[Android] TLSv1.1 and TLSv1.2 not enabled on Android <5 by default (although supported)

[rfc2822]

Since Android 4.2, Android's TLS implementation supports TLS v1.1 and TLS v1.2, but it's not enabled by default. So, it's not enabled in okhttp, too (because it just takes the SSLSocketFactory from SSLContext.getInstance('TLS')).

I have played around with ConnectionSpec, but as I have understood it, ConnectionSpec is to set the allowed TLS versions, ciphers etc. and not to manipulate the enabled protocols of SSL sockets – please correct me if I'm wrong.

For Android 5.0+, TLSv1.1/1.2 is used when possible as expected.

Maybe you'll consider enabling TLS v1.1 and TLS v1.2 for Android >= 4.2 < 5.0 too. You can find some details in my blog article: http://blog.dev001.net/post/67082904181/android-using-sni-and-tlsv12-with-apache. My current workaround is to use a compatibility socket factory.

If you know an easier solution to get TLSv1.1/1.2 on Android <5 with okhttp, please let me know.

See also http://stackoverflow.com/a/29252730

[SandroMachado]

I am facing the same issue, there any workaround to this?
Probably create a method for the okhttp to allow the set of an SSLEngine (https://github.com/koush/AndroidAsync/pull/394/files).

[swankjesse]

@nfuller thoughts?

[SandroMachado]

Maybe a better alternative should be allow the okhttp to set a custom SSLSocketFactory. This will allow to do create a custom SSLSocketFactory like this one https://gist.github.com/fkrauthan/ac8624466a4dee4fd02f#file-tlssocketfactory-java (http://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/)

This will allow the connection of any android device with Android 4.1 or higher to servers that only supports TLSv1.2 for security reasons.

[JakeWharton]

That API already exists!

https
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
://
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
square.github.io
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
/
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
okhttp
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
/2.x/
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
okhttp
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
/com/
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
squareup
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
/
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
okhttp
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
/
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-
https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/OkHttpClient.html#setSslSocketFactory-javax.net.ssl.SSLSocketFactory-

On Thu, Oct 29, 2015, 12:28 PM Sandro Machado notifications@github.com
wrote:

Maybe a better alternative should be allow to set a custom
SSLSocketFactory. This will allow to do create a custom SSLSocketFactory
like this one
https://gist.github.com/fkrauthan/ac8624466a4dee4fd02f#file-tlssocketfactory-java
(
http://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/
)

This will allow the connection of any android device with Android 4.1 or
higher to servers that only supports TLSv1.2 for security reasons.

—
Reply to this email directly or view it on GitHub
#1934 (comment).

[nfuller]

I'm mostly AFK for today but the usual way if you're coding against OkHttp APIs is to set an SSL socket factory on the client (as suggested above).

If you can use Google Play Services, then look at installing the dynamic security provider: it changes the default SSL socket factory for your whole app, which means you get a more up-to-date SSLSocketFactory by default with better ciphers and (I believe) the newer protocols enabled by default.

[SandroMachado]

@JakeWharton thanks, my bad. I didn't know that okhttp already have that api.
[Patching the Security Provider with ProviderInstaller](Patching the Security Provider with ProviderInstaller) fixed the issue, but as we know not every device has Google Play Services, so I tried an alternative approach and it also fixed the issue.

Thanks again.

OkHttpClient okHttpClient = new OkHttpClient();
okHttpClient.setSocketFactory(new SSLSocketFactoryCompat());

[swankjesse]

No action to take here.

[smithaaron]

Just wanted to point out for anyone stumbling across this
okHttpClient.setSocketFactory(new SSLSocketFactoryCompat());
did not work for me. It needed to be setSslSocketFactory