drop support for pre-android 5? #687

Closed
segler-alex opened this issue Feb 8, 2020 · 9 comments
Comments

segler-alex (Owner) commented Feb 8, 2020

for all of you who remember the okhttp downgrade to keep android 4 working, now the story continues (#646).
now the server also starts fu**ing us. some days ago people started noticing connection errors on older phones (#681). After investigating this, i noticed that the newest version of certbot changed the default settings of the apache server in a way that disallows even TLSv1.1:

```apache
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLOptions +StrictRequire
```

after reverting it back to the old one it worked again. the only reason the other servers still worked is that they use the certbot provided by the distribution, which basically does not get version upgrades except for security reasons, so they did not do this change. for now it is working again, but this is no long term solution, also because it is a good thing that older insecure tls versions get kicked out.

to play devil's advocate here, we could just ignore security. we are just doing radio station lists. nobody cares about what you are listening to...

but in my opinion i would rather have a real solution, because i can't know when it will become important...

i found an article that there is a way to basically tell Google Play Services to upgrade the device to support TLS 1.2 (https://developer.android.com/training/articles/security-gms-provider)

```kotlin
import android.content.Context
import com.google.android.gms.common.GoogleApiAvailability
import com.google.android.gms.common.GooglePlayServicesNotAvailableException
import com.google.android.gms.common.GooglePlayServicesRepairableException
import com.google.android.gms.security.ProviderInstaller

// Asks Google Play services to update the device's security provider (adds TLS 1.2 on old Android).
fun Context.installTls12() {
    try {
        ProviderInstaller.installIfNeeded(this)
    } catch (e: GooglePlayServicesRepairableException) {
        // Prompt the user to install/update/enable Google Play services.
        GoogleApiAvailability.getInstance()
            .showErrorNotification(this, e.connectionStatusCode)
    } catch (e: GooglePlayServicesNotAvailableException) {
        // Indicates a non-recoverable error: let the user know.
    }
}
```

But this is of course no solution for us, because it will not work for a lot of FDroid people out there.

I found another article that is saying that android 4 devices basically support tls1.2, but are not enabling it. we could just force enable it, but it may not work on some devices. i am currently researching how to do this.
(square/okhttp#2372)

please share your thoughts on this.
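The square/okhttp#2372 workaround mentioned above, as an added Java example that is not RadioDroid's own code: it wraps the platform socket factory so that sockets created on Android 4.1 to 4.4 (API 16 to 21) have TLSv1.2 enabled, and installs it into an OkHttp builder together with a ConnectionSpec that advertises TLS 1.2. The class name Tls12SocketFactory and the helper enableTls12 are my own; it assumes the okhttp3 API of the 3.12.x line (the last branch supporting Android 4).

```java
import android.os.Build;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.*;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

/** Wraps the platform SSLSocketFactory and enables TLSv1.2 on every socket it creates. */
public final class Tls12SocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    public Tls12SocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException { return patch(delegate.createSocket(s, h, p, close)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return patch(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return patch(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return patch(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return patch(delegate.createSocket(h, p, l, lp)); }

    // Android 4.1-4.4 ship TLSv1.2 but leave it disabled; enable it only when the socket supports it,
    // otherwise setEnabledProtocols would throw and the connection would fail outright.
    private static Socket patch(Socket s) {
        if (s instanceof SSLSocket && Arrays.asList(((SSLSocket) s).getSupportedProtocols()).contains("TLSv1.2")) {
            ((SSLSocket) s).setEnabledProtocols(new String[] {"TLSv1.2"});
        }
        return s;
    }

    /** Applies the workaround on API 16-21 only; Android 5+ enables TLSv1.2 by default. */
    public static OkHttpClient.Builder enableTls12(OkHttpClient.Builder builder) {
        if (Build.VERSION.SDK_INT < 16 || Build.VERSION.SDK_INT > 21) return builder;
        try {
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            ctx.init(null, null, null);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null = the system CA store, so certificate validation is unchanged
            X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
            builder.sslSocketFactory(new Tls12SocketFactory(ctx.getSocketFactory()), tm);
            ConnectionSpec tls12 = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                    .tlsVersions(TlsVersion.TLS_1_2).build();
            builder.connectionSpecs(Arrays.asList(tls12, ConnectionSpec.COMPATIBLE_TLS, ConnectionSpec.CLEARTEXT));
        } catch (GeneralSecurityException e) { /* no TLSv1.2 provider on this device: keep platform defaults */ }
        return builder;
    }
}
```

Devices whose provider lacks TLSv1.2 entirely (the 4.2.2 case reported later in this thread) still fail against a server that rejects TLSv1.1, so the server-side SSLProtocol line remains the deciding factor for them.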

werman (Contributor) commented Feb 8, 2020

From what I see in that okhttp thread there are no reports of the workaround not working, so we could safely implement it.

And what are the current stats of users' Android versions?

segler-alex (Owner, Author) commented

werman (Contributor) commented Feb 8, 2020

I mean for RadioDroid.

segler-alex (Owner, Author) commented

on my old phone (4.4) the fix does not work :(

segler-alex (Owner, Author) commented

i checked again, it is actually 4.2.2
but the article says it still should work starting from 4.1

werman (Contributor) commented Feb 8, 2020

If this really doesn't work, then from my point of view you can leave tls 1.1 enabled; we don't move any really private information around, and the clients which support tls 1.2 will use it.

segler-alex (Owner, Author) commented

i merged it; even if it does not help all people, it may help more than now

segler-alex (Owner, Author) commented

it seems we are late to this game, i found a lot of people who did change this in 2018 :)

segler-alex (Owner, Author) commented

i have now a working solution at least for my phone on the play store version.
