SUMMARY

kdeconnect android app should support TLS 1.2 in order to provide good/better security. Because this is a remote control application, I would consider this a security-sensitive application, and expect it to use relatively strong encryption.

TLS 1.0 and 1.1 are being actively deprecated for credit card processing, and by all major browsers. These older TLS versions include weaker ciphers and SHA1, which make them potentially vulnerable to downgrade attacks.
https://redmondmag.com/articles/2018/10/15/browsers-drop-support-for-tls-1.aspx

Android 4.1 added TLS 1.2 support back in 2012. So this implies dropping support for Android 4.0, whose current market share is 0.3%.
https://www.statista.com/statistics/271774/share-of-android-platforms-on-mobile-devices-with-android-os/

STEPS TO REPRODUCE

1. Connect a phone using kdeconnect for Android to a Linux computer using the GSConnect gnome-shell extension
2. Capture traffic using Wireshark
3. Verify TLS version

OBSERVED RESULT

TLSv1.0

EXPECTED RESULT

TLSv1.2 or TLSv1.3

SOFTWARE/OS VERSIONS

Android: 7.1
Linux: Debian 9
gnome-shell 3.30.1

ADDITIONAL INFORMATION
Hi,

Could you please confirm which version includes the fix? I checked for updates using F-Droid to ensure I was using the latest available, i.e. KDE Connect 10.0.1; however, it appears the issue persists.

Using Wireshark again, I see the Gnome Shell extension initiates the connection with a Client Hello with TLS version 1.2; however, the phone replies with a Server Hello with TLS version 1.0. This suggests my computer does attempt a TLS connection with version 1.2, but the application is only able to reply with version 1.0.
The fix is currently in master and not released yet
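
The version check done by hand in Wireshark in the report and the follow-up comment can be scripted. The following is an added example, not code from KDE Connect or GSConnect: it parses one ClientHello and one ServerHello record and flags a negotiated version below TLS 1.2, and it goes beyond the reported case by also reading the `supported_versions` extension that TLS 1.3 uses. The function names and the sample records built by `build_hello` are constructed for illustration.

```python
# Added example: the sample records are constructed, not captured traffic.
NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
MIN_VERSION = 0x0303  # TLSv1.2, the minimum the report expects

def u16(buf, i):
    return int.from_bytes(buf[i:i + 2], "big")

def hello_versions(record):
    """Return the version list carried by one ClientHello/ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] not in (1, 2):
        raise ValueError("not a TLS ClientHello/ServerHello record")
    is_client = record[5] == 1
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 38:
        raise ValueError("truncated hello")
    versions = [u16(body, 0)]                 # legacy_version field
    pos = 34                                  # skip version + 32-byte random
    pos += 1 + body[pos]                      # session_id
    if is_client:
        pos += 2 + u16(body, pos)             # cipher_suites
        pos += 1 + body[pos]                  # compression_methods
    else:
        pos += 3                              # cipher_suite + compression_method
    if pos + 2 <= len(body):                  # extensions are optional before TLS 1.3
        end = pos + 2 + u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = u16(body, pos), u16(body, pos + 2)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 43:                # supported_versions overrides legacy_version
                raw = data[1:] if is_client else data
                versions = [u16(raw, i) for i in range(0, len(raw) - 1, 2)]
            pos += 4 + ext_len
    return versions

def audit(client_hello, server_hello):
    # Ignore GREASE/unknown values when finding the client's highest offer.
    offered = max(v for v in hello_versions(client_hello) if v in NAMES)
    chosen = hello_versions(server_hello)[0]
    verdict = "OK" if chosen >= MIN_VERSION else "FAIL"
    return f"{verdict}: client offered up to {NAMES[offered]}, server selected {NAMES.get(chosen, hex(chosen))}"

def build_hello(hs_type, version, exts=b""):
    """Build a minimal constructed hello record (1 = ClientHello, 2 = ServerHello)."""
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00"   # version, random, empty session_id
    body += b"\x00\x02\x00\x2f\x01\x00" if hs_type == 1 else b"\x00\x2f\x00"
    if exts:
        body += len(exts).to_bytes(2, "big") + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    print(audit(build_hello(1, 0x0303), build_hello(2, 0x0301)))
```

To use it on real traffic, pass the raw TLS record bytes of each hello, for example copied out of a capture as a hex stream and converted with `bytes.fromhex`.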