[paho-dev] Android service: security issues

Hi all,

When creating a MqttAndroidClient using SSL it is not possible to choose the protocol. This is because the method getSSLSocketFactory creates the SSLContext with this line:

ctx = SSLContext.getInstance("SSL");

This will force SSL 3.0 or lower, and these versions have known vulnerabilities. I propose to add a parameter to the method for choosing the version, or to force "TLSv1.2" (but this implies Android API 16+).

Another improvement I'd like to propose is client authentication with TLS. For this, the same method needs to be modified to read a private key, create a KeyManager and load it into the SSL context. I already tested it and it works fine.

Regards.

David
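The two changes proposed above (an explicit protocol version and a KeyManager for client authentication), sketched as an added Java example; this is not the Paho Android service's own getSSLSocketFactory, and the class name, method names and parameters are assumptions for illustration.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper, not the Paho Android service's own getSSLSocketFactory.
public final class TlsSocketFactoryBuilder {

    private TlsSocketFactoryBuilder() {}

    // Loads a keystore (BKS is the usual type on Android, PKCS12 elsewhere).
    public static KeyStore loadKeyStore(String type, InputStream in, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(in, password);
        return ks;
    }

    // protocol:    explicit version such as "TLSv1.2" instead of the generic "SSL"
    // trustStore:  CA certificate(s) used to verify the broker
    // clientStore: client private key + certificate for mutual TLS, or null
    // clientKeyPw: password protecting the private key entry (ignored when clientStore is null)
    public static SSLSocketFactory build(String protocol, KeyStore trustStore,
                                         KeyStore clientStore, char[] clientKeyPw)
            throws Exception {
        // Trust managers decide which broker certificates are accepted.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Key managers present the client certificate during the handshake.
        KeyManagerFactory kmf = null;
        if (clientStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientStore, clientKeyPw);
        }

        // Explicit protocol name rather than the "SSL" alias discussed above.
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

SSLContext.getInstance(protocol) selects what the context supports, not necessarily what is enabled on each socket; to be strict, also call SSLSocket.setEnabledProtocols on the sockets the factory creates.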