[Android] TLSv1.1 and TLSv1.2 not enabled on Android <5 by default (although supported) #1934

Closed
rfc2822 opened this Issue Oct 19, 2015 · 8 comments


6 participants
@rfc2822
Contributor

rfc2822 commented Oct 19, 2015

Since Android 4.2, Android's TLS implementation supports TLS v1.1 and TLS v1.2, but they're not enabled by default. So they're not enabled in okhttp either (because it just takes the SSLSocketFactory from SSLContext.getInstance("TLS")).

I have played around with ConnectionSpec, but as I have understood it, ConnectionSpec is to set the allowed TLS versions, ciphers etc. and not to manipulate the enabled protocols of SSL sockets – please correct me if I'm wrong.

For Android 5.0+, TLSv1.1/1.2 is used when possible as expected.

Maybe you'll consider enabling TLS v1.1 and TLS v1.2 for Android >= 4.2 < 5.0 too. You can find some details in my blog article: http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv12-with-apache. My current workaround is to use a compatibility socket factory.

If you know an easier solution to get TLSv1.1/1.2 on Android <5 with okhttp, please let me know.

See also http://stackoverflow.com/a/29252730

@SandroMachado


SandroMachado commented Oct 29, 2015

I am facing the same issue; is there any workaround for this?
Probably create a method for okhttp to allow setting an SSLEngine (https://github.com/koush/AndroidAsync/pull/394/files).

@swankjesse

Member

swankjesse commented Oct 29, 2015

@nfuller thoughts?

@SandroMachado


SandroMachado commented Oct 29, 2015

Maybe a better alternative would be to allow okhttp to set a custom SSLSocketFactory. This would allow creating a custom SSLSocketFactory like this one: https://gist.github.com/fkrauthan/ac8624466a4dee4fd02f#file-tlssocketfactory-java (http://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/)

This will allow any device with Android 4.1 or higher to connect to servers that only support TLSv1.2 for security reasons.

@JakeWharton

Collaborator

JakeWharton commented Oct 29, 2015

That API already exists!

https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-


@nfuller

Collaborator

nfuller commented Oct 29, 2015

I'm mostly AFK for today but the usual way if you're coding against OkHttp APIs is to set an SSL socket factory on the client (as suggested above).

If you can use Google Play Services, then look at installing the dynamic security provider: it changes the default SSL socket factory for your whole app, which means you get a more up-to-date SSLSocketFactory by default with better ciphers and (I believe) the newer protocols enabled by default.

@SandroMachado


SandroMachado commented Oct 29, 2015

@JakeWharton thanks, my bad. I didn't know that okhttp already has that API.
Patching the Security Provider with ProviderInstaller fixed the issue, but as we know not every device has Google Play Services, so I tried an alternative approach and it also fixed the issue.

Thanks again.

```java
OkHttpClient okHttpClient = new OkHttpClient();
okHttpClient.setSocketFactory(new SSLSocketFactoryCompat());
```

@swankjesse

Member

swankjesse commented Oct 30, 2015

No action to take here.

@smithaaron


smithaaron commented Jun 17, 2016

Just wanted to point out for anyone stumbling across this:

```java
okHttpClient.setSocketFactory(new SSLSocketFactoryCompat());
```

did not work for me. It needed to be setSslSocketFactory.

pitiphong-p added a commit to omise/omise-android that referenced this issue Oct 4, 2016

chakrit added a commit to omise/omise-android that referenced this issue Oct 5, 2016

Enable TLS 1.2 in Android prior to 5.0.0 (#15)
* Enable TLS 1.2 in Android prior to 5.0.0

For more information please go to square/okhttp#1934

* Throws the `GeneralSecurityException` up to the Activity

This enables our API consumers to handle the thrown exception themselves.