Several sites unreachable with Android 4.4 since Chain Changes

Hi,

https://community.letsencrypt.org/t/understanding-dst-root-expiry-and-the-older-default-cert-chain/164681/3 claims

"I use an old Android device, what do I need to do? Nothing! We’re trying to ensure that this change is completely invisible to end-users."

Well, this seems not to work with my Android 4.4 phone. There are several sites with Let's Encrypt certificates that are unreachable since October, the perhaps most well-known being stackoverflow.com.

The thread https://community.letsencrypt.org/t/understanding-dst-root-expiry-and-the-older-default-cert-chain/164681/34 recommends "removing the DST root cert (2e5ac55d.0)", but I don't even have this certificate on my phone.

Is there any cure?

TIA

Manfred

Do you have examples of sites not working? And also please show the corresponding error message in Android, preferably with a screenshot.

It's possible that site operators have decided not to implement the Android pre-7.1 compatibility. I.e.: don't use the default certificate chain but intentionally chose the alternative chain.

Do you have the new ISRG root ca on the device? Else removing DST root alone wouldn't work.

Also the old DST root file name might be different on your device.

That should not be necessary if the server uses the default "Android compatibility" chain. Of course the DST Root CA X3 should be available to Android and not be deleted to retain that compatibility.

If the server indeed uses the non-default, alternative chain without the Android compatibility, then manually installing the ISRG Root X1 root certificate might indeed help.

Which browser and version are you using?

We recently learned that stackoverflow.com (and example given in original post) uses the long chain but only with proper SNI host name. Without that it sends a faulty cert. Someone was going to contact them but seems like a problem still

See

Can you test with these two sites on that device and see if you can get to them?

• https://helloworld.letsencrypt.org
• https://valid-isrgrootx1.letsencrypt.org

They're just intended for testing, whereas testing with something like stackoverflow might surface other problems. (Like I don't think Stack Overflow supports TLS 1.0, whereas I think old Android doesn't support TLS 1.2)

Another test site that might be helpful to see the output of:

• https://www.ssllabs.com/ssltest/viewMyClient.html

Well, that's very odd (and stupid).. Why would someone send an ancient certificate chain and expired end leaf certificate for non-SNI connections? (Rhetorical question.)

Also, Android 4.4 should support SNI. At least, the Android browser does, according to a random site I googled...

I'm able to use:
Chrome 81.0.4044.138
Android 4.4.2
to Stackoverflow without any problem

and @Osiris

Right, sorry. The thread I linked to was for a custom app not handling stackoverflow right and it was not doing SNI right (among other things).

It does behave odd for non-SNI (or wrong host name) but probably not cause here.

It might be if @FredFour runs ancient non-default browsers on his Android perhaps..

Actually the default "Internet browser" is the one giving the problem:

You have to use Chrome (or other non-default) browser.

But that's not a TLS issue, right?

Yes, TLS issue.
And also trust issue.

I can't tell from the error message in your screenshot, I've got to take your word for it. Looks like a closed lock in it.

Good catch. And, oh good grief. When will these failure permutations end - yikes.

Does that "default browser" work on https://helloworld.letsencrypt.org? I have a hunch that the issue with old devices like this is mainly about TLSv1.0 going away industry-wide, rather than anything root/trust related.

The default is sooo bad, I can't even connect to SSLLabs.com

But https://helloworld.letsencrypt.org/ works!

TLSv1.0 issue.

According to SSLLabs, Android 4.4.2 supports up to TLSv1.2: Qualys SSL Labs - Projects / User Agent Capabilities: Android 4.4.2