How to enable TLSv1.3 for OkHttp 3.12.x on Android 8/9?

I'm using OkHttp 3.12.2 on Android 9 (Pixel 2 device) and am trying to connect to an nginx 1.14.0 running with OpenSSL 1.1.1. The nginx is capable of TLSv1.3; I verified this with Firefox 66.0.2 on Ubuntu 18.04, Chrome 73.0 on Android 9 and ChromeOS 72.0.

However, OkHttp always negotiates TLSv1.2. I also tried to set a RESTRICTED_TLS ConnectionSpec, but it didn't help.

I did not find a specific instruction on how to get TLSv1.3 working on Android. I know that only Android 8 and 9 support TLSv1.3 out of the box; I'm fine for now with that restriction.

My experience from earlier TLS migrations is that I don't have to do anything except update all involved components.

Andreas asked Apr 05 '19 16:04


2 Answers

As shown in the official link, TLSv1.3 is supported from Android 10 (API level 29) onwards. So to support TLSv1.3 in previous versions we can integrate the Conscrypt library. The Conscrypt security provider includes a public API for TLS functionality. For that we have to add the dependency:

dependencies {
  implementation 'org.conscrypt:conscrypt-android:2.2.1'
}

Here also we need OkHttp client as it supports conscrypt.

As documented in OkHttp,

OkHttp uses your platform’s built-in TLS implementation. On Java platforms OkHttp also supports Conscrypt, which integrates BoringSSL with Java. OkHttp will use Conscrypt if it is the first security provider.

After adding the Conscrypt dependency, in the Application class we just have to mention:

Security.insertProviderAt(Conscrypt.newProvider(), 1);

This can be helpful to provide support and enable TLS 1.3 in older Android versions (API level < 29).

Dhaval Shah answered Sep 19 '22 08:09


The problem is likely that the client or the certificate might not support TLS 1.3 in all situations, and then will fall back. Try running an SSL test to verify that (it also performs checks for mobile clients, which might negotiate differently). Upgrading OkHttp to 3.13 or 3.14 (soon) might also be an option; here's the change log. Even if Android should support it, the client needs to be configured as well:

import java.util.Arrays;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;

OkHttpClient client = new OkHttpClient.Builder()
    .connectionSpecs(Arrays.asList(ConnectionSpec.MODERN_TLS)) // only this spec is offered; no fallback to COMPATIBLE_TLS
    .build();

Possible values there are: RESTRICTED_TLS, MODERN_TLS and (backwards) COMPATIBLE_TLS.

Martin Zeitler answered Sep 18 '22 08:09
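Putting the two answers together, here is an added example that is not code from either answer nor from the OkHttp or Conscrypt projects. It registers Conscrypt as the first security provider in a hypothetical Application subclass (named Tls13App here; the manifest entry is assumed), builds an OkHttpClient that offers only RESTRICTED_TLS so a downgrade to TLS 1.0/1.1 cannot happen silently, and reads the negotiated protocol back from the response handshake so you can confirm "TLSv1.3" on the device instead of guessing from the server side. A stricter TLS-1.3-only spec is included for a diagnostic build. It assumes OkHttp 3.12.x and conscrypt-android 2.2.1 as used on this page.

```java
import java.io.IOException;
import java.security.Security;
import java.util.Collections;

import android.app.Application;
import android.util.Log;

import okhttp3.ConnectionSpec;
import okhttp3.Handshake;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;
import org.conscrypt.Conscrypt;

// Hypothetical Application subclass; assumed to be registered in AndroidManifest.xml
// via android:name=".Tls13App" so onCreate() runs before any network code.
public class Tls13App extends Application {
    private static final String TAG = "Tls13App";

    @Override
    public void onCreate() {
        super.onCreate();
        // Position 1 puts Conscrypt ahead of the platform provider. This must happen
        // before the first OkHttpClient/SSLContext is created, otherwise the platform
        // TLS stack is already bound and Conscrypt is never consulted.
        Security.insertProviderAt(Conscrypt.newProvider(), 1);
    }

    // Client that offers only RESTRICTED_TLS (TLS 1.3 and 1.2 with a modern cipher list
    // in OkHttp 3.12.x). Because COMPATIBLE_TLS is not in the list, a server that cannot
    // meet the spec causes a handshake failure rather than a silent fallback.
    public static OkHttpClient buildClient() {
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(ConnectionSpec.RESTRICTED_TLS))
                .build();
    }

    // Diagnostic variant: refuse anything but TLS 1.3 so a downgrade fails loudly.
    // Use it to test the server, not as the production client, or Android < 8 clients
    // and TLS 1.2-only servers will be unreachable.
    public static OkHttpClient buildTls13OnlyClient() {
        ConnectionSpec tls13Only = new ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
                .tlsVersions(TlsVersion.TLS_1_3)
                .build();
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(tls13Only))
                .build();
    }

    // Performs one request and returns the protocol OkHttp actually negotiated
    // ("TLSv1.3", "TLSv1.2", ...), or null when the URL was plain http://.
    // A handshake failure (e.g. with the TLS-1.3-only client) surfaces as IOException.
    public static String negotiatedTlsVersion(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            Handshake handshake = response.handshake();
            if (handshake == null) {
                return null;
            }
            Log.i(TAG, "cipher suite: " + handshake.cipherSuite().javaName());
            return handshake.tlsVersion().javaName();
        }
    }
}
```

Call negotiatedTlsVersion(Tls13App.buildClient(), "https://your-nginx-host/") from a background thread (a network call on the main thread throws NetworkOnMainThreadException). If it still reports "TLSv1.2" after Conscrypt is installed first, the provider was registered too late or the server's OpenSSL 1.1.1 configuration is not offering TLS 1.3 to this client's cipher list; the TLS-1.3-only client makes that case fail immediately instead of quietly negotiating down.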