I am using the Volley framework for making network requests. I am trying to enable TLS 1.2 support for a phone running API version 19 (4.4.2). As per the SSL socket documentation, TLS 1.2 is supported but not enabled by default. As per recommendations on various Android blogs, I tried using a custom SSL socket factory to enable TLSv1.2. My code looks like the following:

    import java.io.IOException;
    import java.net.InetAddress;
    import java.net.Socket;
    import java.net.UnknownHostException;
    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    public class TLSSocketFactory extends SSLSocketFactory {

        // Platform factory that every createSocket() overload delegates to.
        private SSLSocketFactory internalSSLSocketFactory;

        public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, null, null);
            internalSSLSocketFactory = context.getSocketFactory();
        }

        @Override
        public String[] getDefaultCipherSuites() {
            return internalSSLSocketFactory.getDefaultCipherSuites();
        }

        @Override
        public String[] getSupportedCipherSuites() {
            return internalSSLSocketFactory.getSupportedCipherSuites();
        }

        @Override
        public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return enableTLSOnSocket(internalSSLSocketFactory.createSocket(s, host, port, autoClose));
        }

        @Override
        public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
            return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
        }

        @Override
        public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
            return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port, localHost, localPort));
        }

        @Override
        public Socket createSocket(InetAddress host, int port) throws IOException {
            return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
        }

        @Override
        public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
            return enableTLSOnSocket(internalSSLSocketFactory.createSocket(address, port, localAddress, localPort));
        }

        // Restrict every socket produced by this factory to TLSv1.1 and TLSv1.2.
        private Socket enableTLSOnSocket(Socket socket) {
            if (socket != null && (socket instanceof SSLSocket)) {
                ((SSLSocket) socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
            }
            return socket;
        }
    }

I use this TLS socket factory to get the Volley request queue as follows:

    HttpStack stack = null;
    if (Build.VERSION.SDK_INT >= 9) {
        try {
            if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
                // Use a socket factory that removes SSLv3 and adds TLS 1.2
                stack = new HurlStack(null, new TLSSocketFactory());
            } else {
                stack = new HurlStack();
            }
        } catch (Exception e) {
            stack = new HurlStack();
            Log.i("NetworkClient", "can no create custom socket factory");
        }
    }
    mContext = applicationContext;
    if (mRequestQueue == null) {
        mRequestQueue = Volley.newRequestQueue(applicationContext, stack);
    }
    .....
    VolleyRequest volleyRequest = new VolleyRequest(request, future, getRequestMethod(request));
    mRequestQueue.add(volleyRequest);

When I look at the socket returned by enableTLSOnSocket() in the debugger, it appears as in the attached screenshot. It shows that the enabled protocols for the socket are TLSv1.1 and TLSv1.2, although setEnabledProtocols() does not affect the protocols listed under the SSL parameters, which still stay at TLSv1 and SSLv3. When I look at the ClientHello packet on the server side, I see that the client announces the TLSv1 protocol instead of TLS 1.2. So I am a bit confused: why does the server not see TLS 1.2 when the client sees it? Moreover, I observed that if I run the same test on a device running Android 5.0 (API 20) or above, the structure of the socket variable is totally different.

<https://lh3.googleusercontent.com/-obmfkybzIX0/VgQnzeb2lUI/AAAAAAAAAH4/UZAB8ikEwr8/s1600/Screen%2BShot%2B2015-09-23%2Bat%2B4.02.59%2BPM.png>

Can someone help me find out what I am missing, and why the server sees TLSv1 even though the client-side socket in the debugger shows TLSv1.2?

--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
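
One way to confirm from the client side which protocol version a socket really negotiates, rather than relying on the debugger view, as an added example that is not part of the original post. The class and method names are hypothetical; it uses only the standard JSSE calls getSupportedProtocols(), setEnabledProtocols(), getEnabledProtocols() and getSession().getProtocol().

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added diagnostic example; class and method names are hypothetical. */
public final class TlsProtocolCheck {
    private static final String[] WANTED = {"TLSv1.1", "TLSv1.2"};

    /** Enables only the wanted protocols that this socket implementation supports. */
    static String[] restrictProtocols(SSLSocket socket) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> enable = new ArrayList<>();
        for (String p : WANTED) {
            if (supported.contains(p)) {
                enable.add(p);
            }
        }
        if (enable.isEmpty()) {
            // Fail closed instead of silently keeping the platform defaults.
            throw new IllegalStateException("None of the wanted protocols in " + supported);
        }
        socket.setEnabledProtocols(enable.toArray(new String[0]));
        // Read the setting back from the socket instead of assuming it took effect.
        return socket.getEnabledProtocols();
    }

    /** Connects, restricts the protocols, handshakes, and returns the negotiated version. */
    static String negotiatedProtocol(SSLSocketFactory factory, String host, int port)
            throws IOException {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            System.out.println("enabled: " + Arrays.toString(restrictProtocols(socket)));
            socket.startHandshake();
            // The session reports the version both peers agreed on.
            return socket.getSession().getProtocol();
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumption: the platform default factory; a wrapping factory can be passed instead.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        if (args.length == 2) {
            String version = negotiatedProtocol(factory, args[0], Integer.parseInt(args[1]));
            System.out.println("negotiated: " + version);
        } else {
            System.out.println("usage: TlsProtocolCheck <host> <port>");
        }
    }
}
```

Logging the negotiated version next to the enabled list gives a client-side value to compare against the ClientHello captured on the server.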