There is a minimum API level required: TLS 1.1 and 1.2 only work for API 16+. I propose this:

    // Fall back to the "SSL" context on old devices; use TLS 1.2 on API 16+ (Jelly Bean)
    String sslVersion = "SSL";
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
        sslVersion = "TLSv1.2";
    }
    ctx = SSLContext.getInstance(sslVersion);
And most brokers should be compatible with TLS 1.2.
Regards
David Portilla
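The two changes proposed in this thread (choosing the TLS version by API level, and loading a client key into a KeyManager for mutual TLS) put together in one helper. This is an added example, not code from the Paho project or from the thread's authors; the class name MqttTlsFactory, its parameters, and the keystore formats (a BKS trust store for the broker CA, a PKCS#12 store for the client key) are assumptions.

```java
import android.os.Build;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLSocketFactory for an MQTT-over-TLS connection:
 *  - picks the context protocol by API level (TLSv1.2 on API 16+, "SSL" before that),
 *  - trusts only the CA certificates in the supplied trust store,
 *  - optionally presents a client certificate (mutual TLS) from a PKCS#12 key store.
 *
 * Hypothetical helper written for this thread, not part of Paho.
 */
public final class MqttTlsFactory {

    private MqttTlsFactory() {}

    /** Context protocol name chosen by API level, as proposed above. */
    static String contextProtocol() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN ? "TLSv1.2" : "SSL";
    }

    /**
     * @param trustStore   stream of a keystore (Android default type, BKS) holding the broker CA
     * @param trustStorePw its password (null for an unprotected store)
     * @param clientStore  PKCS#12 stream with the client key and certificate chain,
     *                     or null for server authentication only
     * @param clientPw     password protecting the PKCS#12 store and its private key
     */
    public static SSLSocketFactory create(InputStream trustStore, char[] trustStorePw,
                                          InputStream clientStore, char[] clientPw)
            throws Exception {
        // Server authentication: only the CA(s) in trustStore are accepted.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(trustStore, trustStorePw);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // Client authentication: a KeyManager that presents the client certificate
        // when the broker sends a CertificateRequest.
        KeyManagerFactory kmf = null;
        if (clientStore != null) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(clientStore, clientPw);
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, clientPw);
        }

        SSLContext ctx = SSLContext.getInstance(contextProtocol());
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

The returned factory is handed to the client through MqttConnectOptions.setSocketFactory(...). Note that the name passed to SSLContext.getInstance only selects the context's defaults; the versions actually offered on a connection are whatever is enabled on the SSLSocket, so a caller that must rule out older protocol versions should also restrict them with SSLSocket.setEnabledProtocols on the sockets the factory produces.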
Hi,
Do you think we should give options? And if so which?
Or would it just be better to force it to use TLSv1.2?
Kind regards,
James Sutton
Software Engineer - IoT Foundation - MQTT Open Source Projects
Technical Trojan - Wimbledon Project
Hursley Park, Hursley, SO212JN, United Kingdom
----- Original message -----
From: Manuel Domínguez Dorado <manolodd@xxxxxxxxx>
Sent by: paho-dev-bounces@xxxxxxxxxxx
To: General development discussions for paho project <paho-dev@xxxxxxxxxxx>
Subject: Re: [paho-dev] Android service: security issues
Date: Thu, Sep 3, 2015 8:49 PM
2015-09-03 21:37 GMT+02:00 David Portilla Abellán <dportilla12@xxxxxxxxx>:
Hi all,
When creating an MqttAndroidClient using SSL it is not possible to choose the protocol. This is because the method getSSLSocketFactory creates the SSLContext with this line:

    ctx = SSLContext.getInstance("SSL");

This will force SSL 3.0 or lower, and these versions have known vulnerabilities. I propose to add a parameter to the method for choosing the version, or to force "TLSv1.2" (but this implies Android API 16+).
Another improvement I'd like to propose is client authentication with TLS. For this, the same method needs to be modified to read a private key, create a KeyManager and load it into the SSL context. I already tested it and it works fine.
Regards.
David