No safe ciphers supported

[RubenKelevra]

Actual behaviour

No connections possible with secure ciphers

Expected behaviour

Secure ciphers supported

Steps to reproduce

1. create a server with safe ciphers
2. start android app
3. try to connect

   Environment data

Android version: latest stable

Device model: exchangeable

Stock or customized system: native android

Nextcloud app version: latest today

Nextcloud server version: 9.0.51

Nginx cipher config

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!MD5:!aNULL:!EDH:!RC4:!DSS;
ssl_prefer_server_ciphers on;

[AndyScherzinger]

cc @LukasReschke

Do we have any environments to test this scenario Lukas or could you @RubenKelevra provide us with a test account so we can debug this matter? Another things is that I am not sure if this is a client matter since many people in the forums had client problems while using nginx since it seems the nginx configuration has to be rather specific.

[LukasReschke]

Please provide us with a link to your domain, @RubenKelevra.

[RubenKelevra]

@LukasReschke https://cloud.itu2015.de

Just enter this as domain and the Android App says "SSL connection error" or similar.

This domain entered on chrome on the same device works. After removing my explicit ssl-ciphers this works also in the app.

[LukasReschke]

What Android version are you using?

[AndyScherzinger]

@LukasReschke and @RubenKelevra here is the stack trace I get when trying the URL and to me this seems to be a configuration issue to some extend:

08-30 18:07:25.201 25775-25831/com.nextcloud.android.beta E/GetRemoteStatusOperation: Connection check at https://cloud.itu2015.de: SSL exception
  javax.net.ssl.SSLHandshakeException: Handshake failed
      at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
      at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.verifyPeerIdentity(AdvancedSslSocketFactory.java:248)
      at com.owncloud.android.lib.common.network.AdvancedSslSocketFactory.createSocket(AdvancedSslSocketFactory.java:185)
      at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
      at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
      at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
      at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
      at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:222)
      at com.owncloud.android.lib.common.OwnCloudClient.executeMethod(OwnCloudClient.java:192)
      at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.tryConnection(GetRemoteStatusOperation.java:89)
      at com.owncloud.android.lib.resources.status.GetRemoteStatusOperation.run(GetRemoteStatusOperation.java:194)
      at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
      at com.owncloud.android.operations.GetServerInfoOperation.run(GetServerInfoOperation.java:81)
      at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:136)
      at com.owncloud.android.services.OperationsService$ServiceHandler.nextOperation(OperationsService.java:489)
      at com.owncloud.android.services.OperationsService$ServiceHandler.handleMessage(OperationsService.java:425)
      at android.os.Handler.dispatchMessage(Handler.java:102)
      at android.os.Looper.loop(Looper.java:154)
      at android.os.HandlerThread.run(HandlerThread.java:61)
   Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x75c5e0c1c0: Failure in SSL library, usually a protocol error
  error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:610 0x75d494eca0:0x00000001)
  error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:764 0x75d720ef76:0x00000000)
      at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
      at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
        ... 20 more

Or the SSL library can't handle this, don't know since I am not an SSL expert. My test is latest beta run on an Nexus5X with Android 7.0

[RubenKelevra]

@LukasReschke none, this was done on a phone of a friend which runs on android 7

[RubenKelevra]

@AndyScherzinger which infos do you need additional? :)

[AndyScherzinger]

@RubenKelevra I don't need any, the URL is fine for me looking at it from a client perspective, to try to further debug this matter. Not sure if anyone from the server/core team can support this matter, so cc @MorrisJobke @rullzer @nickvergessen

[rullzer]

I can't reproduce this on my android (with the same cipher list for nginx) it is running android 6.

This seems to be something not related to the server part but to the webserver config.

[RubenKelevra]

@rullzer I quoted the full full ssl-config of this server. I think it's might be related to "ssl_ecdh_curve secp384r1;" or a 4096 bit dhkey might be to large ... Actually Android since 4.x should support this options. :)

ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
resolver 8.8.8.8;
ssl_stapling on;
ssl_stapling_verify on;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

ssl_certificate /etc/nginx/certs/cloud.itu2015.de.crt;
ssl_certificate_key /etc/nginx/certs/cloud.itu2015.de.key;

ssl_dhparam /etc/nginx/certs/cloud.itu2015.de.dh4096.pem;
ssl_trusted_certificate /etc/nginx/certs/startssl-ca-certs.pem;

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!MD5:!aNULL:!EDH:!RC4:!DSS;
ssl_prefer_server_ciphers on;

add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Public-Key-Pins 'max-age=5184000; pin-sha256="5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="';

[RubenKelevra]

@rullzer if you run your nginx with openssl please confirm the very latest version is installed, I use LibreSSL on all Servers because OpenSSL had no support for ChaCha20 until the very last version.

