.3 on only SOME platforms and still get marginal functionality. At this point, TLSv1.3 is a critical feature for security, particularly since it removes many old ciphers that could be a large security hole in misconfigured servers (among which there are certainly many). TLSv1.3 also improves speed dramatically with its shorter handshake, which is required for you to compete with larger services which "just work" and are "seamless", or even "magic". I dont understand how this could even happen programmatically but it sorely disappoints me. Opening my server to less secure and higher cost non-elliptic curve cryptography is honestly testing my loyalty to mattermost, and is honestly just sad.

[enahum]

@DSchalla can you help verify this? Also check this thread I found, could it be related? https://developer.apple.com/forums/thread/132286

Based on the code in RN implementation, it looks like the right values are being set https://github.com/facebook/react-native/blob/master/Libraries/WebSocket/RCTSRWebSocket.m#L506

[jaydeland]

Jira ticket for this issue: DOPS-175: MM server with TLS 1.3 (To Do)

[seanm]

I guess since this ticket is still open, this is still an issue today?

I've had TLSMinVer set to 1.3 for a long time, and no one ever complained. But the other day I changed my Let's Encrypt certs from RSA to ECDSA and since then coworkers using the iOS/Android app cannot connect, but using any browser from any OS works fine.

Is what I'm seeing the same as this ticket?

[kz159]

Can someone please add this to documentation? I've spent two days fighting this and when i've added TLSv1.2 to nginx(where TLSv1.3 only) it worked like a charm No more annoying bar that says connecting, finally

[amyblais]

@kz159 Do you have an idea on where in the documentation you'd expect to find this information? Would you be open to creating a docs issue for this here https://github.com/mattermost/docs/issues (I can also help create an issue if you'd prefer)?

[enahum]

The upcoming mobile v2 should support TLS1.2 and TLS 1.3 for websocket connections

[kz159]

@amyblais sure! and i would love to take some help with this, how we will deal with this?

[kz159]

@amyblais here, can you review? https://github.com/mattermost/docs/issues/6070

[amyblais]

Looks good, thank you!

[kz159]

Happy to help! Thank you for mattermost!

[larkox]

Closing since this is solved for V2.