Jeff, your solution worked like a charm. The server is now seeing TLSv1.2 requests.
Thanks a bunch.

On Monday, July 7, 2014 7:35:05 PM UTC-7, Jeffrey Walton wrote:
> > > So, I either need to figure out how to do HTTP requests over an
> > > existing socket or figure out how to get TLSv1.2 working with the
> > > existing HttpsUrlRequest. Any suggestions would be much appreciated.
>
> Try using SSLSocketFactory, and call setEnabledProtocols to ensure
> only TLS 1.2 is available.
>
> Java enables SSLv3 (even when asking for TLS), and disables TLS 1.1
> and TLS 1.2 (prior to Java 8). I'm not sure if Android suffers the
> same, though. But it sounds like it.
>
> To work around Java 7 and below's choices, I use SSLSocketFactoryEx to
> set protocols and ciphers. It's already wired for ChaCha/Poly1305
> ciphers, and it's wired for TLS 1.3. But it still needs support from
> the platform (perhaps Java 9). See
> http://stackoverflow.com/a/23365536/608639.
>
> Jeff
>
> public static void main(String[] args) throws Exception {
>
>     SSLSocketFactoryEx factory = new SSLSocketFactoryEx(null, null, null);
>
>     String[] supportedProtocols = factory.getDefaultProtocols();
>     System.out.println("Protocols: " + supportedProtocols.length);
>     for (int i = 0; i < supportedProtocols.length; i++)
>     {
>         System.out.println("  " + supportedProtocols[i]);
>     }
>
>     System.out.println();
>
>     String[] supportedCiphers = factory.getDefaultCipherSuites();
>     System.out.println("Ciphers: " + supportedCiphers.length);
>     for (int i = 0; i < supportedCiphers.length; i++)
>     {
>         System.out.println("  " + supportedCiphers[i]);
>     }
>
>     System.out.println();
>
>     URL url = new URL("https://www.google.com:443");
>
>     HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
>     connection.setSSLSocketFactory(factory);
>     connection.setRequestProperty("charset", "utf-8");
>
>     InputStream input = connection.getInputStream();
>     InputStreamReader reader = new InputStreamReader(input, "utf-8");
>     BufferedReader buffer = new BufferedReader(reader);
>
>     String cipher = connection.getCipherSuite();
>     System.out.println("Cipher: " + cipher);
>     System.out.println();
>
>     String line;
>     while ((line = buffer.readLine()) != null) {
>         System.out.println(line);
>     }
> }
>
> On Mon, Jul 7, 2014 at 10:21 PM, Eamon Doyle <[email protected]> wrote:
> > Hi all. I'm trying to write an app that uses TLSv1.2 but I am having a
> > bear of a time getting it to work. I was able to get an SSLSocket to use
> > TLSv1.2 by doing as follows:
> >
> > SSLCertificateSocketFactory sslSocketFactory = (SSLCertificateSocketFactory)
> >     SSLCertificateSocketFactory.getDefault(0);
> > sslSocketFactory.setKeyManagers((KeyManager[]) getMyKeyManagers());
> > sslSocketFactory.setTrustManagers((TrustManager[]) getMyTrustManagers());
> > SSLSocket s = (SSLSocket) sslSocketFactory.createSocket(InetAddress.getByName(host), 443);
> > s.setEnabledProtocols(new String[] {"TLSv1.2"});
> > sslSocketFactory.setHostname(s, "foo.com");
> > SSLSession session = s.getSession();
> >
> > However, I don't know of a way to do HTTP requests or use an HTTP client
> > with a socket that's already created. So, I tried using an
> > HttpsUrlConnection as follows (error handling omitted for brevity):
> >
> > KeyManager[] keyManagers = getMyKeyManagers();
> > TrustManager[] trustManagers = getMyTrustManagers();
> > SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
> > sslContext.init(keyManagers, trustManagers, null);
> >
> > URL url = new URL("https://foo.com/bar");
> > HttpsURLConnection urlConnection = null;
> > urlConnection = (HttpsURLConnection) url.openConnection();
> > urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
> > urlConnection.connect();
> >
> > The server is set to reject any connection that doesn't attempt TLSv1.2.
> > I sniffed the server port with Wireshark and it shows that in the
> > SSLSocket case, my app tries and succeeds with TLSv1.2 but the
> > HttpsUrlConnection fails because it only tries TLSv1. So, I either need
> > to figure out how to do HTTP requests over an existing socket or figure
> > out how to get TLSv1.2 working with the existing HttpsUrlRequest. Any
> > suggestions would be much appreciated.
