[Freedombox-discuss] Cannot connect to radicale from phones after installing new image.
A. F. Cano
afc54 at comcast.net
Wed Dec 22 19:17:25 GMT 2021
On Tue, Dec 21, 2021 at 03:00:27PM +0100, Diederik de Haas wrote:
> On Monday, 20 December 2021 23:32:57 CET A. F. Cano wrote:
> > > FreedomBox 21.9 (2021-09-18) removed support for SSLv3, TLSv1 and
> > > TLSv1.1.
> > >
> > > https://wiki.debian.org/FreedomBox/ReleaseNotes#FreedomBox_21.9_.282021-09
> > > -18.29
> > >
> > > After upgrading to 21.9, I also found my tt-rss Android client (1.301-
> > > fdroid) stopped working (SSLProtocolException:SSL handshake) on my
> > > old phone frozen in time at Android 4.3. I think older phones stuck at
> > > older versions of Android are just out of luck.
> >
> > Well, that explains it. Thanks for clarifying.
>
> https://salsa.debian.org/freedombox-team/freedombox/-/commit/
> 956b17da062715990024684be6c969c4e40d21c7 is the commit where that happened.
>
> You _could_ remove "-TLSv1.1" from the SSLProtocol line (39), but do realize
You answered my question before I even got to ask it! I replaced the
line:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
with
SSLProtocol all
But nothing changed, even after:
/etc/init.d/apache2 restart
/etc/init.d/uwsgi restart
/etc/init.d/apache-htcacheclean restart
/etc/init.d/apache2 reload
Not even after a full reboot. I'm still getting the same SSL errors and
the output of the tests from ssllabs.com still gives me an A+ with the same
results.
The only other reference I found to SSL security is in freedombox.conf:
# Disable ciphers that are weak or without forward secrecy.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
But I have no idea what to do with this. Should I just comment it out, or
should certain ciphers be added or removed? Which ones?
> that if you do that, you ARE compromising the security of your freedombox!
> (which you can verify by doing another test at ssllabs.com)
Understood. I only want to connect once successfully so I can load my
addressbook/calendar/todo list on the "new" phone so I have something
usable while I upgrade the old one.
> I agree with the freedombox decision to disable TLSv1.1* and lower by default
> and if you decide to change the configuration, only do it as a temporary thing
> to give you some extra time to upgrade your phone's OS, after which you should
> disable TLSv1.1 again.
Absolutely.
> > Disappointing, as radicale was working quite nicely.
>
> I understand it's inconvenient, but what it actually showed you is that the
> security of your phone's OS is bad.
> From https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 :
> "In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they
> would deprecate TLS 1.0 and 1.1 in March 2020."
> There's a good chance various things already stopped working for you and it'll
> only get 'worse' for you, but better for security, over time.
This "new" phone is so locked up that I don't think it can even be
rooted (Samsung Galaxy mega GT-I9152) but the old one (Galaxy S SGH-T959) is
already rooted and newer versions of lineage OS are available, so I'll
upgrade it.
> HTH
>
> *) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982745
Thank you very much for taking the time to reply. I learned something
very useful.
Augustine
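An added example, not part of the thread above and not FreedomBox code: the edit in this message changed a server-level SSLProtocol line and saw no effect. In Apache, an SSLProtocol directive inside a <VirtualHost> block overrides the server-level one for that host, so a config audit should list every SSLProtocol directive with its scope and the protocol set it actually enables. The script below parses a constructed set of Apache config files (the file names and contents are illustrative, not the real FreedomBox layout), evaluates the "all"/"+"/"-" token semantics of mod_ssl, and flags any scope that still allows SSLv3, TLSv1 or TLSv1.1. To run it against a real server, replace SAMPLE_CONFIG with the contents of the files under /etc/apache2.

```python
"""Audit Apache mod_ssl SSLProtocol directives for deprecated protocol versions.

Added example for this thread; not FreedomBox code. SAMPLE_CONFIG below is
constructed for illustration and does not reproduce the real FreedomBox files.
"""
import re

# Protocols mod_ssl 2.4 understands; "all" expands to every one of them.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}


def expand_ssl_protocol(value):
    """Evaluate an SSLProtocol argument list the way mod_ssl does.

    Tokens are processed left to right (case-insensitive):
      "+name"  adds the protocol to the enabled set
      "-name"  removes it
      "name"   (no sign) replaces the enabled set with just that protocol
    "all" stands for every protocol in ALL_PROTOCOLS. Returns the enabled set.
    """
    enabled = set()
    for token in value.split():
        action = "="
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(ALL_PROTOCOLS)
        elif token.lower() in _CANON:
            names = {_CANON[token.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled


_DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I)
_VHOST_OPEN_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
_VHOST_CLOSE_RE = re.compile(r"^\s*</VirtualHost>", re.I)


def find_protocol_directives(files):
    """files: dict of filename -> text. Returns (file, line, scope, enabled) tuples.

    Scope is "server config" outside any <VirtualHost>, otherwise the vhost
    address. Apache only treats lines that begin with '#' as comments.
    """
    results = []
    for fname, text in files.items():
        scope = "server config"
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue
            m = _VHOST_OPEN_RE.match(line)
            if m:
                scope = f"VirtualHost {m.group(1).strip()}"
                continue
            if _VHOST_CLOSE_RE.match(line):
                scope = "server config"
                continue
            m = _DIRECTIVE_RE.match(line)
            if m:
                results.append((fname, lineno, scope, expand_ssl_protocol(m.group(1))))
    return results


def report_deprecated(files):
    """Return one human-readable finding per directive that enables a deprecated version."""
    findings = []
    for fname, lineno, scope, enabled in find_protocol_directives(files):
        weak = sorted(enabled & DEPRECATED)
        if weak:
            findings.append(f"{fname}:{lineno} [{scope}] enables {', '.join(weak)}")
    return findings


# Constructed sample config tree: the server-level file is hardened, but one
# virtual host carries its own SSLProtocol line that re-enables TLSv1.1.
SAMPLE_CONFIG = {
    "conf-enabled/freedombox.conf": """\
# Disable ciphers that are weak or without forward secrecy.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
""",
    "sites-enabled/000-default-ssl.conf": """\
<VirtualHost *:443>
    SSLEngine on
    # vhost-level override (constructed): wins over the server-level line above
    SSLProtocol all -SSLv3 -TLSv1
</VirtualHost>
""",
    "sites-enabled/strict.conf": """\
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
""",
}

if __name__ == "__main__":
    for finding in report_deprecated(SAMPLE_CONFIG) or ["no deprecated protocols enabled"]:
        print(finding)
```

The audit deliberately reports per directive rather than computing one global answer, because the scope that matters is the virtual host that actually serves the client's request; a clean server-level line says nothing about a vhost that overrides it.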