The TinyTinyRSS clients that weren't compatible:

• https://f-droid.org/en/packages/org.ttrssreader/
• https://f-droid.org/en/packages/org.fox.tttrss/

The browser that wasn't compatible:

• LineageOS built-in Jelly browser version 8.1.0: https://www.apkmirror.com/apk/lineageos/lineageos-jelly-browser/lineageos-jelly-browser-8-1-0-release/lineageos-jelly-browser-8-1-0-android-apk-download/

@fpletz @nh2 What was the justification for removing chacha20 ciphers in? de8008a

It seems like either a change was accidentally added to the git commit, or a sneak modification of the cipher list, because neither the commit message nor the PR mentioned this.

We should perhaps discuss what the cipher list should be, and then document the choices made (what ciphers are excluded, which ones are included) in the description for sslCiphers.

In my eyes, there's no reason to exclude ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305 to the cipher list.

My LineageOS version is a bit old: 15.1-20180709-NIGHTLY-cheeseburger. That might have an effect on the apps too? Unfortunately I haven't been able to update my OS. But anyway, it'd be nice if the web sites and services worked, if they can without compromising security.

@fpletz @nh2 What was the justification for removing chacha20 ciphers in? de8008a

It seems like either a change was accidentally added to the git commit, or a sneak modification of the cipher list, because neither the commit message nor the PR mentioned this.

We should perhaps discuss what the cipher list should be, and then document the choices made (what ciphers are excluded, which ones are included) in the description for sslCiphers.

In my eyes, there's no reason to exclude ECDHE-ECDSA-CHACHA20-POLY1305 and ECDHE-RSA-CHACHA20-POLY1305 to the cipher list.

Chacha20-Poly1305 seems to be a part of the following term, it was not removed as you stated.

❯ openssl ciphers -v 'EECDH+aRSA+AESGCM'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

It was removed from the nixos option nginx.sslCiphers in the commit I referenced above.

It was removed from the nixos option nginx.sslCiphers in the commit I referenced above.

No, it was not.

Old default:

❯ openssl ciphers -v 'EDH+CHACHA20:EDH+AES:EECDHE+CHACHA20:ECDHE+AES:+AES128:-DSS' | grep CHACHA
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD

New default:

❯ openssl ciphers -v 'EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL' | grep CHACHA
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD

Strike that. I misread what you were trying to convey

Just bumped into this too! For some reason my old iPhone running iOS 10 stopped being able to access my website due to some nixpkgs update (can't figure out which one though). I'd really like to know the reason why this suddenly doesn't work anymore. But the fix here looks good to me (not an expert though) and it fixes the problem!

It even looks like TLSv1.2 doesn't work at all without this, because openssl s_client -connect infinisil.com:443 -tls1_2 -servername infinisil.com resulted in

140060813575232:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
  handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40

Not sure why, because looking at the supported ciphers before this commit clearly shows some TLSv1.2 ones:

$ openssl ciphers -v 'EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-ARIA256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ARIA256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(256) Mac=AEAD
ECDHE-ARIA128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ARIAGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1

Ping @fpletz

I think that the cipher and TLS defaults should track Mozilla's TLS configuration generator; it's the most reliably up-to-date source of configurations over the range of security-compatibility in my opinion. I use the Intermediate ciphers in my nginx configuration and experience no issues with TLS v1.2.

I can confirm that the cipher list from that configuration generator for the intermediate setting works on my iPhone, link: https://ssl-config.mozilla.org/#server=nginx&version=1.16.1&config=intermediate&openssl=1.1.1d&guideline=5.4

That is quite interesting. I ran into a similar issue after having upgraded a machine from 19.09 to 20.03 with an Android app but haven't got time to look into this yet. This might be related to an OpenSSL update.

Thanks for the PR and comments, I'm going to look into what's causing this ASAP.

I agree with @emilazy that we should probably move to Mozilla's recommendations.

Ok, this regression is really weird. It is not related to the OpenSSL version because the current ciphers won't work with nginx compiled with either libressl or OpenSSL 1.0.2. Also, I confirmed that this works on 19.09 but fails on 20.03 even though we have the same versions of nginx (1.16.1) and OpenSSL (1.1.1d) on both branches.

I'm not sure if it's worth bisecting because we should update the cipher suites anyway. I would propose to update the ciphers according to the Mozilla's Intermediate recommendations. Since we had some ciphers that are now considered weak, we should even backport this to 19.09.

Right!? I tried to start bisecting the issue too, because I was pretty sure updating my nixpkgs from c3414919a539d06a73c41f90dcf2f346523ae585 to ea79a83 caused it, but even after reverting to the old version it wasn't fixed. Reverting a couple more nixpkgs updates I've done didn't seem to help either. Really weird, I feel like there's an impurity lingering somewhere

This also affects qutebrowser and thereby likely any qtwebengine-based system. https://www.ssllabs.com/ssltest/analyze.html marks TLS 1.2 as "not supported". Is it possible that what we are witnessing relates to browser efforts to deprecate old TLS versions, maybe deprecating ciphers which previously propped up our TLS 1.2 support? That would at least explain why bisecting doesn't help, if the regression stems from a client change rather than a server one.

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/ssl-issue-with-haskell-server-on-nixos/6086/2

I really think we should switch over to the Mozilla intermediate cipher set ASAP to resolve these issues in a future-proof and dependably secure way, and probably backport it to 20.03 too.

If nobody else feels like doing that I'll try and get it done within the next week.