Quaternion Cannot Connect to TLS 1.3 Server (macOS)
Description
Using Quaternion on macOS 11, I cannot connect to a home server that uses TLS 1.3 exclusively.
Steps to reproduce
- Run Quaternion on macOS 11
- Try to connect to home server that uses TLS 1.3 exclusively
Logs
quotient.jobs: Sent GET https://***REDACTED***/_matrix/client/r0/login
quotient.jobs: No valid HTTP headers from GET https://***REDACTED***/_matrix/client/r0/login
quotient.jobs: "GetLoginFlowsJob" status NetworkError: SSL handshake failed
Additional Info
You probably use the built-in macOS libraries, right? Nowadays, macOS uses LibreSSL, which does not support TLS 1.3! The only remedy I'm aware of is to build and bundle OpenSSL with Quaternion.
Version information
0.0.95.1 downloaded from GitHub releases
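The failure in the log above is a protocol-version mismatch: the homeserver only accepts TLS 1.3, and a client TLS stack that cannot offer 1.3 is rejected during the handshake before any HTTP headers are exchanged. The following Go program is an added example, not code from Quaternion or libQuotient, that reproduces the mismatch offline: it starts a loopback server configured for TLS 1.3 only (with a throwaway self-signed certificate generated in-process, assumed to stand in for the reporter's homeserver certificate), then dials it twice, once as a client capped at TLS 1.2 (the "no TLS 1.3 support" case) and once as a client that can negotiate 1.3. The function names and the port choice are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for 127.0.0.1. It is constructed
// in-process for the example and is not any real homeserver's certificate.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "tls13-only.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// startTLS13OnlyServer listens on loopback and, like the reporter's homeserver,
// refuses anything below TLS 1.3. Each accepted connection gets one line and is closed.
func startTLS13OnlyServer(cert tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				// The first Write performs the handshake; a version mismatch fails here
				// on the server side and the client sees a protocol_version alert.
				_, _ = c.Write([]byte("hello\n"))
			}(c)
		}
	}()
	return ln, nil
}

// ProbeResult records what one client configuration achieved against the server.
type ProbeResult struct {
	MaxVersion uint16 // highest version the client was willing to offer
	Negotiated uint16 // version actually agreed, 0 on failure
	Err        error  // handshake error, nil on success
}

// probe dials addr with a client capped at maxVersion and reports the outcome.
// Verification is done properly against the example's own root; nothing is skipped.
func probe(addr string, roots *x509.CertPool, maxVersion uint16) ProbeResult {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12, MaxVersion: maxVersion}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return ProbeResult{MaxVersion: maxVersion, Err: err}
	}
	defer conn.Close()
	return ProbeResult{MaxVersion: maxVersion, Negotiated: conn.ConnectionState().Version}
}

// RunProbes starts the TLS 1.3-only server and probes it with a TLS 1.2-capped
// client (the "no TLS 1.3 support" case) and with a TLS 1.3-capable client.
func RunProbes() ([]ProbeResult, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := startTLS13OnlyServer(cert)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	var out []ProbeResult
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		out = append(out, probe(ln.Addr().String(), roots, v))
	}
	return out, nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	res, err := RunProbes()
	if err != nil {
		panic(err)
	}
	for _, r := range res {
		if r.Err != nil {
			fmt.Printf("client capped at %s: SSL handshake failed: %v\n", versionName(r.MaxVersion), r.Err)
		} else {
			fmt.Printf("client capped at %s: negotiated %s\n", versionName(r.MaxVersion), versionName(r.Negotiated))
		}
	}
}
```

The first probe is the situation in the log: the client never gets an HTTP response because the server rejects it during the handshake with a protocol-version alert. The second probe shows the same server is reachable as soon as the client stack can offer TLS 1.3, which is the property to verify in whatever TLS backend the application ends up loading.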
Since OpenSSL is necessary to build libQuotient with E2EE support, I guess bundling OpenSSL with Quaternion is the way to go, as much as I hate it (because it means that I'm supposed to refresh that bundle every time OpenSSL gets a CVE fix...)
macOS Ventura (released at the end of October) ships with LibreSSL 3.3.6
My understanding is that this should mean TLS 1.3 is supported now (https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.0-relnotes.txt); however, I set my homeserver to use only TLS 1.3 and still got the SSL handshake failed error.
Not having macOS I can't check if the problem is still around; but from what I gather, it all boils down to the question of OpenSSL that Qt is built with and also the encryption mechanism chosen by Qt at runtime.
Quaternion used to use the official build of Qt from its FTP server; I think they used OpenSSL 1.1 until Qt 6.4.x (the version used as of this writing). I have no idea if OpenSSL is actually used at runtime though: Qt documentation says that Secure Transport is prioritised on macOS if it's available. Secure Transport, in turn, is considered legacy and Apple discourages its use; and it doesn't support TLS 1.3. I'm not really sure if it's possible to force usage of the OpenSSL backend but one way to check if that actually causes problems is to put away the Secure Transport plugin that comes in the Quaternion bundle and see if that helps matters (provided that the OpenSSL plugin is around, of course).