When I inspect the certificate chain for these failing hosts in a desktop browser, they appear identical to the X1 test site (using the R3 intermediate certificate). I'd like to understand what I need to do to make these work, as well.
Even more odd, the tests that fail are run by this sample app, which performs a simple GET request using URL.openConnection() in Java. However, these URLs do load in a WebView.. which, I believe, uses the same central key store.
Ultimately, I'd like to get these failing hosts to work in this sample app.. because a fix here will be applied to other/larger apps that are displaying the same networking behavior.
Please.. no trolls.. telling me that Android 4.x is too old. I always like my apps to support as many devices as possible. This should not only be possible, but it should be simple.. I just feel that I'm missing something obvious.
Others may wish to comment in more detail. But, I think you should review the below two topics to better understand the Let's Encrypt support for older Android and upcoming changes in that regard.
Pay special attention to this section and the related links on that page.
DST Root CA X3 will expire on September 30, 2021. That means those older devices that don’t trust ISRG Root X1 will start getting certificate warnings when visiting sites that use Let’s Encrypt certificates. There’s one important exception: older Android devices that don’t trust ISRG Root X1 will continue to work with Let’s Encrypt, thanks to a special cross-sign from DST Root CA X3 that extends past that root’s expiration. This exception only works for Android.
The DST cross-sign is expiring this year. The topic below explains this.
Thanks for the reply. My understanding is that any cross-signed solution has either already expired or is bound to expire in the near future. Are you suggesting that installing the self-signed root X1 and X2 is not a viable path forward? It seems to work fine on my 4.4 test device.. with the caveats described.. that I'm attempting to fix.
Another quick observation that I find confusing.. is that unless I'm going blind.. I don't see either of the X1 or X2 root certificates included in the current Android source code repo. I assume they would be included in modern Android.. but where are they?
update: never mind.. my search query was wrong.. they are included (X1 and X2)
update: since I'm rooted and I don't really care about this device.. here is a test that I just did:
removed all user-added certificates
which allowed me to remove the lock screen PIN
mounted /system for read/write
backed up the contents of the directory: /etc/security/cacerts
I think you're probably right. That last test.. where gitlab works (X2) but letsencrypt fails (X1) indicates that this is the problem. But.. the part that's confusing is.. why would the X1 test page work on this device?
update: I just checked the certificates page again to confirm.. but our assertion is wrong.. turns out that:
IIRC, that version only does ECDH with servers that have an ECDSA cert.
As plain DH is mostly deprecated (because of Logjam or so), if the server is using an RSA cert without a static cipher, it will fail.
This is off the top of my head, so it may not be right.
Hi @wb407,
I just installed these two Root Certificates
ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) * Self-signed: der, pem, txt
and
ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2) * Self-signed: der, pem, txt
On my Verizon Motorola DROID MAXX
Android version 4.4.4
System version 24.21.7.obake-maxx0_verizon.Verizon.en.US
Android security patch level 2016-04-01
Kernel version 3.4.42-g2730d20 hudsoncom@ilclbld35 #1 Sat Apr 16 01:02:35 CDT 2016
Build date: Sat Apr 16 00:51:01 CDT 2016
Build number: SU6-7.7
And these all work fine from Android version 4.4.4 Chrome 37.0.2062.117
Hi @Bruce5051,
I appreciate your taking the time to test this yourself.
The issue that I described didn't seem to affect WebView (or Chrome) web browsers, which was a mystery.. and I've since found a few obscure discussions on this topic, which can all be summarized here.
Long story short.. WebView (and Chrome) somehow support more cipher suites than the native Android OS. SSL Labs only reports which ciphers WebView supports, which is a bit deceptive (imho).
In any case, the hosts that I list which fail tests with v2.x will now pass with v3.x.. because v3.0 includes Conscrypt v2.5.2, which adds support for many modern cipher suites that Android 4.x does not natively support.
It would be nice if this wasn't necessary, but it's a very reasonable compromise to guarantee support for older devices.
Since this is a forum about Let's Encrypt and its certificates, I'll conclude/close this thread.. because the issue wasn't caused by the certificates, but rather by hosts requiring a limited set of cipher suites.. that older devices don't directly support.
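As an added illustration (not the thread's sample app or Conscrypt's own code), the following Java snippet shows how an app running on Android 4.x can register the standalone Conscrypt provider ahead of the platform TLS stack so that a plain URL.openConnection() GET negotiates the same modern cipher suites WebView already does. It assumes the org.conscrypt:conscrypt-android dependency is on the classpath, and the target URL is a placeholder; trust decisions still come from the device's certificate store, so ISRG Root X1 must already be trusted there.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import org.conscrypt.Conscrypt;

public class ConscryptProbe {

    // Cipher suites the currently preferred TLS provider will offer in ClientHello.
    // On stock Android 4.x this list lacks most AEAD / ECDHE-RSA suites.
    static String[] defaultSuites() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // null = platform default key/trust managers
        return ctx.getSocketFactory().getDefaultCipherSuites();
    }

    // Put Conscrypt first in the provider list so SSLContext.getInstance("TLS")
    // resolves to it. Call once, early (e.g. Application.onCreate()).
    static void installConscrypt() throws Exception {
        Security.insertProviderAt(Conscrypt.newProvider(), 1);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // still validates against the device trust store
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // The same simple GET the thread's sample app performs.
    static int fetch(String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod("GET");
        try (InputStream in = c.getInputStream()) { /* drain body */ }
        return c.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        String target = "https://example.invalid/"; // placeholder, not a real host
        System.out.println("platform suites: " + Arrays.toString(defaultSuites()));
        try {
            System.out.println("platform GET: HTTP " + fetch(target));
        } catch (Exception e) {
            // Typical symptom on 4.x: SSLHandshakeException with no shared cipher
            System.out.println("platform GET failed: " + e);
        }
        installConscrypt();
        System.out.println("conscrypt suites: " + Arrays.toString(defaultSuites()));
        System.out.println("conscrypt GET: HTTP " + fetch(target));
    }
}
```

Comparing the two suite lists against the server's SSL Labs report is the quickest way to confirm a handshake failure is a cipher-suite mismatch rather than a trust-chain problem.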