SSL verification error

Hello, have a good day.
For almost a month now, some applications in Iran have apparently been having SSL problems.
If we disable the SSL verification function in Android, the application works.
I wanted to know whether you have stopped serving Iranians and .ir domains, because apparently some of your servers give errors in Iran.
Thank you for your reply.
Have a good day.


No. Please be specific about the errors you're seeing and the context in which they occur.


Hello,
Android applications in Iran have been giving SSL errors for some time.
When we put the site behind Cloudflare and use a Cloudflare certificate, the applications work.
When we use a Let's Encrypt certificate, the application does not work, but if we VPN to another country and use a non-Iranian IP, the application works fine.
This means that some Let's Encrypt servers have filtered Iranians.
If I disable the SSL verification part of the Android application, it works with an Iranian IP, which shows that when the application checks the certificate's validity, the servers drop the request.
Please check your firewall and server restrictions.
Thank you very much.


James asked for specific errors. Please provide error codes/messages and/or screenshots of the issues you're experiencing.

If you successfully got the certificates from LE — LE doesn't participate in the connections between your server(s) and client(s) anymore.


How come? A connection to a Let's Encrypt server is usually not required to access a site using a Let's Encrypt certificate, unless you have mandatory OCSP checking set in your app and the OCSP request is being blocked.

Please show the exact error message.


I tested this problem in an app built with React Native using the okhttp library, and for a month it has not been able to connect to the server. The application works only when we disable verification or when the site is placed behind Cloudflare.
Another app also no longer works on Android 8 phones. (It has been showing this problem for about 3 weeks and reports an SSL error.)
The software has not changed and no updates have been made; only the applications give SSL errors.

There is no problem in viewing the site on Windows.

The software does not produce any error that I can show you; it just won't connect to the server.
Can you see why there is no problem when I use a VPN and use the application with a non-Iranian IP?

Do you have an example URL to test?


https://lohedana.ir/

Have you blocked OCSP checking for Iranian software on some of your servers?

Disabling OCSP (Online Certificate Status Protocol) checks can indeed introduce security risks to your connection. OCSP is a mechanism used to verify the current status of a digital certificate, ensuring that it hasn't been revoked since it was issued. By disabling OCSP checks, you're essentially removing this layer of validation, which can expose you to potential security threats.

When OCSP checks are disabled, your application won't be able to verify whether a certificate has been revoked due to a compromise or other security issues. This means that even if a certificate has been compromised, your application would still trust it, potentially allowing attackers to intercept or manipulate your network traffic without detection.

It's important to note that while disabling OCSP checks might solve connectivity issues in the short term, it can significantly weaken the overall security posture of your application. Security experts often emphasize the importance of maintaining robust security measures, including OCSP checks, to ensure the integrity and confidentiality of your communications.

The fact that numerous individuals across different cities have reported this issue underscores its significance and widespread impact. It's crucial for developers to address such concerns while maintaining a balance between usability and security, ensuring that their applications remain both functional and resilient against potential threats.

@ebrahimi9005 , welcome to the community!

The site is serving a very old cross-signed intermediate certificate that is no longer in use. This certificate is very likely hardcoded in the web server configuration. You may wish to fix this first.

tumbleweed:~ # openssl s_client -connect lohedana.ir:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = lohedana.ir
verify return:1
---
Certificate chain
 0 s:CN = lohedana.ir
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 24 07:23:18 2024 GMT; NotAfter: May 24 07:23:17 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  7 19:21:40 2020 GMT; NotAfter: Sep 29 19:21:40 2021 GMT
---

Let's Encrypt is not going to be blocking your connections. The Iranian government has been actively blocking connections recently, though. You will see many recent topics in the Cloudflare Community from people unable to use Cloudflare Warp on Iranian networks. As long as the Iranian government continues to deliberately interfere with network traffic, there is little to nothing any outsiders can do to assist.

I'm not suggesting that you stop working with others here to better identify what is actually happening. I just want to set your expectations appropriately for the most likely outcome.


Are these two old?
padaapp.ir
www.ghbook.ir


It is using a Google certificate, not Let's Encrypt.

It is Let's Encrypt, and correctly configured.


Hi everyone,
I have installed the latest version of certbot, version 2.9, on a Debian Linux server.
Website: www.ghbook.ir

I checked the certificate of this site with the site below and got an A rating.
It also supports TLS 1.3.
https://www.ssllabs.com/ssltest/analyze.html?d=www.ghbook.ir&latest
The problem is that this site does not work on mobile phones with Android 6,
and Android applications have stopped working.
You can see the screenshots and certificate information attached.

Yes, this was announced last summer. Please see this blog post.


It's likely that your Android devices are not trusting the LE root cert (as they should):


The simplest fix is to try a different (ACME) CA for your certificates, one whose trusted root is available in the required versions of Android. I don't know which ones work where, so you would need to test, but your choices include ZeroSSL, Buypass Go and Google Trust Services.

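The stale cross-signed intermediate in the openssl output above and the missing-root problem behind the Android 6 reports are the same mechanism seen from two sides: a client accepts the server only if it can build a path from the served leaf, through the served intermediate, to a root that is already in its own trust store. The following Go program is an added example, not code from this thread or from Let's Encrypt. It builds a constructed stand-in PKI (placeholder CA names, self-generated keys, and the hypothetical hostname app.example) and runs Go's crypto/x509 verifier over the four combinations discussed here: the expired cross-signed R3 that lohedana.ir serves versus the R3 signed by the current root, and a client that trusts the current root versus an old device that only has the retired root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed stand-in PKI (not the real Let's Encrypt certificates): "Retired Root" plays DST Root CA X3, "Current Root" plays ISRG Root X1, R3 is one key with a certificate under each root.
type testPKI struct {
	retiredRoot, currentRoot, r3ByRetired, r3ByCurrent, leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues tmpl for pub under parent; a nil parent means a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

func buildPKI() *testPKI {
	now, year := time.Now(), 365*24*time.Hour
	retiredKey, currentKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	p := &testPKI{}
	// The retired root itself is kept valid so the only expired certificate is the cross-signed R3.
	p.retiredRoot = sign(caTemplate(1, "Retired Root", now.Add(-10*year), now.Add(year)), nil, &retiredKey.PublicKey, retiredKey)
	p.currentRoot = sign(caTemplate(2, "Current Root", now.Add(-5*year), now.Add(20*year)), nil, &currentKey.PublicKey, currentKey)
	p.r3ByRetired = sign(caTemplate(3, "R3", now.Add(-4*year), now.Add(-2*year)), p.retiredRoot, &r3Key.PublicKey, retiredKey) // expired
	p.r3ByCurrent = sign(caTemplate(4, "R3", now.Add(-4*year), now.Add(2*year)), p.currentRoot, &r3Key.PublicKey, currentKey)
	p.leaf = sign(&x509.Certificate{
		SerialNumber: big.NewInt(5),
		DNSNames:     []string{"app.example"}, // hypothetical hostname
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, p.r3ByCurrent, &leafKey.PublicKey, r3Key)
	return p
}

// verifyChain models a TLS client that received leaf+intermediate from the server and trusts only root.
func verifyChain(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "app.example", Roots: roots, Intermediates: inters})
	return err
}

// outcome reduces the verify error to a label; Go reports why a candidate issuer was rejected inside the "unknown authority" message, so the text is inspected.
func outcome(err error) string {
	switch {
	case err == nil:
		return "ok"
	case strings.Contains(err.Error(), "has expired"):
		return "expired-intermediate"
	case strings.Contains(err.Error(), "unknown authority"):
		return "no-path-to-trusted-root"
	}
	return err.Error()
}

// Scenarios reproduces the served-chain / client-trust-store combinations from the thread.
func Scenarios(p *testPKI) map[string]string {
	return map[string]string{
		"stale chain, client trusts current root":      outcome(verifyChain(p.leaf, p.r3ByRetired, p.currentRoot)),
		"stale chain, client trusts retired root":      outcome(verifyChain(p.leaf, p.r3ByRetired, p.retiredRoot)),
		"fixed chain, client trusts current root":      outcome(verifyChain(p.leaf, p.r3ByCurrent, p.currentRoot)),
		"fixed chain, old device without current root": outcome(verifyChain(p.leaf, p.r3ByCurrent, p.retiredRoot)),
	}
}

func main() { fmt.Println(Scenarios(buildPKI())) }
```

Run it with `go run`. The stale chain fails for every client because the served intermediate is expired, which is the part the site operator controls (serve the intermediate your ACME client was given, not a hardcoded copy). The fixed chain still fails for a device that lacks the current root, which is the Android 6 situation: nothing on the server side can create a path to a root the device does not have, so the remaining options are a CA whose root the device does trust, or a device update, as the replies above say. Disabling verification in the app "fixes" both cases only by removing the check entirely.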

Hello,
thanks for your answer.
I learned something from your reply:
devices before Android 7 have problems with your certificate.
There are two solutions:

  1. Notify customers with older Android versions to upgrade their phones
  2. Use another company's certificate so as not to lose my customers

Did I understand correctly?
