Real world Android 4.4.2 doesn't handle TLS 1.2 #258
Comments
Indeed. Android 5.0: https://developer.android.com/about/versions/android-5.0-changes.html
https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
https://en.wikipedia.org/wiki/Android_version_history
http://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/
For Android, I obtained client capabilities by running an emulator to launch each of the available Android versions. It's possible that the image was "contaminated" and TLS 1.2 enabled even if that's not the default. I'll have to look into it again.
After some searching, I think that the problem is that most smartphone vendors did not ship stock Android; this article clearly states that Samsung replaced the default browser with its own flavor of Chrome 28:
Thanks for your analysis. I think that, strictly speaking, there is no such thing as Android. We have many, many variations instead.
Sorry to necropost, but @frkay did you dig more into the issue? It would be interesting for us if there are any highly-used Android 4.4 devices that support only TLS 1.0 and nothing newer, as we plan to deprecate TLS 1.0 in my company. Thanks!
It's not working on 4.4.4 and 4.4.2.
Hello,
The Wikipedia page about TLS has a web browser support table:
https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
It states that the Android 4.4-4.4.4 browser (not Chrome) has TLS 1.1 and 1.2 disabled by default. SSL Labs reports that TLS 1.1 and 1.2 are supported: https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2. On a real-world Samsung Galaxy S4 mini running Android 4.4.2, I noticed that TLS 1.1 works and that TLS 1.2 is disabled (and did not find a way to enable it). I will add screenshots later on (not my phone). This is somewhat disturbing. I don't know if other KitKat phones behave this way, but perhaps SSL Labs should add a footnote concerning Android 4.4.2, since what is currently reported is misleading for at least some Android devices.
On the other hand, when IE 8-10 / Win 7 are reported to handle only TLS 1.0, this is effectively the default behaviour, but enabling TLS 1.1+ is not that difficult. Regarding Android 4.4.x, I'm a bit lost now. Could you use the SSL browser test to gather real-world results and give a better picture of how TLS is configured on KitKat devices? PCI DSS 3.1 has set the end of June 2016 deadline for TLS 1.0, and it looks like Android 4.4 will still be in use by then.
Cheers
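
Added example (not part of the issue thread or the project's code): one way to gather the real-world picture the thread asks for from a server's own logs before disabling TLS 1.0, by recording the highest protocol each Android client ever negotiated. It assumes a hypothetical nginx `log_format` of `$remote_addr $ssl_protocol "$http_user_agent"`; the log lines and user agents are constructed.

```python
import re
from collections import Counter

# Assumed nginx log_format (hypothetical, not from the thread):
#   log_format tls '$remote_addr $ssl_protocol "$http_user_agent"';
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)"$')
ANDROID_RE = re.compile(r"Android (\d+(?:\.\d+)*)")
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed sample traffic (documentation IP ranges, shortened user agents).
SAMPLE_LOG = """\
203.0.113.10 TLSv1.1 "Mozilla/5.0 (Linux; Android 4.4.2; DeviceA) Chrome/28.0"
203.0.113.10 TLSv1.1 "Mozilla/5.0 (Linux; Android 4.4.2; DeviceA) Chrome/28.0"
203.0.113.11 TLSv1 "Mozilla/5.0 (Linux; U; Android 4.4.4; en-us) Version/4.0"
203.0.113.12 TLSv1.1 "Mozilla/5.0 (Linux; Android 4.4.2; DeviceB) Chrome/49.0"
203.0.113.12 TLSv1.2 "Mozilla/5.0 (Linux; Android 4.4.2; DeviceB) Chrome/49.0"
203.0.113.13 TLSv1.2 "Mozilla/5.0 (Linux; Android 5.0; DeviceC) Chrome/49.0"
198.51.100.7 TLSv1.2 "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
malformed line without the expected fields
"""

def best_protocol_per_client(lines):
    """Map (ip, user_agent) -> highest protocol that client ever negotiated."""
    best = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) not in RANK:
            continue  # skip malformed lines and unknown protocol strings
        ip, proto, ua = m.groups()
        # (ip, ua) only approximates a device: NAT can merge several clients.
        if RANK[proto] > RANK.get(best.get((ip, ua)), -1):
            best[ip, ua] = proto
    return best

def android_breakage(lines, minimum="TLSv1.2"):
    """Per Android version: Counter of best protocols, plus clients below `minimum`."""
    summary, at_risk = {}, []
    for (ip, ua), proto in best_protocol_per_client(lines).items():
        m = ANDROID_RE.search(ua)
        if not m:
            continue  # not an Android client
        summary.setdefault(m.group(1), Counter())[proto] += 1
        if RANK[proto] < RANK[minimum]:
            at_risk.append((ip, m.group(1), proto))
    return summary, sorted(at_risk)

if __name__ == "__main__":
    summary, at_risk = android_breakage(SAMPLE_LOG.splitlines())
    print({v: dict(c) for v, c in sorted(summary.items())})
    print("below TLSv1.2:", at_risk)
```

The tally is only meaningful if the server was offering TLS 1.2 while the log was collected; otherwise every client appears capped at whatever the server allowed.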