Complete
over 2 years ago

The initial issue was resolved.

However, we are still working on some additional changes to WiFi later in the year.

TLS Certificate issue with Fenix 7 and Epix (Gen 2)

Runcasts users who recently upgraded to the Fenix 7 or Epix Gen 2 are reporting that their connections are suddenly not working correctly. It's returning an error code '0', which comes from Communications.makeWebRequest and maps to UNKNOWN_ERROR.

I know from past experience that this can often be caused by TLS issues, so I have built a tool to verify this, available here: https://apps.garmin.com/en-US/apps/1f8aecd2-d37f-49ec-bcdd-f19feb9e8994 (the source code is also available to inspect, linked from the store page).

It appears that Runcasts Sectigo certificate is not being accepted by the Fenix 7 or Epix 7, while as far as I can tell, it's accepted by other devices in the fleet, including the Fenix 6.

I'll include (2) pics, one of a Fenix 6 where all the tests are green and one from a Fenix 7 where the Sectigo certificate fails.

For context, I originally used Let's Encrypt, but that had similar issues of not working on some device + firmware combinations, so I went with a more standard certificate, Sectigo, which has worked well. This is the first time I'm hearing reports of this particular cert not working.

The request would be to update the certificate store on the watch so that this certificate works.

As a note, when testing this, make sure you're connecting through Wi-Fi and not Bluetooth to the phone. This can be a confounding factor: if it connects using the phone, then presumably it uses the cert store on the phone, which is often up-to-date / complete. However, with Wi-Fi, it uses whatever's on the watch, and that, in general, has been more limited.

  • I have the same problem. But there doesn't seem to be a problem with the certificate (I have two sites and they both use Let's Encrypt, the first works and the second doesn't). I've been trying to figure out what the difference is between those sites and there seems to be a problem with the cipher suite. 

    The first website supports cipher suites which are already considered weak today (requests to this website work). The second only supports strong cipher suites (all HTTP requests fail with response code 0).

    This means that the new devices only support "dangerous" cipher suites and do not support secure ones.

    This problem is only with Fenix 7 and Epix 2 (I tried Forerunner 645 and it works without problems).

    These are cipher suites that are supported on the website that does not work:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    These are cipher suites used by the website that works:

    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_ARIA_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CCM
    TLS_RSA_WITH_AES_128_CCM_8
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_ARIA_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
    TLS_RSA_WITH_AES_256_CCM
    TLS_RSA_WITH_AES_256_CCM_8
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

    I also checked @rconradharris server (Runcast) and it also seems to support only the strong cipher suites.

    If you want to try this, just make any HTTPS request (using WIFI - this is important!) to this URL: "songlate . com/test.json"  (remove spaces).
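The negotiation this comment describes, modelled in Python as an added example (not code from the thread or from Garmin): the two server suite lists are copied from the comment, while WATCH_SUITES is a constructed assumption of a client that only offers static-RSA key exchange, consistent with the comment's observation rather than any published device capability list.

```python
import re

# IANA naming: TLS_<key exchange>[_RSA]_WITH_<bulk cipher>_<hash>
_SUITE_RE = re.compile(r"^TLS_(ECDHE|DHE|RSA)(?:_RSA)?_WITH_(.+)$")

# Site that fails on Fenix 7 / Epix 2 (suites copied from the comment above).
FAILING_SITE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Site that works (subset of the comment's 26 suites): static-RSA and ECDHE mixed.
WORKING_SITE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
# Constructed assumption (not Garmin data): the watch only offers static-RSA key exchange.
WATCH_SUITES = ["TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]

def parse_suite(name):
    """Split an IANA suite name into key-exchange and bulk-cipher properties."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, bulk = m.groups()
    return {
        "kx": kx,
        "forward_secrecy": kx in ("ECDHE", "DHE"),          # ephemeral key exchange
        "aead": any(t in bulk for t in ("GCM", "CCM", "CHACHA20_POLY1305")),
        "legacy_cbc_sha1": bulk.endswith("_CBC_SHA"),       # CBC with a SHA-1 MAC
    }

def negotiate(server_suites, client_suites):
    """Server-preference selection: first server suite the client also offers, else None."""
    offered = set(client_suites)
    return next((s for s in server_suites if s in offered), None)

def compatibility_report(server_suites, client_suites):
    """Distinguish 'no common suite' (handshake fails) from 'common suite without PFS'."""
    chosen = negotiate(server_suites, client_suites)
    return {
        "handshake_ok": chosen is not None,
        "chosen": chosen,
        "chosen_forward_secrecy": chosen is not None and parse_suite(chosen)["forward_secrecy"],
        "server_offers_forward_secrecy": any(parse_suite(s)["forward_secrecy"] for s in server_suites),
    }

if __name__ == "__main__":
    print(compatibility_report(FAILING_SITE, WATCH_SUITES), compatibility_report(WORKING_SITE, WATCH_SUITES))
```

Running `negotiate(WORKING_SITE, FAILING_SITE)` also shows that the two server lists share the ECDHE GCM suites, so a client that supports ephemeral key exchange would connect to both sites.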
