mvysny / photocloud-frame-slideshow

Android Digital Photo Frame
https://www.android-photo-frame.eu
15 stars 1 forks source link

Nextcloud connecton failes with SSLv3 error #123

Closed feutl closed 4 years ago

feutl commented 4 years ago

One of my tablets started (don't know exactly when) throwing an SSL handshake error to my Nextcloud instance.

All my multiple clients are using the same Nextcloud instance and they work except this one ;)

Error message as a screenshot photoframe

The device is a ODroid-C1 Android: 4.4.4 Kernel: 3.10.33 Photocloud-Frame: 1.13.16

I tested Firefox on this device, and was able to connect to the Nextcloud instance.

Thanks for any hint and help :)

mvysny commented 4 years ago

Hi! I'm guessing that it was actually your nextcloud that got updated, or something in front of nextcloud which decodes https into http . The problem is that sslv3 is deprecated since it's unsafe: https://ma.ttias.be/rfc-7568-ssl-3-0-is-now-officially-deprecated/ . It could be that nextcloud stopped supporting sslv3. If memory serves right, Android 4.4.4 did not support newer protocols than sslv3.

It sounds to me that you will either have to upgrade your tablet, or it's possible to specifically allow sslv3 on your server.

feutl commented 4 years ago

The funny thing is, I even have an older tablet with an android version you even do not support any more, and this one still works. But yes, letsencrypt certs do get renewed regularly. I just thought, photoframe enforces SSL or can handle this differently.

Also funny, Firefox on the same device, just works opening my nextcloud instance. So do no know if it really is a Android API issue.

feutl commented 4 years ago

After some analyzes - seems I need to make some adjustments with those "older" devices. Replacing them seems the only option. As far as I have understood. Thanks

mvysny commented 4 years ago

The funny thing is, I even have an older tablet with an android version you even do not support any more, and this one still works.

Okay that sounds pretty weird :-D Even though according to https://ankushg.com/posts/tls-1.2-on-android/

despite documentation suggesting otherwise, not all devices on Android 4.1+ actually support TLS 1.2.

Could it be that your tablet is one of those without a proper support for TLS 1.2? (That's a successor protocol to sslv3)

Also funny, Firefox on the same device, just works opening my nextcloud instance. So do no know if it really is a Android API issue.

Hmm could it be that Firefox packages its own ssl library which does support TLS 1.3? That could explain this behaviour. PhotoCloud uses the Android built-in https support, and that one might lack support for TLS, falling back to sslv3. I wonder whether it's possible to show the protocol used in the Android Firefox browser?

After some analyzes - seems I need to make some adjustments with those "older" devices. Replacing them seems the only option. As far as I have understood.

Alternatively you can either use plain http (of course that's unsecure and prone to MitM attacks with possibility for the attacker to learn your password, however if the tablet is at all times connected to the same wifi network as your nextcloud server then that's okay). Alternatively you can try to reconfigure your NextCloud server to accept sslv3.

Please let me know whether this answers your question :+1:

feutl commented 4 years ago

After some reading, I must assume that my Odroid C1 is one of this "very special" devices :) I do upgrade the machine to a newer one, and doing so I also ensure that I use an Android Version which is at least 5 or much higher. Thanks for the help, the issues is "resolved" 💃

feutl commented 4 years ago

@mvysny After some reading and testing with the devices I found, you should considering raising your minimum Android Limit to 5. The TLS 1.2 implementation, which gets enforced more often by different vendors, does not work properly on any device with a lower android version than 5.

So perhaps you can just enforce using 5, and document that as well, I assume in the future more "older" devices with 4.4 are unable to use HTTPS connections because of TLS1.2

mvysny commented 4 years ago

Thanks! There are users using PhotoCloud on older tablets, accessing their photo collection via Samba (Windows Share) or other means which do not require TLS1.2. Increasing minimum Android version would cut these people off. Therefore I'd like to keep the current minimum.

That being said, it's really good to have this issue documented, since all Android 4.4 users may run into this at some point. I've added this information into the FAQ at http://www.android-photo-frame.eu/faq.html

I'm also pasting the error message here in plain text, so that users can google this more easily.

The full error message reads:

Failed to connect. Please make sure that the server is running, is accessible from your phone and your OwnCloud config.php's
trusted_domain list contains 'xxx'.
Error. java.io.IOException: list / failed: -1: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL
handshake aborted: ssl=0x6cb36970: Failure in SSL library, usually a protocol error.
error 14077410:SSL routines: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741
0x6a45d74:0x00000000)
AlphaCactus commented 2 years ago

It appears that Dropbox API has also stopped supporting TLS 1.x. https://www.dropboxforum.com/t5/Dropbox-API-Support-Feedback/Reminder-The-Dropbox-API-will-no-longer-accept-TLS-1-0-or-1-1/td-p/582785

A remote user took of photo of the error so I can't see the entire error message on screen, but the part I can read says shows in small text along the top of the display: Warning: error while polling for photos, showing cached photos until the stream+WIFI comes back online: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb7e5c910; Failure in {… illegible in photo … } usually a protocol error… Then in large text in the middle of the screen. The stream failed, retrying. Please wait.

Would it be possible to get a list of services (if any exist) in addition to the Windows Samba Share) which are still supported on these older devices?