Several sites unreachable with Android 4.4 since Chain Changes

I can reach SSLLabs.com when using Chrome.
But not with the "default Internet browser".

3 Likes

No issue with the Google Android 4.4.2 Android Studio emulator image:

Sure, it looks terrible, but no TLS problems.

3 Likes

Yup, the default Android browser on real-world 4.4 builds will only support TLSv1.0.

Well this depends. If you look at official documentation - SSLSocket | Android Developers - we can see that Android 4.4 does support TLSv1.2 in the underlying BoringSSL implementation, but it's not enabled by default - the app has to request it explicitly in case it uses the Android glue-code. The default browser doesn't do this and is thus limited to TLSv1.0.

The first Android version that had TLSv1.2 enabled by default is 4.4W (Android Wear).

The emulators are inaccurate here. I've experienced this in the past while debugging broken BoringSSL builds present in Android 7.0. It appears that the emulator uses different BoringSSL binaries and/or glue code under the hood here and therefore does not represent real-world devices in this regard.

6 Likes

Circling back @FredFour

As you see, there has been much technical discussion. Getting back to your original request - can you describe which browser and version you are using? You were asked this by @rg305 back in post #5 but understandably that may have gotten lost since then.

I will try to recap some key points ... Rudy found the default "Internet Browser" on his old Android device did not work for stackoverflow and others. But, it was not related to certs but that this browser only uses a very old version of a communications protocol (TLS v1.0) which is not often supported by websites today. He did find that using Chrome allowed access to the same websites that the Android "Internet Browser" did not (since Chrome does support modern-day TLS versions).

This is why it is important for us to understand how you are trying to connect to these sites. It may appear like one problem when it is actually something else. There may also be certificate issues with some sites (not stackoverflow though) but we won't know without further details from you.

Knowing your browser, version, and a clear description of the error would be very helpful. A couple more websites that are problems for you would also be helpful. Thanks

3 Likes

Hello everybody,

I'm a bit overwhelmed by the flood of postings I caused with my question.

Ok, here we go:

  1. I normally use firefox 49.0.

  2. https://helloworld.letsencrypt.org and https://valid-isrgrootx1.letsencrypt.org are ok in the Android browser, fail with "expired certificate" on firefox. Perhaps looking for a newer (but Android 4.4-compatible!) firefox might help here, however:

  3. https://stackoverflow.com fails on both browsers ("expired certificate" on firefox, "SSL connection error" on Android browser), two other examples that do the same are https://tauschen-in-koeln.de, https://iris.noncd.db.de/wbt/js/index.html?bhf=8011160.

I have installed ISRG Root X1 as a user certificate. I do not find DST Root CA X3, only DST ACES CA X6. Perhaps reinstalling DST Root CA X3 (from where?) might do some good?

Thanks a lot for all your efforts!

Manfred

3 Likes

Firefox on all platforms brings its own root store, so it likely doesn't have ISRG X1 in its root store? (IIRC Android Firefox doesn't have an ESR version, right?)

3 Likes

That's the likely issue. Firefox both uses its own verifier and ships its own trust store.

Based on the certificate compatibility page, ISRG Root X1 is included in Mozilla Firefox >= 50.0, so that Firefox is likely too old to have it. As it uses a different verifier, it can't use the standard compatibility extension we use on Android.

Manually installing certificates also has no effect, again because Firefox doesn't care about the platform trust store. On Firefox Desktop you can manually install certificates into Firefox, but that option doesn't seem to exist on mobile.

I highly recommend upgrading that Firefox, which will both fix the compatibility issue and significantly improve security.

PS: It looks like recent Firefox versions require Android 5 and up. But you should be able to install at least Firefox 60+.

5 Likes

OR
Try using the Chrome browser.

2 Likes

Hello Orangepizza & Nummer378,

yes, Firefox 60 can access all the sites mentioned. This is what we all hoped, and perhaps to test this might have helped to shed some light, but it isn't the crucial point.

In fact, I must get Android, not Firefox, to accept Let's Encrypt certificates. Specifically the certificate of iris.noncd.db.de. The reason for this is that I use a timetable app (called Bahnhoftafel) that gets its data from iris.noncd.db.de; most probably the app displays that data just by opening the corresponding web page using the engine of the built-in Android browser.

Sorry for the bad news...

1 Like

Well you've already answered that:

Checking iris.noncd.db.de, it rather looks like that server does not support TLSv1.0. The app you're using must explicitly enable TLSv1.2 in Android 4.4, otherwise it won't be able to connect.

So I don't think this is a certificate issue, but rather an issue with the app not being configured to enable TLSv1.2 (on old Androids). You could try contacting the developers about this.

[Also, even if it were a certificate issue, this would likely also be something that they would have to fix (by manually specifying trust anchors in their app).]

5 Likes

You could try speaking to the operators of iris.noncd.db.de to see if they can turn TLSv1.0 back on [highly unlikely].
OR
You could also try inserting a proxy-in-the-middle [one that you can operate yourself] to handle the TLSv1 to TLSv1.2 requirement mismatch.

3 Likes

Checking iris.noncd.db.de, it rather looks like that server does not support TLSv1.0. The app you're using must explicitly enable TLSv1.2 in Android 4.4, otherwise it won't be able to connect.

So I don't think this is a certificate issue, but rather an issue with the app not being configured to enable TLSv1.2 (on old Androids). You could try contacting the developers about this.

Well, since the Android browser cannot access iris.noncd.db.de and as mentioned the app probably just hands a url over to this browser, it's probably not the app but the browser that has to be configured for TLS 1.2, which Google surely won't do for me. Looks like I'm out of luck. (Besides the proxy proposed by rg305.)

Can you say anything about my third example site, https://tauschen-in-koeln.de? TLS 1.2, too?

Thanks a lot!

2 Likes

Even if the app uses a webview, it may be able to patch that up locally by patching the local Provider (this may or may not work though...). It's true that this will only affect the local app process (as opposed to a system-wide setting), but unless your app opens an external app, that's fine (an external app would appear as an independent activity). Apps that want to display a webpage without rendering it themselves normally use a webview, which is not an external app. However I have doubts that this is the case here, as the given server is likely just an API (where a webview would be useless), so the app most likely just talks https via one of the many APIs available. OkHttp for example explicitly allows us to configure this.

You can check all websites you like via one of the many (great) online tools available, for example SSLLabs. As per the latest scan result, that server supports TLSv1.2 and TLSv1.3 only.

This is common nowadays, as TLSv1.0 is legacy (published in 1999) with many known weaknesses. Industry standards recommend or mandate turning this off, and TLSv1.0 (and 1.1) is constantly fading away.

5 Likes

Yes, I know this website, but since I'm not familiar with this SSL stuff, I'm easily getting confused by what I find there. For example, https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2 tells me that Android 4.4.2 does support TLS 1.2, whereas I learn from you that it must be explicitly enabled...

1 Like
