
Support for TLS v1.2 was added in Android 4.2, but it wasn't enabled by default. This issue was quite easy to fix with OkHttp 3.x by providing a custom SSLSocketFactory implementation to the OkHttp client:

// OkHttp 3.x takes the SSL socket factory through the builder, together with the
// trust manager it was built from; keyManagers and trustManager are assumed to be
// set up elsewhere (trustManager must be an X509TrustManager).
OkHttpClient okHttpClient = new OkHttpClient.Builder()
    .sslSocketFactory(new MySSLSocketFactory(keyManagers, trustManager), trustManager)
    .build();

In my case the custom socket factory was setting the enabled protocols like this:

import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

public class MySSLSocketFactory extends SSLSocketFactory {
  // TLSv1.1 and TLSv1.2 are supported but not enabled by default on the old
  // Android releases in question; enabling them per socket is the whole fix.
  private static final String[] TLS_PROTOCOLS = new String[]{ "TLSv1.1", "TLSv1.2" };

  private final SSLSocketFactory delegate;

  public MySSLSocketFactory(final KeyManager[] keyManagers, final TrustManager trustManager) throws KeyManagementException, NoSuchAlgorithmException {
    final SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(keyManagers, new TrustManager[]{ trustManager }, null);
    delegate = sslContext.getSocketFactory();
  }

  // ... getDefaultCipherSuites(), getSupportedCipherSuites() and the createSocket()
  // overloads delegate to `delegate` and pass each new socket through enableTLSOnSocket()

  private Socket enableTLSOnSocket(final Socket socket) {
    if (socket instanceof SSLSocket) {
      ((SSLSocket) socket).setEnabledProtocols(TLS_PROTOCOLS);
    }
    return socket;
  }
}

In the latest OkHttp release, 3.11, we can read:

Fix: Prefer TLSv1.2 where it is available. On certain older platforms it is necessary to opt-in to TLSv1.2

I was trying to check relevant commits (probably this one) but I'm not sure if it addresses the same issue as the custom factory does.

So my question is: is it safe to remove the custom SSLSocketFactory when OkHttp 3.11+ is used, and still keep TLS 1.2 usage on old Android devices?


1 Answer


I've tested the latest (3.11) OkHttp version with the default socket factory:

final SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, new TrustManager[]{ trustManager }, null);
// handed to OkHttp unchanged, without any setEnabledProtocols() call
final SSLSocketFactory defaultFactory = sslContext.getSocketFactory();

Unfortunately, TLSv1.2 isn't preferred even though it is available. For now, I have to keep using my own implementation of SSLSocketFactory which includes TLSv1.2.