Login/Register
How do I tell the TLS version in Android Volley
Asked Answered
Solved androidsslhttpsandroid-volleysslsocketfactory
P

3

10

My project has been using Android Volley network framework for a long time, but recently I found a SSL 3.0 protocol bug published on the Internet.

I want to know how can I find out what's the TLS version my project used, and how to confirm whether the library is updated.

Here is my source code fragment: 

HttpStack stack = new HurlStack();
Network network = new BasicNetwork(stack);
mHttpRequestQueue = new RequestQueue(new NoCache(), network);
mHttpRequestQueue.start();

I think the point is in HurlStack class, and it depends on org.apache.http package, but I can't figure out where TLS/SSL configuration is.

Pawnshop answered 7/7, 2015 at 13:7 Comment(3)
There is no TLS 3.0, I assume you mean SSL 3.0.Henleigh
@Henleigh yes, SSL3 and TLS1.Pawnshop
I traced source code, and only found this: context = SSLContext.getInstance("TLS");Pawnshop
P
20

You may modify the version of TLS used in Volley by creating a custom HTTPStack and setting the stack in the Volley.newRequestQueue(context, httpStack) method in Volley.java. Although, you only need to do this for Android versions 16-19. Before v16, TLS 1.2 isn't supported and after v19, TLS 1.2 is enabled by default. So, you should focus on manually setting TLS to 1.2 for Android versions 16-19.

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN
    && Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
    try {
      ProviderInstaller.installIfNeeded(getContext());
    } catch (GooglePlayServicesRepairableException e) {
      // Indicates that Google Play services is out of date, disabled, etc.
      // Prompt the user to install/update/enable Google Play services.
      GooglePlayServicesUtil.showErrorNotification(e.getConnectionStatusCode(), getContext());
      // Notify the SyncManager that a soft error occurred.
      syncResult.stats.numIOExceptions++;
      return;
    } catch (GooglePlayServicesNotAvailableException e) {
      // Indicates a non-recoverable error; the ProviderInstaller is not able
      // to install an up-to-date Provider.
      // Notify the SyncManager that a hard error occurred.
      syncResult.stats.numAuthExceptions++;
      return;
    }

    HttpStack stack = null;
    try {
      stack = new HurlStack(null, new TLSSocketFactory());
    } catch (KeyManagementException e) {
      e.printStackTrace();
      Log.d("Your Wrapper Class", "Could not create new stack for TLS v1.2");
      stack = new HurlStack();
    } catch (NoSuchAlgorithmException e) {
      e.printStackTrace();
      Log.d("Your Wrapper Class", "Could not create new stack for TLS v1.2");
      stack = new HurlStack();
    }
    requestQueue = Volley.newRequestQueue(context, stack);
} else {
  requestQueue = Volley.newRequestQueue(context);
}

And then use a TLSSocketFactory class which extends SSLSocketFactory like the one Florian Krauthan created here, where the v1.2 TLS protocol is enabled: https://gist.github.com/fkrauthan/ac8624466a4dee4fd02f#file-tlssocketfactory-java

Phototaxis answered 23/11, 2015 at 15:0 Comment(4)
I had to also upgrade the Security provider as per blog.dev-area.net/2015/08/17/… before it worked on my 4.4 deviceAudriaaudrie
@Diederik's point is VERY important. The code must handle the security code provider's update. In my case, even the security provider was updated already by another app, i still had to include the code in my own app to make TLS work.Bloodthirsty
@Bloodthirsty I've updated answer to include checking to ensure the security provider has the latest updates. For others out there, you can read more from the official docs on this here: developer.android.com/training/articles/… This can either be done synchronously (like it is in my answer) or asynchronously. But, it MUST be done.Phototaxis
Android complains that HttpStack is deprecated. I implemented the asynchronous version of your link and it works without the HttpStack and TLSSocketFactory on the emulator with API 19. Is it ok to just skip that part?Ml
H
1

On Android the used TLS version mostly depends on the used Android version. Apache Volley bases on Apache Http Client which bases on HttpsUrlConnection, therefore the standard SSL/TLS SSLSocketFactory is used.

On Android below 4.3 usually only SSLv3 and TLS 1.0 are supported. On later versions TLS 1.1 and 1.2 are often supported but disabled.

Starting with Android 5 TLS 1.1 and TLS 1.2 are supported and enabled by default

Henleigh answered 8/7, 2015 at 8:5 Comment(3)
Then where can I find TLS version in my source code?Could you point it out the precise position? I need to confirm completely that.Pawnshop
As long as you don't set-up an custom SSLSocketFactory your code does not specify the TLS version. That is all done in the Android API runtime code.Henleigh
There should be a way to enable TLS v1.2 for Volley for Android versions 16-20 since it's supported but not enabled by default. Could you point us to Volley documentation where this may be possible? Unfortunately, saying "That is all done in the Android API runtime code", is not very helpful. The OkHttp library offers the ability to set the TLS version: #29250130Phototaxis
B
0

@w3bshark's answer worked for me. But Before using that code, Make sure you include the code to update Security Provider. In my case, TLS didn't work until i update security provider. Following is the code to update it. 

private void updateAndroidSecurityProvider() {
    try {
        ProviderInstaller.installIfNeeded(this);
    } catch (GooglePlayServicesRepairableException e) {
        Log.e("Test321", "PlayServices not installed");
    } catch (GooglePlayServicesNotAvailableException e) {
        Log.e("Test321", "Google Play Services not available.");
    }
}
Bloodthirsty answered 10/10, 2017 at 11:51 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.