On Tue, Dec 21, 2021 at 03:00:27PM +0100, Diederik de Haas wrote:
> On Monday, 20 December 2021 23:32:57 CET A. F. Cano wrote:
> > > FreedomBox 21.9 (2021-09-18) removed support for SSLv3, TLSv1 and
> > > TLSv1.1.
> > >
> > > https://wiki.debian.org/FreedomBox/ReleaseNotes#FreedomBox_21.9_.282021-09-18.29
> > >
> > > After upgrading to 21.9, I also found my tt-rss Android client
> > > (1.301-fdroid) stopped working (SSLProtocolException:SSL handshake) on my
> > > old phone frozen in time at Android 4.3. I think older phones stuck at
> > > older versions of Android are just out of luck.
> >
> > Well, that explains it. Thanks for clarifying.
>
> https://salsa.debian.org/freedombox-team/freedombox/-/commit/956b17da062715990024684be6c969c4e40d21c7
> is the commit where that happened.
>
> You _could_ remove "-TLSv1.1" from the SSLProtocol line (39), but do realize

You answered my question before I even got to ask it! I replaced the line:

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

with

    SSLProtocol all

But nothing changed, even after:

    /etc/init.d/apache2 restart
    /etc/init.d/uwsgi restart
    /etc/init.d/apache-htcacheclean restart
    /etc/init.d/apache2 reload

Not even after a full reboot. I'm still getting the same SSL errors and
the output of the tests from ssllabs.com still gives me an A+ with the
same results.

The only other reference I found to SSL security is in freedombox.conf:

    # Disable ciphers that are weak or without forward secrecy.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

But I have no idea what to do with this. Should I just comment it? Or
should certain cyphers be added or removed? Which ones?

> that if you do that, you ARE compromising the security of your freedombox!
> (which you can verify by doing another test at ssllabs.com)

Understood. I only want to connect once successfully so I can load my
addressbook/calendar/todo list on the "new" phone so I have something
usable while I upgrade the old one.

> I agree with the freedombox decision to disable TLSv1.1* and lower by default
> and if you decide to change the configuration, only do it as a temporary
> thing to give you some extra time to upgrade your phone's OS, after which
> you should disable TLSv1.1 again.

Absolutely.

> > Disappointing, as radicale was working quite nicely.
>
> I understand it's inconvenient, but what it actually showed you is that the
> security of your phone's OS is bad.
> From https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0 :
> "In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced
> they would deprecate TLS 1.0 and 1.1 in March 2020."
> There's a good chance various things already stopped working for you and
> it'll only get 'worse' for you, but better for security, over time.

This "new" phone is so locked up that I don't think it can even be
rooted (Samsung Galaxy mega GT-I9152) but the old one (Galaxy S SGH-T959)
is already rooted and newer versions of LineageOS are available, so
I'll upgrade it.

> HTH
>
> *) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982745

Thank you very much for taking the time to reply. I learned something
very useful.

Augustine
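Added example, not part of the original message: the SSLCipherSuite value quoted above constrains protocol versions independently of SSLProtocol, because OpenSSL assigns every cipher suite a minimum TLS version. This Python sketch (function names are illustrative; it assumes a Python linked against OpenSSL 1.1.1 or later) lists that minimum for each suite, so an administrator can see which directive is actually enforcing the TLS 1.2 floor.

```python
import ssl

# SSLCipherSuite value quoted from freedombox.conf in the message above.
FREEDOMBOX_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# Labels OpenSSL uses for suites that may be negotiated before TLS 1.2.
LEGACY_LABELS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def min_protocol_by_suite(cipher_string):
    """Map each suite enabled by cipher_string to the lowest protocol
    version in which OpenSSL allows it to be negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def legacy_capable(cipher_string):
    """Return the suites a TLS 1.0/1.1-only client could negotiate."""
    suites = min_protocol_by_suite(cipher_string)
    return sorted(n for n, proto in suites.items() if proto in LEGACY_LABELS)


if __name__ == "__main__":
    for name, proto in sorted(min_protocol_by_suite(FREEDOMBOX_CIPHERS).items()):
        print(f"{proto:8} {name}")
    # An empty list means the cipher list alone rules out TLS 1.0/1.1,
    # whatever SSLProtocol says.
    print("usable below TLS 1.2:", legacy_capable(FREEDOMBOX_CIPHERS))
```

Every suite in the quoted list is an AEAD suite (GCM or ChaCha20-Poly1305), which exists only from TLS 1.2 onward, so the list reports nothing usable below TLS 1.2.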