
Fix autodiscovery ssl for lets encrypt

Open wmontwe opened this issue 1 year ago • 6 comments

This update fixes the problem preventing Android 7.0 and earlier versions from connecting to Let's Encrypt signed domains due to their new root certificate, as discussed in issue #7646.

This leaves out changes to the SSL connections using TrustedSocketFactory; those need to be addressed in a different fix.

wmontwe avatar Feb 19 '24 15:02 wmontwe

There's always a chance that this is (or will be due to a library upgrade) less secure than the platform behavior. We should probably limit replacing the TrustManager to older Android versions.

I think limiting this to older Android versions works for Let's Encrypt; in case there are other missing certificates, we might need to reconsider. This could also be resolved by switching to the Conscrypt TrustStore.

wmontwe avatar Feb 20 '24 10:02 wmontwe
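The approach discussed above (bundling ISRG Root X1, but only replacing the TrustManager on Android releases that lack it, and otherwise leaving platform behaviour untouched) as an added example; this is not code from the pull request or from the K-9 Mail / Thunderbird code base. It assumes a PEM copy of ISRG Root X1 bundled as `res/raw/isrg_root_x1.pem` (so `R.raw.isrg_root_x1` resolves via the app's own `R` class), and the class and method names are illustrative.

```java
// Added example, not K-9 Mail code. Assumes res/raw/isrg_root_x1.pem (ISRG Root X1) and the app's R class.
import android.content.Context;
import android.os.Build;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public final class LetsEncryptTrustManagers {
    // ISRG Root X1 entered the platform store in Android 7.1.1 (API 25); earlier releases lack it.
    private static final int FIRST_API_WITH_ISRG_ROOT_X1 = Build.VERSION_CODES.N_MR1;
    public static X509TrustManager create(Context context) throws Exception {
        final X509TrustManager platform = fromStore(null); // null = platform default trust store
        if (Build.VERSION.SDK_INT >= FIRST_API_WITH_ISRG_ROOT_X1) {
            return platform; // modern Android: keep platform behaviour untouched
        }
        // Older Android: a second trust manager whose only anchor is the bundled ISRG Root X1.
        KeyStore bundled = KeyStore.getInstance(KeyStore.getDefaultType());
        bundled.load(null, null);
        try (InputStream in = context.getResources().openRawResource(R.raw.isrg_root_x1)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            bundled.setCertificateEntry("isrg-root-x1", cf.generateCertificate(in));
        }
        final X509TrustManager extra = fromStore(bundled);
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    platform.checkServerTrusted(chain, authType); // platform verdict first
                } catch (CertificateException platformFailure) {
                    try { extra.checkServerTrusted(chain, authType); } // fallback: bundled root only
                    catch (CertificateException ignored) { throw platformFailure; } // surface the platform error
                }
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }
    private static X509TrustManager fromStore(KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
}
```

Hostname verification is not part of a TrustManager, so the socket factory or HTTP client that uses this must still apply its usual HostnameVerifier.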

Here is a list of certificates used in modern Android versions: https://android.googlesource.com/platform/system/ca-certificates/+/refs/heads/main/files

wmontwe avatar Feb 20 '24 11:02 wmontwe

We might also need to check image loading and webview.

wmontwe avatar Feb 20 '24 11:02 wmontwe

We might also need to check image loading and webview.

I'd say that's a rather low priority. Let's not spend too much time on fixing everything on very old Android versions.

cketti avatar Feb 20 '24 12:02 cketti

Could it be affecting Android 8.0.0 as well?

After installing K-9 Mail version 6.603 on Android 8.0.0 and entering my email address + password + Next... I see no autodiscovery attempt (server side); it just asks for IMAP or POP account (client side), and when choosing IMAP it just sets the email account's incoming server setting to something like:

imap.myemaildomain.co.uk SSL/TLS port 993

...but those are not my server settings; the imap. record does not exist in my case. I suppose it is reverting to local app default settings, rough guess hardcoded in the app...

In Thunderbird Desktop on Windows the settings are properly detected via autodiscovery with the exact same account details.

We use a Let's Encrypt certificate with R3 > ISRG Root X1 validation path on our server, so I was wondering if this bug may be at play on Android 8 and K-9 Mail somehow is unable to validate the certificate to establish connection? Or if it may be due to another bug in the app.

I tried to install the CA cert https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem which was added in User Security Certificate in Android but that did not resolve the issue.

richardleger avatar Feb 20 '24 16:02 richardleger

@richardleger: K-9 Mail 6.603 doesn't support autoconfig.

cketti avatar Feb 20 '24 17:02 cketti

As there is no activity on this issue, I'll close this until there is consensus on how to approach this issue.

wmontwe avatar Apr 24 '24 09:04 wmontwe