I have been using some code which implements https communication with a server without problem on Android 5.1.1 for many years, but the same code will not connect on Android 7.1.1. The server that I'm communicating with only supports SSLv3 (which is of course vulnerable to POODLE), and so many https implementations won't connect if SSLv3 is the highest available protocol.

I'm wondering whether at some point between Android 5.1.1 and 7.1.1, support for SSLv3 was disabled in Android's socket implementation because of the vulnerability. Here's my code to create the original SSL context - I've tried changing the protocol string to e.g. TLSv1 or SSLv3, but to no avail.

SSLContext sslContext = SSLContext.getInstance("TLS");

If this is indeed the problem, is there any way to force Android to allow SSLv3 please?

Any help gratefully received.

Andrew

Andrew17856
  • Based on what is here https://developer.android.com/reference/javax/net/ssl/SSLContext.html SSLv3 should work correctly; it will be removed from the next Android O release – MatPag Jul 17 '17 at 20:24
  • Thanks. Testing on another phone, it seems to affect Android 6+. Seems similar to here: https://github.com/amitshekhariitbhu/Fast-Android-Networking/issues/22 I'll have to do some more debugging to work out what is going on. – Andrew17856 Jul 17 '17 at 20:49
  • I think this might have something to do with it. https://stackoverflow.com/q/33546496/3052279 – Andrew17856 Jul 17 '17 at 21:14
  • Yeah, probably it's related. It should be solvable by buying a new certificate from one of the authorities trusted by Android and installing it on the server (but honestly I'm not 100% sure it will work without testing), or by trying to add the custom certificate to the Android certificates at runtime; maybe more info here https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html and here https://developer.android.com/training/articles/security-config.html – MatPag Jul 17 '17 at 21:34
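
A diagnostic for the two hypotheses raised in this thread (SSLv3 no longer enabled on the client versus a certificate trust failure), added here as an example and not part of the original post or comments. The class name `TlsDiagnostic`, the helper `classify` and the host `legacy.example.invalid` are placeholders chosen for illustration.

```java
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;

public class TlsDiagnostic {
    // Placeholder values (assumptions); replace with the server under test.
    static final String HOST = "legacy.example.invalid";
    static final int PORT = 443;

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // platform default key and trust managers

        // What the platform can speak versus what it offers by default.
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("Supported: " + Arrays.toString(supported));
        System.out.println("Enabled:   " + Arrays.toString(enabled));
        System.out.println("SSLv3 enabled by default: "
                + Arrays.asList(enabled).contains("SSLv3"));

        // Attempt a handshake and report which stage failed.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT)) {
            s.startHandshake();
            System.out.println("Negotiated: " + s.getSession().getProtocol()
                    + " / " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println(classify(e) + ": " + e.getMessage());
        }
    }

    // Walk the cause chain: a certificate exception means the protocol was
    // negotiated and the failure is in trust validation, not in SSLv3 support.
    static String classify(Throwable e) {
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (t instanceof CertificateException
                    || t instanceof CertPathValidatorException) {
                return "certificate/trust failure";
            }
        }
        return "protocol or cipher negotiation failure";
    }
}
```

Running it on both the Android 5.1.1 and the 7.1.1 device and comparing the two "Enabled" lines and the failure class shows which of the two explanations applies.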

0 Answers