FYI - added text to some existing Android bug reports.

Missing ECC definitions
<https://issuetracker.google.com/issues/37065167>

There is another bug report that is more specific but was closed as not reproducible. I asked that it be reopened or merged.

SSLProtocolException: SSL handshake failed on Android N/7.0, missing support for elliptic curves.
<https://issuetracker.google.com/issues/37122132>

These are both specific to Google dropping ECC curves in the crypto library. This could be fixed in K-9 by bringing along a crypto library rather than using the system library as Chrome and Firefox do.

Curtis

On Saturday, April 22, 2017 at 8:29:35 PM UTC-4, Curtis Villamizar wrote:
>
> For us mere mortals there is a problem with Nougat (Android 7) that is
> alleged to be fixed in 7.1.1 that affects K-9.
>
> This is not a K-9 problem but a temporary workaround could be supported in
> K-9. More on that later.
>
> The problem occurs when upgrading to a new phone running Nougat, aka
> Android version 7. The one I upgraded to is an LG but this applies to any
> phone running Nougat (other than Nexus which may already have this fixed in
> 7.1.1 which is in beta). The time lag for a carrier and phone vendor to
> upgrade from 7.0 to 7.1.1 is likely to be very long.
>
> A tshark trace of a working connection contains this:
>
> Extension: elliptic_curves
>     Type: elliptic_curves (0x000a)
>     Length: 8
>     Elliptic Curves Length: 6
>     Elliptic curves (3 curves)
>         Elliptic curve: secp256r1 (0x0017)
>         Elliptic curve: secp384r1 (0x0018)
>         Elliptic curve: secp521r1 (0x0019)
>
> For the phone running Android 7.0 the trace contains:
>
> Extension: elliptic_curves
>     Type: elliptic_curves (0x000a)
>     Length: 4
>     Elliptic Curves Length: 2
>     Elliptic curves (1 curve)
>         Elliptic curve: secp256r1 (0x0017)
>
> These are in the TLS Client Hello sent by the phone to the IMAP server.
> Somehow Google dropped secp384r1 and secp521r1 in 7.0 and then apparently
> added it back in 7.1.1 (see post in
> https://github.com/haiwen/seadroid/issues/599 "typingArtist commented on
> Nov 27, 2016" or article Google Screwed Up Secp384r1 ECC Certificates
> <https://zitseng.com/archives/12787>).
>
> There might be a chance for a workaround if a copy of OpenSSL can be
> included in the K-9 distribution for Android >= 7.0 and < 7.1.1. The
> Chrome and Firefox browsers are unaffected because they do bring along
> their own crypto.
>
> It would be nice if Google created a 7.0.1 version with just a few fixes
> like this and tried to get phone vendors and carriers to push this out more
> quickly, but that could be slow.
>
> In the meantime I have this otherwise nice new phone that can't contact
> my IMAP servers (to fetch) or MTAs (to send mail).
>
> Any chance of a workaround in K-9?
>
> Curtis
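
Added example, not part of the original message or of K-9's code: a parser for the elliptic_curves extension that compares the two Client Hello traces quoted above and reports which curves the Android 7.0 client no longer offers. The byte strings are constructed from the field values shown in the traces, and the function names are hypothetical.

```python
import struct

# Code points and names exactly as they appear in the quoted tshark traces.
CURVES = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1"}
EXT_ELLIPTIC_CURVES = 0x000A

# Constructed from the trace fields: type, length, list length, curve list.
WORKING_EXT = bytes.fromhex("000a00080006001700180019")
ANDROID_70_EXT = bytes.fromhex("000a000400020017")

def parse_elliptic_curves(ext):
    """Parse one raw elliptic_curves extension into a list of code points."""
    if len(ext) < 6:
        raise ValueError("extension too short")
    ext_type, ext_len, list_len = struct.unpack_from("!HHH", ext, 0)
    if ext_type != EXT_ELLIPTIC_CURVES:
        raise ValueError("unexpected extension type 0x%04x" % ext_type)
    # Both length fields must agree with each other and with the bytes present.
    if ext_len != len(ext) - 4 or list_len != ext_len - 2 or list_len % 2:
        raise ValueError("inconsistent length fields")
    return [cp for (cp,) in struct.iter_unpack("!H", ext[6:])]

def curve_name(code_point):
    return CURVES.get(code_point, "unknown(0x%04x)" % code_point)

def dropped_curves(baseline_ext, observed_ext):
    """Curves offered in the baseline Client Hello but absent from the observed one."""
    observed = set(parse_elliptic_curves(observed_ext))
    return [curve_name(cp) for cp in parse_elliptic_curves(baseline_ext)
            if cp not in observed]

def client_offers(ext, name):
    """True if the client lists the named curve, e.g. the curve of a server's EC key."""
    return name in [curve_name(cp) for cp in parse_elliptic_curves(ext)]

if __name__ == "__main__":
    print("working client :", [curve_name(c) for c in parse_elliptic_curves(WORKING_EXT)])
    print("Android 7.0    :", [curve_name(c) for c in parse_elliptic_curves(ANDROID_70_EXT)])
    print("dropped        :", dropped_curves(WORKING_EXT, ANDROID_70_EXT))
    for curve in ("secp256r1", "secp384r1"):
        print(curve, "offered by 7.0 client:", client_offers(ANDROID_70_EXT, curve))
```
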
