Trying to login from Riot Android app: "outdated TLS security protocol" error #141

Closed
jeromecc opened this issue Apr 19, 2019 · 12 comments
jeromecc commented Apr 19, 2019

Hi!

Thanks for this amazing playbook. Worked like a charm.

I just installed on medica.im with a fairly standard configuration (almost all default) on Ubuntu 18.04. I could create a user and connect through the server's riot.medica.im web interface.

Trying to login from the Android app (downloaded from the Playstore) gave me this error.

Your device is using an outdated TLS security protocol, vulnerable to attack, for your security you will not be able to connect

This is related to SSLHandshakeException in the riot-android code https://github.com/vector-im/riot-android/blob/a57581ca0d1e33a0a3cb9dbfce185fa50e9e6fc4/vector/src/main/java/im/vector/activity/LoginActivity.java

I will investigate further. I guess it has to do with the nginx TLS configuration.

I'm pretty sure it's not related to my phone because i reinstalled the app today and connection to matrix.org works seamlessly.

Thanks.

@aaronraimist (Contributor)

What version of Android? If you are using a fairly old version of Android it may not support modern TLS protocols.

@jeromecc (Author)

jeromecc commented Apr 19, 2019

Thing is, I can connect to my usual matrix.org account on this phone with the most recent version of the app. I am connected right now. Would it work with matrix.org and not with the server I just installed thanks to matrix-docker-ansible-deploy?
Android 4.4.2

So even though the error message talks about a "device", the original exception is just a vague TLS handshake exception. Logically it should come from the server. I updated my issue to mention that the OS is Ubuntu 18.04

@aaronraimist (Contributor)

Yeah that is quite an old version of Android. Matrix.org may support that but by default the playbook doesn't. You'll have to do research and determine what modifications you need to make if you want to use it with that version of Android but as the error says it is going to be less secure. element-hq/riot-android#1376 (comment) appears to have a working nginx config.

@jeromecc (Author)

element-hq/riot-android#1376 (comment) we found the same comment ;-) Thanks for your help, I guess I will add a few ciphers.

Maybe I could send a PR to update the docs to warn about this potential pitfall?

@aaronraimist (Contributor)

👍

@jeromecc (Author)

I realize my phone is old from a dev point of view, but according to Google it still represents 7.6% of the Android user base.
4.4 | KitKat | 19 | 7.6%
https://developer.android.com/about/dashboards

The riot-android app advertises "Requires Android 4.1 and up" on the Play Store. That is 10.6% of all Android users...

@jeromecc (Author)

Adding this in inventory/host_vars/matrix.medica.im/vars.yml
matrix_nginx_proxy_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
has solved my problem. I can log in to my server with the Android app on Android 4.4.2 (Samsung Galaxy Note 2 GT-N7100).

I didn't change the list of ciphers in the playbook code. I will test with cipher change only (without adding TLSv1).
Wouldn't it be great to make the cipher lists (inside roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2 but also matrix-riot-web.conf.j2, matrix-synapse.conf.j2 etc) configurable in the vars.yml file to facilitate tweaking for people who want to test on older Android versions?

@spantaleev (Owner)

Sure!
Making the cipher list configurable would be nice for this and other use cases.
We should still default it to something secure and useful to most people though.


I'm also thinking it might be useful to build a doc/faq.md document with various troubleshooting questions and answers like this:

Question: Logging in from an Android device gives me the following error: Your device is using an outdated TLS security protocol, vulnerable to attack, for your security you will not be able to connect

Answer: You're on an old version of Android which doesn't support the default TLS security settings configured by the playbook. Ideally, you would upgrade those old devices, so that they use a newer and more secure protocol. If you'd rather accommodate such old devices right now, at the expense of security for everyone else on your server, you can tweak the nginx protocol list like this (example): matrix_nginx_proxy_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

Various other questions (common and not so common) often come up and it would be useful to have them all answered somewhere like that.
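The FAQ answer above treats widening matrix_nginx_proxy_ssl_protocols as a last resort and suggests that, once you do, you should know exactly which rendered nginx directives now offer legacy versions. As an added example (not the playbook's code and not from this thread), here is a small Python linter that scans nginx configuration text for ssl_protocols directives that still enable SSLv3/TLSv1/TLSv1.1 and prints the hardened directive beside each. The two sample server blocks are constructed for illustration; they are assumed to resemble what the playbook templates render, not copied from them.

```python
"""Added example (not part of the playbook or this issue): find nginx
ssl_protocols directives that still enable legacy TLS versions."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Versions a modern deployment should not offer. TLSv1.2/TLSv1.3 is the
# baseline; anything below it is what the Riot client error is warning about.
LEGACY_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})
HARDENED_DIRECTIVE = "ssl_protocols TLSv1.2 TLSv1.3;"

# An uncommented ssl_protocols directive; the value list runs up to ';' and
# stops before any trailing '#' comment.
_DIRECTIVE_RE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;#]+);", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    line_no: int                # 1-based line of the directive
    protocols: Tuple[str, ...]  # everything the directive enables
    legacy: Tuple[str, ...]     # the subset that should be dropped


def parse_ssl_protocols(config_text: str) -> List[Tuple[int, List[str]]]:
    """Return (line_no, protocols) for every active ssl_protocols directive."""
    results = []
    for match in _DIRECTIVE_RE.finditer(config_text):
        line_no = config_text.count("\n", 0, match.start()) + 1
        results.append((line_no, match.group(1).split()))
    return results


def lint(config_text: str) -> List[Finding]:
    """Report every directive that enables at least one legacy version."""
    findings = []
    for line_no, protocols in parse_ssl_protocols(config_text):
        legacy = tuple(p for p in protocols if p in LEGACY_PROTOCOLS)
        if legacy:
            findings.append(Finding(line_no, tuple(protocols), legacy))
    return findings


def report(config_text: str) -> str:
    """Human-readable summary; an empty string means nothing to fix."""
    lines = []
    for f in lint(config_text):
        lines.append(
            f"line {f.line_no}: ssl_protocols {' '.join(f.protocols)}; "
            f"enables {', '.join(f.legacy)} -> replace with: {HARDENED_DIRECTIVE}"
        )
    return "\n".join(lines)


# Constructed samples (assumed shape, not the playbook's real templates):
# the secure default, and the workaround from this issue once rendered.
SAMPLE_DEFAULT = """\
server {
    listen 443 ssl;
    server_name matrix.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # commented out: not active
}
"""

SAMPLE_PERMISSIVE = """\
server {
    listen 443 ssl;
    server_name matrix.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  # accommodates Android 4.4
}
"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("permissive", SAMPLE_PERMISSIVE)):
        out = report(text)
        print(f"[{name}] " + (out if out else "no legacy TLS versions enabled"))
```

Run it over the output of `nginx -T` (or over the rendered files under the playbook's nginx config directory) rather than a single file, so every server block is covered: the version is negotiated before the client's SNI name has selected a server block, so on some nginx versions a permissive list in one block (notably the default server) can affect more than the vhost it sits in.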

@jeromecc (Author)

Thank you very much for your answer @spantaleev. I am writing the FAQ right now. Before I send the PR, could you explain "at the expense of security for everyone else on your server"? A new Android device supporting TLSv1.3 and running the official Riot Android app would connect with TLSv1 if the available protocols are "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"? Wouldn't it be considered a TLS downgrading bug? I would assume that the Java library or riot-android would choose the highest encryption security level available rather than the lowest one. Am I wrong?

I thought the lowering of security would only be for people who have an older device and of course for people communicating with them. You can argue that someone invited to an encrypted room with Android 4.4 would somewhat (metadata only I guess, because texts are encrypted with another protocol anyway) lower the security of the whole room (and all the participants), but are you sure it would lower the security for the whole server? Maybe we should file an issue with upstream? I was thinking about something like a warning attached to users who connect with lower than recommended ciphers/TLS protocols. This could be useful information for people participating in a sensitive conversation in an encrypted room. "We let you in there, but we tag you so that other people communicating with you understand that you could lower or endanger their privacy."

@aaronraimist (Contributor)

Prefixing this to say I am not a security expert but...

> I would assume that the Java library or riot-android would choose the highest encryption security level available rather than the lowest one.

Yes I assume it would however like you said, theoretically an attacker could MITM you by forcing your clients to connect with an old version of the TLS protocol, a downgrade attack, and then decrypt everything going to and from any client and your server using some flaw in an old version of TLS. This could affect everyone, not just the users running old versions.

For example see this article: https://p16.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack. I've quoted the most important part.

> All modern browsers support SSLv3 up to TLSv1.2, but will use the highest version supported by a server. A middleman cannot directly modify any packets sent in the handshake, but a middleman can intercept and drop certain packets. By tricking the browser into thinking that the server does not support a given version of SSL/TLS, an attacker can downgrade the negotiated version.

@jeromecc (Author)

jeromecc commented Apr 20, 2019

I am aware of past TLS 1.0 (and SSLv3) MITM vulnerabilities such as BEAST but there are no known vulnerabilities leading to MITM in the current version of TLSv1. So an attempt at MITM would trigger a bad certificate warning and be thwarted. That is why my configuration gets a decent A grade on SSL labs.
Of course, with my old phone that cannot be upgraded or even updated, it's another story (still, the 4.4.2 version is newer than BEAST, so I guess it has the patch).

There is a well-known software workaround to enable TLS 1.1 and TLS 1.2 on Android 4.1+. Do you know if riot-android is implementing it? It would solve all issues, because getting rid of 0.5% of Android users (<4.1) to improve the security of 99.5% of users seems like a very reasonable thing to do.

@aaronraimist (Contributor)

aaronraimist commented Jan 30, 2020

This issue can probably be closed. The TLS protocols are now configurable, but the default for the playbook is moving towards more modern versions of TLS. f18037a

4 participants