Android devices with DoT configured; interaction with new default chain

ishan · September 30, 2021, 4:39pm

My DoT server also uses Letsencrypt. DoT on Android 9/10/11 devices is broken right now.
I have tested on some samsung devices and lots of Poco/Redmi devices.

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ishanjain.me
verify return:1
---
Certificate chain
 0 s:CN = ishanjain.me
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVTCCBD2gAwIBAgISAzLY9S1SlUIgeJ7uK7CKjLDNMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTA5MzAxNDQyMjZaFw0yMTEyMjkxNDQyMjVaMBcxFTATBgNVBAMT
DGlzaGFuamFpbi5tZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMh
SyKvGCtadmYjjndhLLC+n9hbskbmTTP0+LFWWMTr61ViUeTio8mkATv4N/7emvRw
SwP+mYs3CXEjdy3lB94XwE2abTS0YcjFi6loJocmGExxuZUwoWP9eymkYQGOGKCS
SDFeovVQR6EHwLol4rEX/yvWTI56aRibNEGAThYOY9OrZH6SNJTlJw4yQh3A2M/I
uagCXc20iSGj4i1X5+ASaH1SIbbCQFa1gAKIdlMEgMBj57qvC92jxp4oPziku5Uh
ACcnbiv18KegiMsOXkOFZubyDykkNgC8W1ws48UTIm+73MxltiIQi5GQGBlZPftT
yg9l5yyTV6+bVzyLKzMCAwEAAaOCAn4wggJ6MA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUNjcYFWt2fONni2YDHOyVqFsBqZ4wHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA
5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu
by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w
TQYDVR0RBEYwRIIOKi5kbnMuaXNoYW4ucHeCCiouaXNoYW4ucHeCDiouaXNoYW5q
YWluLm1lgghpc2hhbi5wd4IMaXNoYW5qYWluLm1lMEwGA1UdIARFMEMwCAYGZ4EM
AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0
c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAXNxDkv7mq0VE
sV6a1FbmEDf71fpH3KFzlLJe5vbHDsoAAAF8N18EZQAABAMARzBFAiEA7s02NVlm
7dywJL5Vat/rJyxk7YJqEu02LAGVfmJjie0CIBVQgxagCeYFgcRp8WDHF/AjaZNl
vbvJCTQMKTkA0ovlAHcA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMA
AAF8N18EXQAABAMASDBGAiEAp3a9GM+xC6yPAu+H/A5ng7vv/C4zNj82zfPrSNP8
034CIQDw9j3T6lPADGrrCOHQSlmackQ4wOtj0f8T/2kS/kCEyDANBgkqhkiG9w0B
AQsFAAOCAQEAiiaV/7ZI7BHPz7ABj/8tOMCw/IHqnogFeOz0JM7LphI8a8r9qteP
oagzO4FVKcdXIhmGQpG3bX6XZAV1PeBN/ukR4sNMjrYD/aT35P1BWeHjglApLlW7
qywGE1wOzo+c5yjRIIJpFCTeqXf6rIqBijZcrPjY+1HQs3zgQLC13f5p3TAkm45K
MIDeODEZ12YASmWJe3HPL4oFV1e/XA6txKGoK0rm7TkiWBscsugw+jU+hRPpfirw
oZ7QZZHJygkTpO312N2FtHyawQf/8MSzNmSXgX0BYs80OCm3AWysguDdO7BKpnDA
cSro07jWl7LwpcCpz/JH2gGRJfdydAcabw==
-----END CERTIFICATE-----
subject=CN = ishanjain.me

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4605 bytes and written 378 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: 36D06AA4D6D55C354126026886B76A28F934A630A7C77F1F2183B217B00B0DA2
    Session-ID-ctx:
    Resumption PSK: 57B1BBAA214241845F17AF0610778ADE232B8308AEEF256BE64A9D1E37493264
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 23 d8 e3 1a c9 78 42 fc-17 74 b5 10 25 d7 8b ee   #....xB..t..%...
    0010 - 79 9f d3 0b 6a fb 9b 0e-fd 71 18 4c b6 ee 64 93   y...j....q.L..d.
    0020 - 92 2f 59 83 5b 11 f2 89-53 f4 f4 5f 6a fe fb 3a   ./Y.[...S.._j..:
    0030 - b8 f5 56 8f 52 5a 60 cd-8e 25 81 8a df 09 87 9c   ..V.RZ`..%......
    0040 - 03 85 43 ab ba b1 ba fb-54 b6 db 7b f8 1a 86 ef   ..C.....T..{....
    0050 - cf e5 85 97 2c 95 f3 77-99 1b f2 37 73 22 c1 6e   ....,..w...7s".n
    0060 - a4 63 93 cc 86 3e 23 29-93 a6 64 2d ca ed eb e3   .c...>#)..d-....
    0070 - 4e                                                N

    Start Time: 1633019911
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Topic		Replies	Views
Understanding DST Root expiry and the older default cert chain Help	36	3449	December 8, 2021
Certificate chain stopped working on older android devices Help	6	575	September 17, 2021
Cert Chain issue Help	5	479	May 26, 2023
Several sites unreachable with Android 4.4 since Chain Changes Help	34	5716	December 21, 2021
Reported 'expired certificate' when using DNS-over-tls on an android with letsencrypt cert Help	4	1520	July 29, 2022

Android devices with DoT configured; interaction with new default chain

Related topics