Warning: Android 7.0 clients (not browsers) can only use curve prime256v1

If anyone experiences trouble with Android 7.0 clients other than Chrome and Firefox which are shipped with their own TLS stacks: It appears that there is a regression in Android 7.0 (said to be fixed in 7.1.1 at least) where the only elliptic curve available from the system TLS stack is prime256v1.

This affects both the list of curves for ECDHE key handshake as well as the supported curves for the ECC key of the server. The former can be easily fixed on the server by enabling prime256v1 but the latter requires the generation of a new key that doesn’t use any stronger curve.

Note that while Chrome (also on Android) already supports curve x25519, even in Android 7.1.1 the only supported curves for apps using the system stack are old standard curves.

3 Likes

For the certificate, will it still fall back to the RSA certificate if the ECC certificate fails, assuming the server has both?

The server should ensure that it doesn’t present a certificate that doesn’t match the client’s limitations, so it should present an alternative RSA certificate. Remember that the limitation applies to any (START)TLS service, so IMAP, SMTP, XMPP … are all affected.
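The selection problem discussed in this thread, as an added Python example that is not part of any post above: it reads the curves a client offers from the `supported_groups` extension of a ClientHello and models what a server with a given ECDHE curve list and ECC key curve can still present. The ClientHello bytes are constructed samples, `server_outcome` is a hypothetical helper, and the model assumes server-preference ordering and ignores cipher suites and signature algorithms.

```python
import struct

# IANA TLS named-group IDs for the curves relevant to this thread.
GROUPS = {23: "prime256v1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}

def build_client_hello(group_ids):
    """Constructed sample: minimal TLS 1.2 ClientHello record offering group_ids."""
    glist = b"".join(struct.pack("!H", g) for g in group_ids)
    ext = struct.pack("!HHH", 10, len(glist) + 2, len(glist)) + glist
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + b"\x00\x04\xc0\x2b\xc0\x2f" + b"\x01\x00"  # 2 ECDHE suites, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def offered_curves(record):
    """Return curve names from the supported_groups extension (type 10)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                  # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher suites
    pos += 1 + record[pos]                  # compression methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == 10:                     # skip 2-byte list length, read 16-bit IDs
            ids = struct.unpack("!%dH" % ((len(data) - 2) // 2), data[2:])
            return [GROUPS.get(i, "group_%d" % i) for i in ids]
        pos += 4 + elen
    return []

def server_outcome(client_curves, ecdhe_curves, ecc_key_curve, has_rsa_cert):
    """Hypothetical helper: what a server with this setup can offer the client."""
    shared = [c for c in ecdhe_curves if c in client_curves]
    if not shared:
        return "handshake failure: no common ECDHE curve"
    if ecc_key_curve in client_curves:
        cert = "ECC certificate"
    elif has_rsa_cert:
        cert = "RSA certificate"
    else:
        return "handshake failure: no usable certificate"
    return "%s, ECDHE over %s" % (cert, shared[0])

ANDROID_7_0 = build_client_hello([23])      # constructed: system stack as described
CHROME = build_client_hello([29, 23, 24])   # constructed: app with its own TLS stack
```

Against the Android 7.0 sample, a server with a secp384r1 key only succeeds if prime256v1 is in its ECDHE list and an RSA certificate is available as a fallback.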
