[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OpenSSL disables TLS 1.0 and 1.1

On Fri, Aug 11, 2017 at 04:11:16PM +0200, Kurt Roeckx wrote:
> On Fri, Aug 11, 2017 at 01:34:53PM +0200, Sven Hartge wrote:
> > Marco d'Itri <md@linux.it> wrote:
> > > On Aug 09, Sven Hartge <sven@svenhartge.de> wrote:
> > 
> > >> Looking at https://developer.android.com/about/dashboards/index.html
> > >> there is still a marketshare of ~25% of smartphones based on Android
> > >> 5.0 and 5.1 and 16% based on 4.4. So this change would (at the
> > >> moment) block ~40% of Android smartphones from connecting to any WLAN
> > >> using PEAP or TTLS.
> > 
> > > Android 5.x should support TLS 1.2:
> > > http://caniuse.com/#search=TLS
> > 
> > The Browser, yes. But not the components doing the WPA stuff:
> > 
> > ,----
> > | Aug  9 20:09:13 ds9 radiusd[4179992]: (12924) Login incorrect (eap_ttls: TLS Alert write:fatal:protocol version): [owehxperia] (from client ap01 port 54 cli 30-39-26-xx-xx-xx)
> > | Aug  9 20:09:24 ds9 radiusd[4179992]: (12928) eap_ttls: ERROR: TLS Alert write:fatal:protocol version
> > | Aug  9 20:09:24 ds9 radiusd[4179992]: tls: TLS_accept: Error in error
> > `----
> > 
> > Only recompiling openssl with TLS1.0 and TLS1.1 enabled allowed my phone
> > to connect successfully.
> Any idea if this actually works with newer android phones?
> Could someone report this to Google? I consider everything broken
> by this a security issue

You are working based on assumptions that are unfortunately not true.

Let me give you some data:

According to Google, as of today 9% of Android devices run Android
releases first released in 2012 or earlier that are no longer
supported by Google.[1]

According to Google, there are more than 2 billion active Android 

Do the math, and you end up at nearly 200 million devices running 
Android releases no longer supported by Google.

Extrapolating the above numbers in the growing smartphone market,
half a billion active Android devices with the above WPA problem
when buster releases in mid-2019 might be a low estimate.[3]

> and hope that Google will fix it in all releases they still support.

An update from Google for an Android release does not automatically 
result in firmware updates being available for all devices running
this Android release.

The situation regarding the speed of firmware updates, and whether they
are available at all, is bad for many high-end Android devices.

And for cheap Android devices there might be no updates available at all.

For many people in the first world and most people elsewhere even
a cheap € 100 smartphone is a major investment, not something that
will be thrown away after 2 years.

All this is a very unfortunate situation, but nothing Debian can change.

Everyone providing a service that is also used by Android phones
(e.g. webserver, wireless access point) faces the reality that
a significant share of the customers is using ancient Android
releases with a firmware that are several years old.

It doesn't matter whether something works with newer Android phones,
or what you consider a security issue.

The only thing you would achieve would be to force people to move
away from Debian to distributions that are still able to interact
with devices running ancient and highly insecure Android firmwares.

> Kurt


[1] https://developer.android.com/about/dashboards/index.html
[2] https://twitter.com/Google/status/864890655906070529
[3] this assumes all devices with Android < 6 are affected
    by this specific problem


       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to: