[Freedombox-discuss] Cannot connect to radicale from phones after installing new image.

A. F. Cano afc54 at comcast.net
Wed Dec 22 19:17:25 GMT 2021

On Tue, Dec 21, 2021 at 03:00:27PM +0100, Diederik de Haas wrote:
> On Monday, 20 December 2021 23:32:57 CET A. F. Cano wrote:
> > > FreedomBox 21.9 (2021-09-18) removed support for SSLv3, TLSv1 and
> > > TLSv1.1.
> > > 
> > > https://wiki.debian.org/FreedomBox/ReleaseNotes#FreedomBox_21.9_.282021-09
> > > -18.29
> > > 
> > > After upgrading to 21.9, I also found my tt-rss Android client (1.301-
> > > fdroid) stopped working (SSLProtocolException:SSL handshake) on my
> > > old phone frozen in time at Android 4.3.  I think older phones stuck at
> > > older versions of Android are just out of luck.
> > 
> > Well, that explains it.  Thanks for clarifying.  
> https://salsa.debian.org/freedombox-team/freedombox/-/commit/
> 956b17da062715990024684be6c969c4e40d21c7 is the commit where that happened.
> You _could_ remove "-TLSv1.1" from the SSLProtocol line (39), but do realize 

You answered my question before I even got to ask it!  I replaced the

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1


SSLProtocol all

But nothing changed, even after:

/etc/init.d/apache2 restart
/etc/init.d/uwsgi restart
/etc/init.d/apache-htcacheclean restart
/etc/init.d/apache2 reload

Not even after a full reboot.  I'm still getting the same SSL errors and
the output of the tests from ssllabs.com still give me an A+ with the same

The only other reference I found to SSL security is in freedombox.conf:

 # Disable ciphers that are weak or without forward secrecy.

But I have no idea what to do with this.  Should I just comment it? or
should certain cyphers be added or removed?  Which ones?

> that if you do that, you ARE compromising the security of your freedombox! 
> (which you can verify by doing another test at ssllabs.com)

Understood.  I only want to connect once successfully so I can load my
addressbook/calendar/todo list on the "new" phone so I have something
usable while I upgrade the old one.

> I agree with the freedombox decision to disable TLSv1.1* and lower by default 
> and if you decide to change the configuration, only do it as a temporary thing 
> to give you some extra time to upgrade your phone's OS, after which you should 
> disable TLSv1.1 again.


> > Disappointing, as radicale was workin quite nicely.
> I understand it's inconvenient, but what it actually showed you is that the 
> security of your phone's OS is bad.
> >From https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 :
> "In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they 
> would deprecate TLS 1.0 and 1.1 in March 2020."
> There's a good chance various things already stopped working for you and it'll 
> only get 'worse' for you, but better for security, over time.

This "new" phone is so locked up that I don't think it can even be
rooted (Samsung Galaxy mega GT-I9152) but the old one (Galaxy S SGH-T959) is
already rooted and newer versions of lineage OS are available, so I'll
upgrade it.

> *) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982745

Thank you very much for taking the time to reply.  I learned something
very useful.


More information about the Freedombox-discuss mailing list