sbca68

Reputation: 25

TLS Client Hello request contains unknown version in iOS or Android

I have noticed that my native mobile applications for iOS and Android had stopped working for an unknown reason on some providers in Russia. My quick research with Wireshark showed me the reason for this behaviour (I was wrong - see my post update below):

(blocked packet wireshark screenshot)

If a TLS Client Hello packet contains an unknown version in the supported_version field, it is blocked by the provider's DPI and my backend server doesn't receive it.

But at the same time, when I try to make the same REST API request from a JS browser or Insomnia, it works and the TLS Client Hello packet doesn't contain any "unknown versions".

(normal passed packet wireshark screenshot)

The unknown TLS version randomly changes every time; it may be 0xbaba, 0xcaca, 0x1a1a and so on - any value following the 0xaa template.

I am not sure, but I suspect that this filtering happens because of the government firewall equipment that most providers in our country have started to use, because this problem does not occur on networks without this equipment. Therefore, unfortunately, I cannot fix this problem on the provider's side.

How can I force my Swift and Kotlin applications not to use this unknown version inside the TLS protocol?

UPDATE: It seems the unsupported version is not the reason for this behaviour. It is also present in packets when I open this URL in Safari on the same device.

But I've found another difference in TLS packets:

This packet is blocked (my App): (blocked packet Wireshark screenshot)

This packet is passed (Safari): (passed packet Wireshark screenshot)

UPDATE2: Setting NSExceptionRequiresForwardSecrecy=NO solved this problem.

Upvotes: 1

Views: 459

Answers (1)

Paulw11

Reputation: 114984

Although you have now determined that the problem is resolved by disabling the requirement for forward secrecy, I will leave my explanation regarding your original question of the unknown TLS versions.

Original answer

These are GREASE values and are intended to weed out systems that don't correctly support unknown TLS versions.

It looks like it is doing its job and whatever filtering system(s) they have deployed has exactly the bug that GREASE is meant to find.

Unfortunately there is nothing you can do on your side except try and report the problem to the providers.

Upvotes: 2
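As an added illustration of the GREASE values discussed in this answer (example code written for this page, not code from the question, the answer, or any library), the following Python parses a constructed ClientHello extensions block, separates RFC 8701 GREASE values (0x0A0A, 0x1A1A, ..., 0xFAFA) from real protocol versions in supported_versions, and shows how a compliant server or middlebox is supposed to negotiate: by ignoring the GREASE entries rather than rejecting the handshake. The sample bytes are constructed for the example and include a GREASE extension type (0x2A2A) alongside the supported_versions extension (type 43).

```python
"""Parse a TLS ClientHello extensions block and classify RFC 8701 GREASE values.

Added example for illustration; the sample bytes below are constructed, not captured.
"""
import struct

SUPPORTED_VERSIONS_EXT = 0x002B  # extension type 43, supported_versions (RFC 8446)

TLS_VERSION_NAMES = {
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values are 16-bit values of the form 0x?A?A where both
    bytes are identical: 0x0A0A, 0x1A1A, ..., 0xFAFA (e.g. 0xBABA, 0xCACA)."""
    hi, lo = value >> 8, value & 0xFF
    return hi == lo and (lo & 0x0F) == 0x0A


def parse_extensions(data: bytes) -> dict:
    """Parse a raw extensions list: a sequence of type(2) | length(2) | body."""
    exts = {}
    offset = 0
    while offset < len(data):
        ext_type, ext_len = struct.unpack_from("!HH", data, offset)
        offset += 4
        body = data[offset:offset + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension")
        exts[ext_type] = body
        offset += ext_len
    return exts


def parse_supported_versions(body: bytes) -> list:
    """ClientHello form of supported_versions: one length byte, then 2-byte versions."""
    count = body[0]
    if count % 2 or len(body) != 1 + count:
        raise ValueError("malformed supported_versions")
    return [struct.unpack_from("!H", body, 1 + i)[0] for i in range(0, count, 2)]


def analyze_client_hello_extensions(data: bytes) -> dict:
    """Return GREASE versions, real versions and GREASE extension types found."""
    exts = parse_extensions(data)
    versions = parse_supported_versions(exts[SUPPORTED_VERSIONS_EXT])
    return {
        "grease_versions": [v for v in versions if is_grease(v)],
        "real_versions": [v for v in versions if not is_grease(v)],
        "grease_extensions": [t for t in exts if is_grease(t)],
    }


def select_version(client_versions, server_versions=(0x0304, 0x0303)):
    """What a compliant peer does: skip GREASE entries and pick the first
    server-preferred version the client also offered; None if no overlap.
    Rejecting the whole handshake on an unknown value is the bug GREASE exposes."""
    offered = {v for v in client_versions if not is_grease(v)}
    for v in server_versions:
        if v in offered:
            return v
    return None


# Constructed sample: a GREASE extension (type 0x2A2A, empty body) followed by
# supported_versions listing 0x1A1A (GREASE), TLS 1.3 and TLS 1.2.
SAMPLE_EXTENSIONS = bytes.fromhex("2a2a0000") + bytes.fromhex("002b0007061a1a03040303")

if __name__ == "__main__":
    result = analyze_client_hello_extensions(SAMPLE_EXTENSIONS)
    print("GREASE versions:", [hex(v) for v in result["grease_versions"]])
    print("Real versions:  ", [TLS_VERSION_NAMES.get(v, hex(v)) for v in result["real_versions"]])
    print("GREASE exts:    ", [hex(t) for t in result["grease_extensions"]])
    chosen = select_version(parse_supported_versions(parse_extensions(SAMPLE_EXTENSIONS)[SUPPORTED_VERSIONS_EXT]))
    print("Negotiated:     ", TLS_VERSION_NAMES.get(chosen, chosen))
```

Running the script shows the 0x1A1A entry and the 0x2A2A extension type flagged as GREASE while negotiation still lands on TLS 1.3; a DPI box that instead drops the ClientHello on seeing 0x1A1A is behaving exactly like the broken implementation that GREASE was designed to surface.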
