How to enable TLSv1.3 for OkHttp 3.12.x on Android 8/9?

六月ゝ 毕业季﹏ submitted on 2020-01-13 09:37:10

Question


I'm using OkHttp 3.12.2 on Android 9 (Pixel 2 device) and trying to connect to an nginx 1.14.0 running with OpenSSL 1.1.1. The nginx is capable of TLSv1.3; I verified this with Firefox 66.0.2 on Ubuntu 18.04, Chrome 73.0 on Android 9 and ChromeOS 72.0.

However, OkHttp always negotiates TLSv1.2. I also tried to set a RESTRICTED_TLS ConnectionSpec, but it didn't help.

I did not find a specific instruction on how to get TLSv1.3 working on Android. I know that only Android 8 and 9 support TLSv1.3 out of the box; I'm fine for now with that restriction.

My experience from earlier TLS migrations is that I don't have to do anything except updating all involved components.


Answer 1:


The problem is likely that the client or the certificate might not support TLS 1.3 in all situations - and then will fall back. Try running SSL test to verify that (it also performs checks for mobile clients, which might negotiate differently). Upgrading OkHttp to 3.13 or 3.14 (soon) might also be an option; here's the change log. Even if Android should support it, the client needs to be configured as well:

OkHttpClient client = new OkHttpClient.Builder()
    .connectionSpecs(Arrays.asList(ConnectionSpec.MODERN_TLS))
    .build();

Possible values there are: RESTRICTED_TLS, MODERN_TLS and (backwards) COMPATIBLE_TLS.




Answer 2:


As shown in the official link, TLSv1.3 is supported from Android 10 (API level 29) onwards. So to support TLSv1.3 in previous versions we can integrate the Conscrypt library. The Conscrypt security provider includes a public API for TLS functionality. For that we have to add the dependency:

dependencies {
  implementation 'org.conscrypt:conscrypt-android:2.2.1'
}

Here we also need the OkHttp client, as it supports Conscrypt.

As documented in OkHttp,

OkHttp uses your platform’s built-in TLS implementation. On Java platforms OkHttp also supports Conscrypt, which integrates BoringSSL with Java. OkHttp will use Conscrypt if it is the first security provider.

After adding the Conscrypt dependency, in the application class we just have to mention:

Security.insertProviderAt(Conscrypt.newProvider(), 1);

This can be helpful to provide support and enable TLS 1.3 in older Android versions (API level <29).
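
The provider installation from Answer 2 combined with a check of the protocol version that was actually negotiated, as an added example that is not part of the original question or answers. The class and method names are hypothetical, the URL is supplied by the caller, and the code assumes the OkHttp 3.12.x and conscrypt-android dependencies mentioned above.

```java
import java.io.IOException;
import java.security.Security;
import java.util.Collections;
import okhttp3.ConnectionSpec;
import okhttp3.Handshake;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;
import org.conscrypt.Conscrypt;

// Hypothetical helper class; names are illustrative, not from OkHttp or Conscrypt.
public final class Tls13Check {

    // Call once (e.g. from Application.onCreate()) before any client is built,
    // so the bundled Conscrypt is the first security provider.
    public static void installConscrypt() {
        Security.insertProviderAt(Conscrypt.newProvider(), 1);
    }

    // Offer only TLS 1.3 and 1.2; older protocol versions are never proposed.
    public static OkHttpClient newClient() {
        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
                .build();
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(spec))
                .build();
    }

    // Returns the protocol version the handshake actually settled on.
    // Must run off the Android main thread because it performs network I/O.
    public static TlsVersion negotiatedVersion(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).head().build();
        try (Response response = client.newCall(request).execute()) {
            Handshake handshake = response.handshake();
            if (handshake == null) throw new IOException("No TLS handshake recorded for " + url);
            return handshake.tlsVersion();
        }
    }

    // Fails loudly instead of silently accepting a TLS 1.2 fallback.
    public static void requireTls13(OkHttpClient client, String url) throws IOException {
        TlsVersion version = negotiatedVersion(client, url);
        if (version != TlsVersion.TLS_1_3) {
            throw new IOException("Expected TLSv1.3 but negotiated " + version.javaName());
        }
    }
}
```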



Source: https://stackoverflow.com/questions/55539513/how-to-enable-tlsv1-3-for-okhttp-3-12-x-on-android-8-9
