0

I am developing a native android app in java, that needs to communicate with a server, which is very old and only have TLSv1 connectivity with limited number of cipher suites available.

Building the app using Android Studio Chipmunk (2021.2.1) compileSDK 31 minSDK 19 targetSDK 25

My code as follows:

System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2,SSL3");
TrustManager[] trustAllCerts = new TrustManager[] {
  new X509TrustManager() {
    public java.security.cert.X509Certificate[] getAceptedIssuers() {
      return null;
    }
    public void checkClientTrusted(X509Certificate[] certs, String authType) {}
    public void checkServerTrusted(X509Certificate[] certs, String authType) {}
  }
};

ExecutorService ex = Executors.newSingleThreadExecutor();
Callable<String> connectedCallableTask = () -> {
  SSLContext sslContext = SSLContext.getInstance("TLSv1");
  sslContext.init( null, trustAllCerts, new java.security.SecureRandom());
  SSLSocket sslSocket = (SSLSocket) sslFactory.createSocket(serverip, serverport);
  sslSocket.startHandshake();

  ...
  ...
}
Future<String ContentFuture = ex.submit(connectedCallableTask);
...
...

The code stopped/crashed at sslSocket.startHandshake();

After researched for a while, I found out the cipher suites from the client is not accepted by the server.

After I talked to others, they shared a wireshark packets to me. One of the Cipher Suites the server accepts is "TLS_RSA_WITH_RC4_128_MD5". So, I thought I can simply add the following ciper suites in my client side code:

SSLParameters params = new SSLParameters();
params.setProtocols(new String[] {"TLSv1"});
params.setCipherSuites(new String[] {"TLS_RSA_WITH_RC4_18_MD5"});
sslSocket.setSSLParameters(params);
sslSocket.startHandshake();

It throws me an exception: Unsupported Cipher Suites

What could I do to connect to the old server, which I have no idea whats in there.

David Kwan
  • 1
  • `TLS_RSA_WITH_RC4_18_MD5` is considered insecure for many years and thus not available anymore in modern TLS stacks, i.e. there is no way to enable it. If you can communicate with this broken server depends if the server also supports some more modern ciphers. This isn't known from your post though. If this is a public accessible web server you might check it out with [SSLLabs](https://ssllabs.com/ssltest/analyze.html). – Steffen Ullrich Jun 05 '22 at 15:17
  • Thank you for the comment. It isn't a website, but a physical server. is there anyway we can know more about the server box? – David Kwan Jun 05 '22 at 15:36
  • *"It isn't a website, but a physical server"* - Websites ultimately also run on physical servers. The question is, if it is reachable by a web browser from the internet. – Steffen Ullrich Jun 05 '22 at 15:40

0 Answers0