Android 7 with lets encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: online.smartedoo.co.ke

I ran this command:

It produced this output:

My web server is (include version): apache 2.4.41

The operating system my web server runs on is (include version):
Ubuntu 16.04
My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I have a Bitnami site with Let's Encrypt and I'm experiencing issues. Warning: Android 7.0 clients (not browsers) can only use curve prime256v1. This suggests that I need to have prime256v1, and even with the Apache directive

```
SSLOpenSSLConfCmd ECDHParameters prime256v1
```

any help to resolve this would be appreciated
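The following diagnostic is an added example, not part of the original post or of Bitnami's or Apache's tooling. It reproduces the condition the SSL Labs warning describes, a client that offers the server only the prime256v1 (secp256r1, P-256) group, using the openssl CLI, and reports whether the ECDHE handshake still completes; the hostname is an argument you supply, and the two sample transcripts are constructed so the classifier can be tried offline.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): offer the server ONLY prime256v1,
# as the SSL Labs note says Android 7.0 non-browser clients do, and check whether an
# ECDHE handshake completes. Needs the openssl CLI; "-curves" is the older spelling
# that newer OpenSSL keeps as an alias of "-groups".

# Full TLS 1.2 handshake to HOST:443 advertising only CURVE; emits s_client's report.
probe() {  # $1 = host, $2 = curve name (prime256v1, secp384r1, X25519, ...)
  openssl s_client -connect "$1:443" -servername "$1" -curves "$2" -tls1_2 \
    </dev/null 2>&1
}

# Classify an s_client transcript read from stdin.
# Prints "ok:<temp key>" (status 0) when the server completed the handshake,
# otherwise "fail:<alert name>" or "fail:unknown" (status 1).
classify() {
  transcript=$(cat)
  key=$(printf '%s\n' "$transcript" | sed -n 's/^Server Temp Key: //p' | head -n 1)
  if [ -n "$key" ]; then
    printf 'ok:%s\n' "$key"
    return 0
  fi
  # OpenSSL reports a rejected handshake as "...alert <name>:<source file>..."
  alert=$(printf '%s\n' "$transcript" | sed -n 's/.* alert \([a-z ]*\):.*/\1/p' | head -n 1)
  printf 'fail:%s\n' "${alert:-unknown}"
  return 1
}

# Constructed, abbreviated sample transcripts for trying the classifier offline.
SAMPLE_OK='Server Temp Key: ECDH, P-256, 256 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
1234:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40'

# Probe a live host with the Android 7.0 group first, then with the groups the
# other handshake-simulation rows in this thread show, so results can be compared.
check_host() {  # $1 = host
  for curve in prime256v1 secp384r1 X25519; do
    printf '%-11s ' "$curve"
    probe "$1" "$curve" | classify || true
  done
}

if [ $# -gt 0 ]; then check_host "$1"; fi
```

A "fail" on the prime256v1 row alone means the server's group list excludes P-256, which is what the ECDHParameters directive above is meant to correct.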

Hi @smart_edoo

are you sure this is the problem?

I use an EC P-384 too, no problem (with the check-your-website and all other subdomains + my main domain). And SSL Labs doesn't report that problem with Android 7:

https://www.ssllabs.com/ssltest/analyze.html?d=online.smartedoo.co.ke

| Client | Certificate | Protocol | Cipher suite | Key exchange |
|---|---|---|---|---|
| Android 4.0.4 | EC 384 (SHA256) | TLS 1.0 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 FS |
| Android 4.1.1 | EC 384 (SHA256) | TLS 1.0 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 FS |
| Android 4.2.2 | EC 384 (SHA256) | TLS 1.0 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 FS |
| Android 4.3 | EC 384 (SHA256) | TLS 1.0 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 FS |
| Android 4.4.2 | EC 384 (SHA256) | TLS 1.2 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDH secp256r1 FS |
| Android 5.0.0 | EC 384 (SHA256) | TLS 1.2 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDH secp256r1 FS |
| Android 6.0 | EC 384 (SHA256) | TLS 1.2 > http/1.1 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ECDH secp256r1 FS |
| Android 7.0 | EC 384 (SHA256) | TLS 1.2 > http/1.1 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDH secp256r1 FS |
| Android 8.0 | EC 384 (SHA256) | TLS 1.2 > http/1.1 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDH secp256r1 FS |
| Android 8.1 | Server sent fatal alert: decode_error | | | |
| Android 9.0 | Server sent fatal alert: decode_error | | | |

Instead, there are some curious errors with Android 8.1 and 9. That's really untypical, should never happen.

But you see: All Android versions support EC 384.

PS: That older topic - I don't think it's relevant. Too many updates.


PPS: These errors: Server sent fatal alert: decode_error - is it possible your Tls.1.3 is broken?

Curious: My (Windows-) OpenSSL reports Tls.1.3, but no error.

Perhaps disable Tls.1.3, then recheck your domain.

@JuergenAuer
I've disabled TLS 1.3 but still no change on the SSL Labs test. Android 8 and 9 are still not acting right, though the devices themselves seem to have no problem with the connection.

Assessed on: Fri, 14 Aug 2020 11:14:47 UTC

That's my check, so you see the old result. You have to recheck your domain.

Looks like SSL Labs itself has a problem now: it says even this forum itself or Google have decode_error on a bunch of clients.
https://www.ssllabs.com/ssltest/analyze.html?d=community.letsencrypt.org&s=65.19.128.96&latest
https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=172.217.0.46&hideResults=on&ignoreMismatch=on


But that's a different error:

Server sent fatal alert: handshake_failure

Expected, if Tls.1.0 and 1.1 is disabled.

That

Android 8.1 - TLS 1.3 TLS_CHACHA20_POLY1305_SHA256 ECDH x25519 FS
Android 9.0 - TLS 1.3 TLS_CHACHA20_POLY1305_SHA256 ECDH x25519 FS

looks curious (the -), but it's possible to connect.

If you have seen the decode_error, looks like a "work in progress".

Checking my own domain (check-your-website.server-daten.de) with the SSL Labs server test, it's extremely slow:

261.194 seconds

Older check: 70 seconds.

There is an EC 384 and only Tls.1.2, no problem.


A long image I captured on google.com when I ran a fresh test. It indeed looks like it needs some time to


Yep, that looks bad. So it's not an individual problem of some websites if a Google-check shows that error.

Looks like it already has an issue on their GitHub.

Hi @JuergenAuer
I disabled TLS 1.3 and even cleared the cache with SSL Labs to do the check and confirmed it was disabled. This has not changed the Android 7 issue, so not sure what's happening. On the plus side I'm getting a totally different error message now.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.