[Nextcloud 21 + Debian 10] SSL initialization error android 10 app

Operations · May 21, 2021, 11:00am

I am running Nextcloud 21 on Debian 10 with apache.
Build from scratch. My first time

Everytime is working fine, ssllabs gives me an A+.

My only problem (so far ) is that my android app keeps saying SSL initialization error. And because of that or as a separate issue the app hangs a lot. The asks me to wait to shutdown the app constantly.

Now i have found that this change to “ssl_ecdh_curve prime256v1;” instead of “ssl_ecdh_curve secp384r1 should be the solution.

But i am not sure how to do this.

When i look at /etc/letsencrypt/options-ssl-apache.conf (This is the correct file right? ) i see:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:$
SSLHonorCipherOrder off
SSLSessionTickets off

Which i put there, so that is fine. But would do i need to change? I am not seeing ssl_ecdh_curve secp384r1. So i am not sure what to do now.

Reiner_Nippes · May 21, 2021, 1:03pm

github.com

ReinerNippes/nextcloud/blob/nextcloud-reloaded/roles/webserver/templates/apache/nextcloud.conf.j2#L18


      
              Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains; preload"
          {% endif %}
              SSLEngine on
              SSLCompression off
              # Requires Apache >= 2.4.11
          	SSLSessionTickets Off
          
              SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
              SSLCipherSuite "HIGH+kEECDH+AESGCM:HIGH+kEECDH:HIGH+kEDH:HIGH:!aNULL"
          {% if (ansible_os_family == 'Debian') %}
              SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
          {% endif %}
              SSLHonorCipherOrder on
              
              ServerAdmin admin@{{ nextcloud_fqdn }}
              ServerName {{ nextcloud_fqdn }}
          
              <FilesMatch "\.php$">
                  SetHandler "proxy:unix:{{ php_socket[ansible_distribution] }}|fcgi://localhost"
              </FilesMatch>
              DocumentRoot {{ nextcloud_www_dir }}

Operations · May 21, 2021, 2:19pm

@Reiner_Nippes,

Thanks for quick answer.

When i paste this in:

{% if (ansible_os_family == ‘Debian’) %}
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
{% endif %}

I get an error trying to restart apache2. When i only add the yellow part, i am able to restart apache. Shouldn’t it also work when i add the 3 lines i mentioned?

The SSL error is gone but the android app stills hangs a lot.

I have to admit the app is uploaden a lot of pictures but this should be fine right…

Reiner_Nippes · May 23, 2021, 7:09pm

nope. sorry. the lines with {% … %} are jinja templates from my ansible playbook. my ansible playbook detects if it is executed on a debian system and adds the command.

yes. this may take a while.