AndroidClientHandler TLS 1.1 and 1.2 support on Android 4.1 to 4.4 #1615

leonluc-dev · 2018-04-30T15:11:44Z

Currently the AndroidClientHandler only supports TLS 1.1 and TLS 1.2 on API Level 20 or up.

However, the SslSocket instances that Java.Net.HttpURLConnection (and by extension AndroidClientHandler) utilizes do have support for TLS 1.1 and 1.2, but they are disabled by default on API Level 16 to 19 (Android 4.1 to 4.4).

This is shown in the following screenshot when such a socket is examined during runtime on Android 4.1 to 4.4 (screenshot is API Level 17/Android 4.2):

Currently I solved this by subclassing AndroidClientHandler and implementing a custom SSLSocketFactory that builts upon the default implementation.

using Javax.Net.Ssl;
using Xamarin.Android.Net;

namespace MyAndroidApp.HelperClasses
{
    public class MyAndroidClientHandler : AndroidClientHandler
    {
        TlsSSLSocketFactory _customTlsSSLSocketFactory = new TlsSSLSocketFactory();
        protected override System.Threading.Tasks.Task SetupRequest(System.Net.Http.HttpRequestMessage request, Java.Net.HttpURLConnection conn)
        {
            if (conn is HttpsURLConnection sslConn)
            {
                if (Android.OS.Build.VERSION.SdkInt < Android.OS.BuildVersionCodes.Lollipop)
                    //Enable support for TLS v1.2 through custom TLS socketfactory
                    sslConn.SSLSocketFactory = _customTlsSSLSocketFactory;
            }
            return base.SetupRequest(request, conn);
        }


        private class TlsSSLSocketFactory : SSLSocketFactory
        {
            readonly SSLSocketFactory factory = (SSLSocketFactory)Default;

            public override string[] GetDefaultCipherSuites()
            {
                return factory.GetDefaultCipherSuites();
            }

            public override string[] GetSupportedCipherSuites()
            {
                return factory.GetSupportedCipherSuites();
            }
            public override Java.Net.Socket CreateSocket(Java.Net.InetAddress address, int port, Java.Net.InetAddress localAddress, int localPort)
            {
                return EnableTlsOnSocket(factory.CreateSocket(address, port, localAddress, localPort));
            }

            public override Java.Net.Socket CreateSocket(Java.Net.InetAddress host, int port)
            {
                return EnableTlsOnSocket(factory.CreateSocket(host, port));
            }

            public override Java.Net.Socket CreateSocket(string host, int port, Java.Net.InetAddress localHost, int localPort)
            {
                return EnableTlsOnSocket(factory.CreateSocket(host, port, localHost, localPort));
            }

            public override Java.Net.Socket CreateSocket(string host, int port)
            {
                return EnableTlsOnSocket(factory.CreateSocket(host, port));
            }

            public override Java.Net.Socket CreateSocket(Java.Net.Socket s, string host, int port, bool autoClose)
            {
                return EnableTlsOnSocket(factory.CreateSocket(s, host, port, autoClose));
            }

            public override Java.Net.Socket CreateSocket()
            {
                return EnableTlsOnSocket(factory.CreateSocket());
            }

            private Java.Net.Socket EnableTlsOnSocket(Java.Net.Socket socket)
            {
                if(socket != null && (socket is SSLSocket sslSocket))
                {
                    sslSocket.SetEnabledProtocols(sslSocket.GetSupportedProtocols());
                }
                return socket;
            }

           protected override void Dispose(bool disposing)
           {
                factory.Dispose();
                base.Dispose(disposing);
           }
        }
    }

}

It's based on a solution originally provided for ModernHttpClient
This allows the AndroidClientHandler to support TLS 1.1 and TLS 1.2 on pre-API 20 Android versions.

Does this solution have any major caveats to it, or could this possibly be implemented in AndroidClientHandler itself?

The text was updated successfully, but these errors were encountered:

Context: xamarin#1615 It turns out that the older platforms do support TLS 1.1 and 1.2 protocols but that they don't enable it by default. Thanks to code provided by https://github.com/gameleon-dev in the issue linked to above we now support it too. Updated the TLS 1.2 tests to enable them on platforms >= 16

grendello · 2018-09-14T14:27:20Z

PR incorporating the code from OP is up, thanks @gameleon-dev!

Context: xamarin#1615 It turns out that the older platforms do support TLS 1.1 and 1.2 protocols but that they don't enable it by default. Thanks to code provided by https://github.com/gameleon-dev in the issue linked to above we now support it too. Updated the TLS 1.2 tests to enable them on platforms >= 16

grendello · 2018-09-17T18:23:04Z

Fixed in: d8f1783

jonpryor assigned grendello May 3, 2018

grendello mentioned this issue Sep 14, 2018

Enabled TLS 1.1 and 1.2 support on platforms >= 16 and <= 20 #2185

Merged

jonpryor closed this as completed in d8f1783 Sep 17, 2018

xamarin locked as resolved and limited conversation to collaborators Jun 8, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AndroidClientHandler TLS 1.1 and 1.2 support on Android 4.1 to 4.4 #1615

AndroidClientHandler TLS 1.1 and 1.2 support on Android 4.1 to 4.4 #1615

leonluc-dev commented Apr 30, 2018 •

edited

grendello commented Sep 14, 2018

grendello commented Sep 17, 2018

AndroidClientHandler TLS 1.1 and 1.2 support on Android 4.1 to 4.4 #1615

AndroidClientHandler TLS 1.1 and 1.2 support on Android 4.1 to 4.4 #1615

Comments

leonluc-dev commented Apr 30, 2018 • edited

grendello commented Sep 14, 2018

grendello commented Sep 17, 2018

leonluc-dev commented Apr 30, 2018 •

edited