Missing support for TLS1.3

Good evening everybody,

I just was messing around with my nginx configuration to update it to support TLSv1.3.
With that I realised that my SFOS (currently running 3.3.0.16 on my xperia 10 plus) does NOT support TLSv1.3 and neither does alien-dalvik.
Is an update for that planned?

8 Likes

Gecko 52 should bring support for this. So the browser update coming soon ™ will provide support for it. As for the rest of the system, I have no clue to be honest. I think TLSv1.2 could come to AD but if 1.3 will be supported … we’ll see.

1 Like

TLSv1.2 should already be supported, at least apps & browsers do in both environments (ad and sfos) with my servers which only support TLSv1.2 and TLSv1.2.

TLSv1.3 is a must have, my own servers all run on TLSv1.3 already and any mobile device should support it asap.

OpenSSL version 1.0.2o shipped with SFOS 3.4.0.24 does not support TLS v1.3.
Hopefully 1.1.1+ will be shipped with the next SFOS version.

I guess this is a good sign in this direction

2 Likes

Here was a recent (official) update to that topic, see bullet point 4)

3 Likes

@fridlmue thx for the hint! note to myself: should read meeting logs

1 Like

I just updated to Sailfish OS 4.0.1, however Telepathy/XMPP still tries to use TLS1.0?

Feb 04 21:11:36 tension [3319]: [W] unknown:0 - tp-qt 0.9.8 WARN: Nested PendingReady for true failed with "org.freedesktop.Telepathy.Error.NetworkError" : "WOCKY_CONNECTOR_ERROR_TLS_SESSION_FAILED (#7): TLS handshake error: Handshake failed: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version"

:frowning_face:

1 Like

hm, I like that it is posted but do not like the post. I cannot get online via xmpp too (against Prosody)

Same error here.
As a quick and dirty workaround I removed telepathy-gabble (pkcon remove telepathy-gabble) and installed the telepathy-gabble-plus package from openrepos. This way I got back a working xmpp until the normal telepathy-gabble package gets fixed.

2 Likes

Thanks for flagging this up with the error message @paulvt. I’ve logged it as a bug internally.

1 Like

Yeah, I couldn’t get it installed for some reason (I use noonien’s openrepos repo), but after manually installing telepathy-gabble and installing telepathy-gabble-plus it works again, great! (I don’t recall having to do that uninstall before.)

I have the same case that SFOS cannot connect to ejabberd after upgrade to SF 4.0.x. Through all SF upgrade cycles from 1.x to 3.x XMPP worked fine. After upgrade to 4.0.x I only see these errors in ejabberd log:

Failed to secure c2s connection: TLS failed: SSL_do_handshake failed: error:somenumber:SSL routines:tls_early_post_process_client_hello:unsupported protocol

Thought that I’d try your workaround.

But how did you manage to “pkcon remove telepathy-gabble”? In my case (running as root) it ends up with Fatal error: this request will destroy your system (my free translation).

I didn’t get any errors. Not sure what I did differently. Maybe it’s that I first tried to install telepathy-gabble-plus through storeman and only after this failed I tried to remove the telepathy-gabble by hand. If I remember correctly the remove command not only removed the telepathy-gabble. It also finished the failed installation of telepathy-gabble-plus. Maybe I got no error message because pkcon substituted the missing dependencies from the telepathy-gabble with the telepathy-gabble-plus dependencies because I already had the repository active and had tried to install the package, which was blocked by the installed telepathy-gabble.
But this is a bit of speculation on my side.

Another day, another attempt! This time the removal of telepathy-gabble worked and the installation of telepathy-gabble-plus thereafter was possible. Immediately the XMPP connection to ejabberd was picked up and held messages started to flow in. Thanks!
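
An added example (not written by any poster in this thread, nor taken from Sailfish OS or OpenSSL code): the two OpenSSL error strings quoted above, from the Telepathy client log and the ejabberd server log, decoded to show which side of the handshake raised each error. It assumes the OpenSSL 1.0.x/1.1.x error-string layout seen in those logs; the function and field names are hypothetical.

```python
import re

# Log excerpts copied from the posts above (the ejabberd code was elided by its poster).
CLIENT_LOG = ('TLS handshake error: Handshake failed: error:1409442E:SSL routines:'
              'ssl3_read_bytes:tlsv1 alert protocol version"')
SERVER_LOG = ("SSL_do_handshake failed: error:somenumber:SSL routines:"
              "tls_early_post_process_client_hello:unsupported protocol")

# error:<hex code>:<library>:<function>:<reason text>  (1.0.x/1.1.x string format)
ERR_RE = re.compile(r'error:([^:\s]+):([^:]+):([^:]+):([^"\n]+)')
SSL_AD_REASON_OFFSET = 1000  # OpenSSL: reason >= 1000 means an alert received from the peer
# TLS alert descriptions (RFC 5246 / RFC 7507), subset relevant to version negotiation
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          71: "insufficient_security", 86: "inappropriate_fallback"}


def decode(line):
    """Describe the first OpenSSL error string in a log line, or return None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code, lib, func, reason = (g.strip() for g in m.groups())
    info = {"lib": lib, "func": func, "reason": reason,
            "alert": None, "origin": "local"}
    try:
        packed = int(code, 16)
    except ValueError:
        # Code elided or mangled in the log: fall back to the reason text only.
        if "alert" in reason:
            info["origin"] = "peer"
        return info
    # 1.0.x/1.1.x packing: 8 bits library, 12 bits function, 12 bits reason.
    info["lib_num"] = (packed >> 24) & 0xFF
    info["func_num"] = (packed >> 12) & 0xFFF
    info["reason_num"] = packed & 0xFFF
    if info["reason_num"] >= SSL_AD_REASON_OFFSET:
        info["origin"] = "peer"
        number = info["reason_num"] - SSL_AD_REASON_OFFSET
        info["alert"] = ALERTS.get(number, "alert %d" % number)
    return info


if __name__ == "__main__":
    for name, line in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        print(name, decode(line))
```

The client-side code decodes to a `protocol_version` alert sent by the peer, while the server-side `unsupported protocol` is raised locally while processing the ClientHello, so both logs point to the server refusing the protocol version the client offered.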