[rullzer]

I'm runnig dev-libs/openssl-1.0.2h-r2 (gentoo). I could debug more but then I'll need to setup stuff in a docker/VM since I don't want to mess with my life instance ;)

[RubenKelevra]

@rullzer allright, feel free if to ask if you need some further infos :)

[hucste]

Hi... I confirm this bad bogue. :( Please, see all this nextcloud thread where i wroted informations.

It appear app android need SSLv3 connections and SHA1 cipher to connect at server NC. If the server NC is correctly setted with ultra secured ciphers as 'EECDH+AES:+AES128:+AES256', those app Android can not connect. It's necessary to downgrade security SSL by adding ':SHA' as 'EECDH+AES:+AES128:+AES256:+SHA' to obtain connections! But...

# openssl ciphers -v 'EECDH+AES:+AES128:+AES256:+SHA'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1

App Android can communicate only with 'ECDHE-RSA-AES128-SHA'.

I explain in other NC post why it's very bad.

[rullzer]

Can you connect to nextcloud via the browser with that cipher suite.

If not we blame android If you can well then it must be something in a lib we use to connect.

[AndyScherzinger]

@rullzer it might be Android or rather our client lib (which is very old, from the fork), see https://github.com/nextcloud/android-library/issues/17

[hucste]

@rullzer : Really ? have you read completly my post and all related informations? I dont know :( sorry, but I do not want to repeat myself!

[rullzer]

@hucste a missed your first link. Sorry for the noise

[hucste]

@rullzer: ok, thanks! :dancer:

[AndyScherzinger]

@RubenKelevra did you change the server config? Just asking since my phone can now establish a secure connection?!

[RubenKelevra]

@AndyScherzinger Since this bug is still around I had to, there are users which needs this server. But if you need a testing-url I can provide the same serverconfig as before on a different URL.

[RubenKelevra]

@all I can confirm the android-app does NOT need an SSLv3 connection, my Server is not capable of TLS connections below 1.2 for security-reasons. So just all new secure Perfect Forward Secrecy ciphers seems to be a problem as well as ChaCha20-Poly1305 which is very well supported by Android.

[RubenKelevra]

@hucste the sslv3 part only means this ciphers are introduced with sslv3, which does not mean they are limited to sslv3 handshakes.

[AndyScherzinger]

@RubenKelevra a test url would be awesome for debugging, investigating and testing this matter. Could you then also tells me the name of the used cipher of the test instance?

[RubenKelevra]

@AndyScherzinger line 16 in codeblock on comment Number 10

[AndyScherzinger]

so

ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!MD5:!aNULL:!EDH:!RC4:!DSS;

it is

@RubenKelevra what would be the test instance? :smiley:

[Gerii]

When the server admin changes the cipher suites to unsupported ciphers after the user has logged into the mobile app just fails silently, i.e. it looks like it tries to load something and then just returns the cached results instead of showing an error.

[jnaskali]

Just upgraded to Android 7 and NextCloud app can't connect due to "SSL initialization failed". This might be a more widespread problem soon.

[lanrat]

I'm having the same issue on Android 7 with both the NextCloud app and the NextCloud Beta app.

I was able to temporarily make it work by setting my SSL ciphers to the following in Nginx

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

This works by allowing some less secure ciphers which I am not a fan of. Hopefully a newer SSL library can be used to fix this issue.

[AndyScherzinger]

Hi @lanrat, we will have to see and check how this can be fixed. The ciphers are shipped the Android itself and depending on the Android version different ciphers are shipped and different ciphers are being activated by default on the OS level and the rest of the shipped ones could then be activated and used programmatically. Unfortunately we can't ask the server which cipher we should use and it also seems overly complicated and time consuming to tryout all available ciphers against the server to see which one works.

For that reason @oparoz published/tested a list of ciphers which are compatible with the clients: https://help.nextcloud.com/t/which-tls-config-is-supported-by-the-clients/3708

Beware that even if we would implement some kind of cipher detection/heuristic/algorithm the cipher itself comes with Android, so the OS might then not be supported by your server...

