[k-9-mail] android nugget (>= 7.0 && < 7.1.1) issue with ECDSA keys other than secp256r1

Sat, 22 Apr 2017 17:29:59 -0700 

For us mere mortals there is a problem with nugget (android 7) that is 
alleged to be fixed in 7.1.1 that affects K-9.

This is not a K-9 problem but a temporary workaround could be supported in 
K-9.  More on that later.

The problem occurs when upgrading to a new phone running nugget, aka 
android version 7.  The one I upgraded to is an LG but this applies to any 
phone running nugget (other than nexus which may already have this fixed in 
7.1.1 which is in beta).  The time lag for a carrier and phone vendor to 
upgrade from 7.0 to 7.1.1 is likely to be very long.

A tshark trace of a working connection contains this:

            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 8
                Elliptic Curves Length: 6
                Elliptic curves (3 curves)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: secp384r1 (0x0018)
                    Elliptic curve: secp521r1 (0x0019)

For the phone running android 7.0 the trace contains:

            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 4
                Elliptic Curves Length: 2
                Elliptic curves (1 curve)
                    Elliptic curve: secp256r1 (0x0017)

These are in the TLS Client Hello sent by the phone to the IMAP server.  
Somehow Google dropped secp384r1 and secp521r1 in 7.0 and then apparently 
added it back in 7.1.1 (see post in 
https://github.com/haiwen/seadroid/issues/599 "typingArtist commented on 
Nov 27, 2016" or article Google Screwed Up Secp384r1 ECC Certificates 
<https://zitseng.com/archives/12787>).

There might be a chance for a workaround if a copy of openssl can be 
included in the K-9 distribution for android >= 7.0 and < 7.1.1.  The 
chrome and firefox browsers are unaffected because they do bring along 
their own crypto.

It would be nice if Google created a 7.0.1 version with just a few fixed 
like this and try to get phone vendors and carriers to push this out more 
quickly, but that could be slow.

In the mean time I have this otherwise nice new phone that can't contact my 
IMAP servers (to fetch) or MTAs (to send mail).

Any chance of a workaround in K-9?

Curtis

-- 
You received this message because you are subscribed to the Google Groups "K-9 
Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to