
Android: determine TLS support of device programmatically

Tags: android, https, ssl

So the host I use has recently disabled TLS 1.0, so for any device that doesn't support TLS 1.0 I need to use http rather than https (nothing sensitive is sent anyway... I just prefer to use SSL for everything where possible).

It appears that TLS 1.1/1.2 has been supported since API 16, but not enabled by default since around API 20 or 21. There are conflicting reports about exactly when the default was switched. See e.g. here (suggests from API 20) and here (suggests from API 21). And it seems that some devices even pre API 20 have TLS 1.1/1.2 support enabled, probably because the manufacturer tweaked things to make this happen.

I know that it's possible to enable TLS 1.1/1.2 on those devices that support it (see e.g. here), and maybe it's even possible to do it via Play Services as described here.

But I'd rather not have the hassle of implementing these sorts of hacks (and dealing with any issues from users), and just accept that any device running my app that does not already support TLS 1.1/1.2 should use http rather than https. As I said, nothing that would be classed as "sensitive" is communicated anyway. Over time, the number of devices that don't support TLS 1.1/1.2 will diminish.

So, with that said, is there a way of programmatically determining what TLS versions are supported by the device?

At the moment I just use the API version for this check ("use https from API 21 onwards"), but it would be better to check for TLS support more explicitly because some older devices will also support TLS 1.1/1.2.

asked Mar 17 '17 10:03

drmrbrewer


2 Answers

So, with that said, is there a way of programmatically determining what TLS versions are supported by the device?

Try this:

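import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

String[] protocols = new String[0];
try {
    // Parameters that the default SSLContext applies to new sockets
    SSLParameters sslParameters = SSLContext.getDefault()
            .getDefaultSSLParameters();
    // SSLv3, TLSv1, TLSv1.1, TLSv1.2 etc.
    protocols = sslParameters.getProtocols();
} catch (NoSuchAlgorithmException e) {
    // ...
}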
answered Sep 18 '22 10:09

nandsito


Using the security Provider as mentioned is the best approach, and using the snippet from @nandsito is great for debugging (especially on older devices such as Samsung Galaxy S3 which by default has SSLv3 and TLSv1, but not TLSv1.1 and TLSv1.2).

answered Sep 20 '22 10:09

lorenzo
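
The question distinguishes TLS versions a device supports from those it enables by default, and the second answer describes a device whose defaults stop at TLSv1. The following is an added example, not code from either answer, that reports both states per protocol using `SSLContext.getDefaultSSLParameters()` and `SSLContext.getSupportedSSLParameters()`. The class name `TlsSupport` and its methods are hypothetical; it also runs on a desktop JVM through `main`.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

/** Hypothetical helper; the class and method names are assumptions, not an Android API. */
public final class TlsSupport {

    public enum Status { ENABLED_BY_DEFAULT, SUPPORTED_BUT_DISABLED, UNSUPPORTED }

    private TlsSupport() {}

    /** Classifies one protocol name, e.g. "TLSv1.2", against the default SSLContext. */
    public static Status check(String protocol) {
        try {
            SSLContext ctx = SSLContext.getDefault();
            // Enabled on new sockets without any extra configuration.
            if (contains(ctx.getDefaultSSLParameters().getProtocols(), protocol)) {
                return Status.ENABLED_BY_DEFAULT;
            }
            // Implemented by the provider, but only used after it is enabled explicitly.
            if (contains(ctx.getSupportedSSLParameters().getProtocols(), protocol)) {
                return Status.SUPPORTED_BUT_DISABLED;
            }
        } catch (NoSuchAlgorithmException e) {
            // No default SSLContext available: report the protocol as unsupported.
        }
        return Status.UNSUPPORTED;
    }

    /** True when TLS 1.1 or 1.2 is already enabled on the device's default sockets. */
    public static boolean modernTlsEnabledByDefault() {
        return check("TLSv1.2") == Status.ENABLED_BY_DEFAULT
                || check("TLSv1.1") == Status.ENABLED_BY_DEFAULT;
    }

    private static boolean contains(String[] protocols, String wanted) {
        return protocols != null && Arrays.asList(protocols).contains(wanted);
    }

    public static void main(String[] args) {
        for (String p : new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}) {
            System.out.println(p + ": " + check(p));
        }
        System.out.println("TLS 1.1/1.2 enabled by default: " + modernTlsEnabledByDefault());
    }
}
```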