[Gerii]

Unfortunately we can't ask the server which cipher we should use and it also seems overly complicated and time consuming to tryout all available ciphers against the server to see which one works.

Isn't that part of the TLS handshake?

[AndyScherzinger]

@LukasReschke @oparoz can you help us/me with this question(s)...not an TLS/SSL expert :'(

[oparoz]

Isn't that part of the TLS handshake?

Yes, both the client and server go through their ordered list of ciphers to find a common one.

So you just need to make sure that you have at least one match between what's listed on here: https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=7.0&key=139 and what's listed on your server. Everything on the line has to match. Per example Android 6 does not seem to support SHA384.

[freswa]

Hey nerds, I ran into the same issue since upgrading one of my devices to Android 7.

I have no solution so far, but I found the ciphers available in android from default SSLContext: https://developer.android.com/reference/javax/net/ssl/SSLEngine.html

Maybe that helps with debugging.

[bonanza123]

It seems that none of the ciphers from ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 are supported (via Mozilla Configurator on level modern). But after adding ECDHE-RSA-AES128-SHA it seems to be working.

[ReinForce-II]

BTW, no chipher is supported while using an ECC certificate.

[Schmuuu]

If I may jump in here: Users of my NC server use older Android smartphones like Galaxy S4 mini. With the android default browser and also with the NC app (latest release) I can't connect to the server. For me as well the super secure ciphers are the root cause of this problem. Using Mozilla Firefox on the S4 mini, I can connect to the server without any problems, which makes me think that Firefox brings its own cipher suites. And if Firefox browser can work, I think the NC android app could do this as well :)

Would it be possible to ship the most modern cipher suites in the NC android app as well?

I also use the "modern" ciphers that are suggested by the Mozilla SSL Configuration Generator: Ciphersuites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Would love to obtain highest security and still allow my users to connect to the servers with their phones.

If necessary I open a new issue, but I thought it perfectly fits here - only that it is not Android 6 or 7.

[AndyScherzinger]

Does anyone have a server with the stronger ciphers only where the app can't do the connection? @mario implemented a fix which we would like to test.

[Schmuuu]

I have. Do you need the URL? If so how can I send you a private message then? Or is a new version released?

[AndyScherzinger]

@Schmuuu I would need the URL, no newly released version or nightly yet since I want to test this first, before released and potentially breaking HTTPS-URL logins. You can send me a PM, but only in the forum (https://help.nextcloud.com/), my username is andy. Thanks in advance for all your help :)

[mario]

If this does not work, I have other ideas :)

[AndyScherzinger]

I'd doesn't work on Android 4 and tested on Android 7 the fix isn't needed. So I am unsure if it is (worst case) an OS support issue but I'd say we could simply merge it and see if it helps, or at least push it to the nightlies and ask the community to test for the servers in question.

What do you think @mario?

[mario]

I have another idea so let me try that today and I'll tell you then :)

[gmx-git]

Hi guys, Have you had a breakthrough on this? I experience the same issue. (using Android 7.0)

[johenning]

ECDHE-RSA-AES128-SHA it seems to be working.

It also seems like dhparams >2048 are not supported. At least I didn't work with 4096 on my server.

[DriverXX]

There is a bug in Android 7.0 with this: ssl_ecdh_curve secp384r1;

Android 7.1 resolve this issue. In the meantime you can use: ssl_ecdh_curve prime256v1;

[geez0x1]

I'm also using the Mozilla modern cipher list, and a ECC cert: desktop Firefox is using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLSv1.2. My HTC One M7 with Lineage 14.x nightly didn't have any issues using the nextCloud app. My girlfriend's Moto G5 Plus (stock Android 7.0) has issues with the nextCloud client though. As far as I can tell from this thread, there is no workaround apart from weakening security, with is not an option as far as I'm concerned.

I suppose that custom ROM on her phone needs to come sooner than later then ^^

[tobiasKaminsky]

Unfortunately we do not have any influence what kind of ciphers are available on the devices... I think you can add multiple ciphers on server side so that the strongest are used if available, falling back to weakener ones if needed...

[manu-p]

Hi, sorry to dig up the subject but, not being a specialist, I keep wondering if there's anything that can be done on the client side to avoid that "SSL initialization failed" between the NC androif app v 3.2.1 on a 5.1.1 android phone trying to send files to a 13.0.4 NC instance hosted on 1and1 where I get no control on any security setup...

[cassdel]

Wow.. 2years.. and we still have issues with Samsung/Android and NC.