performRequest()_hurlstack.png suggests that in that scenario you're using
GMSCore Security Provider's TLS/SSL stack. If you are indeed installing
this provider during the application's startup, then you shouldn't need to
enable TLSv1.1 and TLSv1.2 -- they are enabled by default in this
provider's TLS/SSL implementation.

Please provide the dump of ClientHello or the first TLS record transmitted
by the client.

Alex
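
Added example, not part of the original message: a small Python parser for the kind of dump requested above (the first TLS record sent by the client). It reports the record-layer version and the ClientHello's own client_version separately, because these are two distinct fields that need not match, so a record-layer value of TLS 1.0 does not by itself show the highest version the client offered. The sample bytes are constructed, and the parser assumes the ClientHello fits in a single record.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Parse the first TLS record; assumes the ClientHello fits in one record."""
    try:
        ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a complete ClientHello handshake record")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            raise ValueError("ClientHello continues in a later record")
        (client_ver,) = struct.unpack("!H", hello[:2])
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + hello[pos]             # skip session_id (1-byte length prefix)
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        if pos + cs_len > len(hello):
            raise ValueError("cipher suite list runs past the ClientHello")
        suites = [int.from_bytes(hello[i:i + 2], "big")
                  for i in range(pos, pos + cs_len, 2)]
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "client_version": VERSIONS.get(client_ver, hex(client_ver)),
        "cipher_suites": suites,
    }

def build_sample(client_version: int) -> bytes:
    """Constructed sample: record layer says 0x0301, hello offers client_version."""
    hello = (client_version.to_bytes(2, "big") + bytes(32)   # version + random
             + b"\x00"                                        # empty session_id
             + bytes.fromhex("0004c02f002f")                  # two cipher suites
             + b"\x01\x00")                                   # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    for offered in (0x0303, 0x0301):
        print(parse_client_hello(build_sample(offered)))
```
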

On Thu, Sep 24, 2015 at 12:53 PM Kunal Shah <kunal.msha...@gmail.com> wrote:

> Hi Alex,
>
> * Volley is configured to use the hurl stack.
> * I debugged through the code and observed the contents of the objects within
> the performRequest method of hurl stack and the send socketRequest method of
> http engine; I see TLS being present at both places.
>
> * I will be posting a Wireshark screenshot soon, but it showed something like
> "PROTOCOL: TLSV1".
> Please see attachments.
>
> * Please note that the server does support TLS 1.2 when the app runs on OS
> versions greater than or equal to 5.0.
>
> Thanks,
> Kunal
>
> On Thursday, September 24, 2015 at 12:03:04 PM UTC-5, Alex Klyubin wrote:
>
>> * Please provide the contents of ClientHello or the TLS record containing
>> it.
>> * Are you sure Volley (or the underlying HTTP stack it's configured to
>> use) does not modify settings on SSLSocket instances returned by
>> SSLSocketFactory provided to it?
>> * What HTTP stack did you configure Volley to use?
>>
>> Alex
>>
>> On Thu, Sep 24, 2015 at 9:44 AM Kunal Shah <kunal....@gmail.com> wrote:
>>
>>> I am using the Volley framework for making network requests. I am trying to
>>> enable TLS 1.2 support for a phone running API version 19 (4.4.2).
>>> As per the SSLSocket documentation, TLS 1.2 is supported but not enabled by
>>> default. As per recommendations on various Android blogs, I tried using a
>>> custom SSLSocketFactory to enable TLSv1.2. My code looks like the following:
>>>
>>>
>>> import java.io.IOException;
>>> import java.net.InetAddress;
>>> import java.net.Socket;
>>> import java.net.UnknownHostException;
>>> import java.security.KeyManagementException;
>>> import java.security.NoSuchAlgorithmException;
>>> import javax.net.ssl.SSLContext;
>>> import javax.net.ssl.SSLSocket;
>>> import javax.net.ssl.SSLSocketFactory;
>>>
>>> // Wraps the platform SSLSocketFactory and overrides the enabled protocols
>>> // on every socket it creates.
>>> public class TLSSocketFactory extends SSLSocketFactory {
>>>
>>>     private SSLSocketFactory internalSSLSocketFactory;
>>>
>>>     public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException {
>>>         SSLContext context = SSLContext.getInstance("TLS");
>>>         context.init(null, null, null);
>>>         internalSSLSocketFactory = context.getSocketFactory();
>>>     }
>>>
>>>     @Override
>>>     public String[] getDefaultCipherSuites() {
>>>         return internalSSLSocketFactory.getDefaultCipherSuites();
>>>     }
>>>
>>>     @Override
>>>     public String[] getSupportedCipherSuites() {
>>>         return internalSSLSocketFactory.getSupportedCipherSuites();
>>>     }
>>>
>>>     @Override
>>>     public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
>>>         return enableTLSOnSocket(internalSSLSocketFactory.createSocket(s, host, port, autoClose));
>>>     }
>>>
>>>     @Override
>>>     public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
>>>         return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
>>>     }
>>>
>>>     @Override
>>>     public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
>>>             throws IOException, UnknownHostException {
>>>         return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port, localHost, localPort));
>>>     }
>>>
>>>     @Override
>>>     public Socket createSocket(InetAddress host, int port) throws IOException {
>>>         return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
>>>     }
>>>
>>>     @Override
>>>     public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
>>>             throws IOException {
>>>         return enableTLSOnSocket(internalSSLSocketFactory.createSocket(address, port, localAddress, localPort));
>>>     }
>>>
>>>     // Restrict the socket to TLSv1.1 and TLSv1.2 before it is handed to the caller.
>>>     private Socket enableTLSOnSocket(Socket socket) {
>>>         if (socket != null && (socket instanceof SSLSocket)) {
>>>             ((SSLSocket) socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
>>>         }
>>>         return socket;
>>>     }
>>> }
>>>
>>> I use this TLS socket factory to get the Volley request queue as follows:
>>>
>>>
>>> HttpStack stack = null;
>>>
>>> if (Build.VERSION.SDK_INT >= 9) {
>>>     try {
>>>         if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
>>>             // Use a socket factory that removes sslv3 and add TLS1.2
>>>             stack = new HurlStack(null, new TLSSocketFactory());
>>>         } else {
>>>             stack = new HurlStack();
>>>         }
>>>     } catch (Exception e) {
>>>         stack = new HurlStack();
>>>         Log.i("NetworkClient", "can no create custom socket factory");
>>>     }
>>> }
>>>
>>> mContext = applicationContext;
>>> if (mRequestQueue == null) {
>>>     mRequestQueue = Volley.newRequestQueue(applicationContext, stack);
>>> }
>>>
>>>
>>> .....
>>>
>>> VolleyRequest volleyRequest = new VolleyRequest(request, future, getRequestMethod(request));
>>> mRequestQueue.add(volleyRequest);
>>>
>>>
>>>
>>> When I look at the socket returned by enableTLSOnSocket() in the debugger, it
>>> appears as in the attached screenshot. It shows the enabled protocols for the
>>> socket are TLSv1.1 and TLSv1.2. However, setEnabledProtocols() does not affect
>>> the protocols listed under the SSL parameter, which still stay at TLSv1 and SSLv3.
>>>
>>>
>>> When I look at the ClientHello message packet on the server side, I see the client
>>> announces the TLSv1 protocol instead of TLS 1.2. So I am a bit confused why the
>>> server does not see TLS 1.2 but the client sees it.
>>>
>>>
>>> Moreover, I observed that if I run the same test on a device running Android 5.0
>>> (API 20) or above, the structure of the socket variable is totally different.
>>>
>>>
>>>
>>> <https://lh3.googleusercontent.com/-obmfkybzIX0/VgQnzeb2lUI/AAAAAAAAAH4/UZAB8ikEwr8/s1600/Screen%2BShot%2B2015-09-23%2Bat%2B4.02.59%2BPM.png>
>>>
>>> Can someone help me find out what I am missing and why the server sees TLSv1
>>> even though the client-side socket in the debugger shows TLSv1.2?
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Android Security Discussions" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to android-security-discuss+unsubscr...@googlegroups.com.
>>>
>>> To post to this group, send email to android-secu...@googlegroups.com.
>>> Visit this group at
>>> http://groups.google.com/group/android-security-discuss.
>>> For more options, visit https://groups.google.com/d/optout.
>>>