On Fri, Aug 11, 2017 at 04:11:16PM +0200, Kurt Roeckx wrote:
> On Fri, Aug 11, 2017 at 01:34:53PM +0200, Sven Hartge wrote:
> > Marco d'Itri <m...@linux.it> wrote:
> > > On Aug 09, Sven Hartge <s...@svenhartge.de> wrote:
> > 
> > >> Looking at https://developer.android.com/about/dashboards/index.html
> > >> there is still a marketshare of ~25% of smartphones based on Android
> > >> 5.0 and 5.1 and 16% based on 4.4. So this change would (at the
> > >> moment) block ~40% of Android smartphones from connecting to any WLAN
> > >> using PEAP or TTLS.
> > 
> > > Android 5.x should support TLS 1.2:
> > > http://caniuse.com/#search=TLS
> > 
> > The Browser, yes. But not the components doing the WPA stuff:
> > 
> > ,----
> > | Aug 9 20:09:13 ds9 radiusd[4179992]: (12924) Login incorrect (eap_ttls:
> > TLS Alert write:fatal:protocol version): [owehxperia] (from client ap01
> > port 54 cli 30-39-26-xx-xx-xx)
> > | Aug 9 20:09:24 ds9 radiusd[4179992]: (12928) eap_ttls: ERROR: TLS Alert
> > write:fatal:protocol version
> > | Aug 9 20:09:24 ds9 radiusd[4179992]: tls: TLS_accept: Error in error
> > `----
> > 
> > Only recompiling openssl with TLS1.0 and TLS1.1 enabled allowed my phone
> > to connect successfully.
> 
> Any idea if this actually works with newer android phones?
> 
> Could someone report this to Google? I consider everything broken
> by this a security issue
You are working based on assumptions that are unfortunately not true.

Let me give you some data:

According to Google, as of today 9% of Android devices run Android
releases first released in 2012 or earlier that are no longer supported
by Google.[1]

According to Google, there are more than 2 billion active Android
devices.[2]

Do the math, and you end up at nearly 200 million devices running
Android releases no longer supported by Google.

Extrapolating the above numbers in the growing smartphone market, half
a billion active Android devices with the above WPA problem when buster
releases in mid-2019 might be a low estimate.[3]

> and hope that Google will fix it in all releases they still support.

An update from Google for an Android release does not automatically
result in firmware updates being available for all devices running
this Android release.

The situation regarding the speed of firmware updates, and whether they
are available at all, is bad for many high-end Android devices. And for
cheap Android devices there might be no updates available at all.

For many people in the first world and most people elsewhere even a
cheap € 100 smartphone is a major investment, not something that will
be thrown away after 2 years.

All this is a very unfortunate situation, but nothing Debian can change.

Everyone providing a service that is also used by Android phones
(e.g. webserver, wireless access point) faces the reality that a
significant share of the customers is using ancient Android releases
with a firmware that is several years old.

It doesn't matter whether something works with newer Android phones,
or what you consider a security issue.

The only thing you would achieve would be to force people to move away
from Debian to distributions that are still able to interact with
devices running ancient and highly insecure Android firmwares.
> Kurt

cu
Adrian

[1] https://developer.android.com/about/dashboards/index.html
[2] https://twitter.com/Google/status/864890655906070529
[3] this assumes all devices with Android < 6 are affected by this
    specific problem

-- 
       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
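As an added example, not part of the thread and not code from Debian, FreeRADIUS or OpenSSL: the log lines Sven quoted are what a RADIUS operator can use to measure the problem before the old TLS versions are actually dropped. The script below scans FreeRADIUS "Login incorrect" lines in that format for the "TLS Alert write:fatal:protocol version" reason and counts affected client MAC addresses, so the share of devices that would stop authenticating is known in advance rather than discovered from user complaints. The regular expression is an assumption about the log format derived from the quoted line, and the sample log lines and MAC addresses are constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Matches the "Login incorrect" line FreeRADIUS writes when the inner TLS
# handshake of PEAP/TTLS fails. The groups follow the wording of the line
# quoted in the thread; the pattern is an assumption written for this example.
LOGIN_INCORRECT = re.compile(
    r"radiusd\[\d+\]: \((?P<req>\d+)\) Login incorrect "
    r"\((?P<method>[\w-]+): (?P<reason>[^)]*)\): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<nas>\S+) port \d+ "
    r"cli (?P<mac>[0-9A-Fa-f-]{17})\)"
)

# The alert a server sends when the supplicant offered no TLS version it
# still accepts (here: a client limited to TLS 1.0/1.1 against a server
# built without them).
PROTOCOL_VERSION_ALERT = "TLS Alert write:fatal:protocol version"


class Failure(NamedTuple):
    request: int
    method: str
    user: str
    nas: str
    mac: str


def parse_protocol_version_failures(lines) -> List[Failure]:
    """One Failure per 'Login incorrect' line whose reason is the
    protocol-version alert. Unrelated failures (wrong password, etc.) and
    the follow-up ERROR / TLS_accept lines are ignored."""
    found = []
    for line in lines:
        m = LOGIN_INCORRECT.search(line)
        if m is None or PROTOCOL_VERSION_ALERT not in m.group("reason"):
            continue
        found.append(Failure(int(m.group("req")), m.group("method"),
                             m.group("user"), m.group("nas"), m.group("mac")))
    return found


def affected_clients(failures) -> Dict[str, int]:
    """Protocol-version failures per client MAC: each distinct key is a
    device that would be locked out once TLS 1.0/1.1 are disabled."""
    return dict(Counter(f.mac for f in failures))


# Constructed sample log lines in the format quoted in the thread (not a real
# capture): one device failing twice, a second device failing once via PEAP,
# one unrelated password failure and one successful login.
SAMPLE_LOG = [
    "Aug  9 20:09:13 ds9 radiusd[4179992]: (12924) Login incorrect (eap_ttls: "
    "TLS Alert write:fatal:protocol version): [owehxperia] "
    "(from client ap01 port 54 cli 30-39-26-aa-bb-cc)",
    "Aug  9 20:09:24 ds9 radiusd[4179992]: (12928) eap_ttls: ERROR: TLS Alert "
    "write:fatal:protocol version",
    "Aug  9 20:09:24 ds9 radiusd[4179992]: tls: TLS_accept: Error in error",
    "Aug  9 20:09:31 ds9 radiusd[4179992]: (12930) Login incorrect (eap_ttls: "
    "TLS Alert write:fatal:protocol version): [owehxperia] "
    "(from client ap01 port 54 cli 30-39-26-aa-bb-cc)",
    "Aug  9 20:10:02 ds9 radiusd[4179992]: (12941) Login incorrect (eap_peap: "
    "TLS Alert write:fatal:protocol version): [guest17] "
    "(from client ap02 port 3 cli 00-11-22-33-44-55)",
    "Aug  9 20:10:40 ds9 radiusd[4179992]: (12950) Login incorrect (mschap: "
    "MS-CHAP2-Response is incorrect): [bob] "
    "(from client ap01 port 12 cli de-ad-be-ef-00-01)",
    "Aug  9 20:11:05 ds9 radiusd[4179992]: (12955) Login OK: [alice] "
    "(from client ap01 port 7 cli 66-77-88-99-aa-bb)",
]


if __name__ == "__main__":
    failures = parse_protocol_version_failures(SAMPLE_LOG)
    for mac, count in sorted(affected_clients(failures).items()):
        users = sorted({f.user for f in failures if f.mac == mac})
        print(f"{mac}: {count} protocol-version failure(s), users {users}")
```

Run against a real radius.log the same way (`parse_protocol_version_failures(open("radius.log"))`); with the old protocol versions still enabled on the server the count should be zero, so the measurement is best taken on a test server built without TLS 1.0/1.1, or by comparing client TLS versions from a packet capture.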