Compatibility of some Android phones

marciozomeralves · April 29, 2020, 3:26am

Hello,
I’m having problems with the jitsi server installed locally with some android phone models. Some cell phones do not connect through the application.
But when he meets him.jit.si soon he connects.
I suspect it is in the certificate. I generated based on the model below. Does meet.jit.si use this one below?

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH+CHACHA20:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;

Thanks in advance,
Marcio

gpatel-fr · April 29, 2020, 6:59am

using this script the list is currently:

|tls1:|ECDHE-RSA-AES256-SHA|
|tls1:|ECDHE-RSA-AES128-SHA|
|tls1:|AES256-SHA|
|tls1:|AES128-SHA|
|tls1_1:|ECDHE-RSA-AES256-SHA|
|tls1_1:|ECDHE-RSA-AES128-SHA|
|tls1_1:|AES256-SHA|
|tls1_1:|AES128-SHA|
|tls1_2:|ECDHE-RSA-AES256-GCM-SHA384|
|tls1_2:|ECDHE-RSA-AES128-GCM-SHA256|
|tls1_2:|ECDHE-RSA-AES256-SHA384|
|tls1_2:|ECDHE-RSA-AES128-SHA256|
|tls1_2:|ECDHE-RSA-AES256-SHA|
|tls1_2:|ECDHE-RSA-AES128-SHA|
|tls1_2:|AES256-GCM-SHA384|
|tls1_2:|AES128-GCM-SHA256|
|tls1_2:|AES256-SHA256|
|tls1_2:|AES128-SHA256|
|tls1_2:|AES256-SHA|
|tls1_2:|AES128-SHA|

It may not be certificate related; if you use a turn server check it has valid certificates.

marciozomeralves · April 30, 2020, 7:42pm

Thank you for the answer.
The Chrome browser certificate states that it is a valid certificate.
Below I put the settings that I changed according to your recommendation in the ssl.conf file inside nginx on the docker.
I followed the pattern that was in the configuration separating ssl_protocols and ssl_ciphers.
Should I write the code exactly like this?

session settings

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

Diffie-Hellman parameter for DHE cipher suites

ssl_dhparam /config/ngnix/dhparams.pem

ssl certs

ssl_certificate /etc/letsencrypt/live/meet…(my domain)…/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/meet…(my domain)…/privkey.pem;

protocols

#ssl_protocols TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDH+CHACHA20:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;

ssl_ciphers ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;

headers

add_header Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection “1; mode=block”;

Thank you,
Marcio