Old Google phone
Colin Ferris (399) 1814 posts |
Using an old Google phone for backup. Doesn’t seem to like Rick’s site also Rcomp. Error ArtWorks, Icon Bar, CJE Rool Ok. Any ideas Tks |
Stuart Swales (8827) 1357 posts |
The RComp server seems to only support https connections using TLS 1.2 – is your phone that old? [Edit: As does Rick’s site. Peruse https://www.ssllabs.com/ssltest] |
Rick Murray (539) 13840 posts |
My iPad Mini (iOS 7) doesn’t work on my site either. It’s not so much the TLS version (which may be technically supported), it’s the lack of SNI (which is something I asked to have added to AcornSSL). If you’re using a version of Android old enough that it doesn’t support this, you probably ought not put it online at all. What’s the Android version and the date of the most recent security update? (Settings → About phone (or somesuch)) |
Steve Pampling (1551) 8170 posts |
Sometimes old is less vulnerable – there’s a feature in recent (years) Java that isn’t there in older versions (that certain[1] manufacturers hang on to using). Because the feature isn’t in the older versions, they don’t have the vulnerability.[2] The feature in those newer versions is causing a bit of mayhem right now.
[1] OK, you guessed many are medical.
[2] Plenty of other unfixed bugs, but not a drop-your-kecks-and-bend-over vulnerability. |
Dave Higton (1515) 3526 posts |
I’ve just looked, and the AcornSSL source here has SNI enabled, I think – and I don’t think I changed it. How do we test to see whether it works? |
Dave Higton (1515) 3526 posts |
I don’t understand what is deficient (with one exception, next paragraph) or what, if anything, is being asked for. I’ve just successfully fetched the sites https://rcomp.co.uk and https://heyrick.eu/index.html with a noddy BASIC app in a TaskWindow, which calls the Acorn URL module, which in turn calls AcornSSL to do https fetches. A Wiresalmon capture confirms that TLS 1.2 is being used; the fetches are not downgraded to http. There is no prospect of AcornSSL using TLS 1.3 until mbedTLS does, and that’s work in progress, which will change its API and therefore require some time for AcornSSL to catch up. So TLS 1.3 is the known deficiency. |
Rick Murray (539) 13840 posts |
So… generic response… There are two potential problems. The first, as mentioned, is that older devices (before Android 4, but third party software may differ) do not support SNI. That’s a mechanism that allows multiple certificates to apply to one IP address and for the device to be able to select the correct certificate for the site in question. This is essential as most smaller sites share IP addresses (one actual server, many sites). The second problem is that the trusted root data may not be sufficiently up to date. It seems to me the older builds of Android simply never seem to update this, so while it can work with new certificates, it will have certificate issuers that are completely unknown to it. One of my older Android phones has no idea about Let’s Encrypt, and no SNI, which makes it pretty useless these days.
Easy. My site. Shared IP, requires SNI. It works. |
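As an added illustration of the SNI point discussed above (not code from any poster or from AcornSSL): a Python parser that reads a captured TLS ClientHello record and reports the version field and whether a server_name extension is present, which is one way to confirm from a packet capture that a client sends SNI. The function names and the two sample records are constructed for this example.

```python
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)
# ClientHello.client_version values; TLS 1.3 clients also send 0x0303 here
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record):
    """Return the client_version field and the SNI hostname (None if absent)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        version = struct.unpack_from("!H", body, 0)[0]
        pos = 2 + 32                                       # version + random
        pos += 1 + body[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        sni = None
        if pos + 2 <= len(body):                           # extensions are optional
            end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", body, pos)
                data = body[pos + 4:pos + 4 + ext_len]
                # data: u16 list length, u8 name_type (0 = host_name), u16 length, name
                if ext_type == SNI_EXT and len(data) >= 5 and data[2] == 0:
                    name_len = struct.unpack_from("!H", data, 3)[0]
                    sni = data[5:5 + name_len].decode("ascii")
                pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"version": VERSIONS.get(version, hex(version)), "sni": sni}

def sample_client_hello(version, hostname=None):
    """Constructed input: a minimal ClientHello record, not a real capture."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, no session
            + b"\x00\x02\xc0\x2f" + b"\x01\x00")              # one cipher suite, null compression
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for label, rec in [("TLS 1.2 with SNI", sample_client_hello(0x0303, "heyrick.eu")),
                       ("TLS 1.0 without SNI", sample_client_hello(0x0301))]:
        print(label, "->", parse_client_hello(rec))
```

To use it on real traffic, pass the bytes of the first TLS record the client sends, as exported from a packet capture.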
Colin Ferris (399) 1814 posts |
I started this thread – not Dave H. Android 4.3. Have been using the Phone out on the Cliffs – signal can be weak – browser has a handy feature – stopping downloading of pictures. Seems strange that the ‘Armbok’ site works but not ‘RComp’. |
Rick Murray (539) 13840 posts |
Yeah… Shouldn’t write messages before my third morning tea… :-/
Do you mean this? https://www.riscoscomputers.co.uk/
That will probably fail on most modern sites. As far as I’m aware, TLS 1.2 came in something around Android 4.4.something, and was mainstream for Android 5. Though third party browsers may do things differently.
On my (more powerful) device, I use Firefox 60 (before they screwed up the plugins). Images over 128k are blocked (tap to fetch), cookies auto deleted, third party scripts blocked… you’d be surprised how slick it is, and how awful it is for those few sites that don’t play well with an older Firefox so need to be seen on Chrome, which even with the blocking turned on is still festooned with adverts, pop-ups, hundreds of kilobytes of JavaScript pulled in from god knows where, and freaking autoplay videos that are about an inch and a half in size. |
Dave Higton (1515) 3526 posts |
I should clarify that my interest is in AcornSSL. Why was it mentioned? What’s the story? Was SNI not in some earlier versions, and added in later? ’cos it seems to work now. |
Rick Murray (539) 13840 posts |
I think it was in the case of “my phone doesn’t work but RISC OS does!?” without entirely realising that the RISC OS crypto sockets stuff is newer than most domestic devices being sold right now (it is based upon the current mbedTLS stuff). So while RISC OS may do a lot of things in a thirty year old way, it does TLS all shiny and modern. ;-) Android 4.3, on the other hand, is eight years old. That’s an eternity in a world where software is considered horribly out of date if it’s eight months old.
I don’t have the first versions to hand to check, so I’m not sure if SetSessionHost was added (fairly early on) or if it was there but nobody really knew about this new SWI. The documentation of this SWI was updated in an early release. |
Dave Higton (1515) 3526 posts |
Ah, thanks – though not actually a SWI, but a socket option, SO_ACORNSSL_HOSTNAME? |
Herbert zur Nedden (92) 37 posts |
Android 4.3 – you might want to ask Google how to enable TLSv1.2 on that oldie… there is quite a bit on that topic to be found it seems. I can’t assist with this since I do not use Android for the simple reason that quite a few suppliers support their devices for some 2 years only and even then more often than not a bit too slow for me since especially on a smart phone I expect security fixes to be there fast. |