Re: [paho-dev] Android service: security issues

There is a minimum API level required, TLS 1.1 and 1.2 only works for API 16+. I propose this:

String sslVersion = "SSL";
// TLS 1.1/1.2 are only available from API 16 (Jelly Bean) upwards
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
    sslVersion = "TLSv1.2";
}
ctx = SSLContext.getInstance(sslVersion);

And most brokers should be compatible with TLS 1.2.

Regards

David Portilla
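The two changes discussed in this thread (picking the protocol version for the SSLContext, and loading a client private key into a KeyManager for TLS client authentication) combined into one helper. This is an added example, not code from Paho or from any of the posters; the class name, method names and the PKCS12 keystore inputs are assumptions, and for pre-API-16 devices it falls back to "TLS" rather than "SSL".

```java
import android.os.Build;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: builds the socket factory to hand to MqttConnectOptions.
public final class MqttTlsFactory {

    /** Protocol name for SSLContext.getInstance(): TLS 1.2 needs API 16 (Jelly Bean). */
    static String protocolName() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN ? "TLSv1.2" : "TLS";
    }

    /**
     * Trusts only the CA certificate(s) in trustStore. When clientStore is non-null,
     * its private key and certificate chain are presented to the broker (client auth).
     * Both stores are PKCS12 here (an assumption; BKS also works on Android).
     */
    public static SSLSocketFactory create(InputStream trustStore, char[] trustPass,
                                          InputStream clientStore, char[] clientPass)
            throws Exception {
        // Server trust: pin to the broker's CA instead of the system default.
        KeyStore trusted = KeyStore.getInstance("PKCS12");
        trusted.load(trustStore, trustPass);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        // Client identity (optional): the KeyManager the original mail asks for.
        KeyManager[] keyManagers = null;
        if (clientStore != null) {
            KeyStore identity = KeyStore.getInstance("PKCS12");
            identity.load(clientStore, clientPass);
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identity, clientPass);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance(protocolName());
        ctx.init(keyManagers, tmf.getTrustManagers(), new SecureRandom());
        return ctx.getSocketFactory();
    }
}
```

The returned factory is passed to the client with `MqttConnectOptions.setSocketFactory(...)`; the broker must itself be configured to require a client certificate for the client-auth part to be enforced.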


On 08 Sep 2015, at 14:05, James Sutton1 <james.sutton@xxxxxxxxxx> wrote:

Hi,
 
I've noticed it too and raised a bug for it: https://bugs.eclipse.org/bugs/show_bug.cgi?id=476863
 
Do you think we should give options? And if so which?
 
Or would it just be better to force it to use TLSv1.2?
 
Kind regards,
 
James Sutton
Software Engineer - IoT Foundation - MQTT Open Source Projects
Technical Trojan - Wimbledon Project

Phone: 01962 815438 | Extension: x372454
E-mail: james.sutton@xxxxxxxxxx
Personal Website: www.jsutton.co.uk
IBM

Hursley Park
Hursley SO21 2JN
United Kingdom
 
IBM United Kingdom Limited Registered in England and Wales with number 741598 Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU
 
 
----- Original message -----
From: Manuel Domínguez Dorado <manolodd@xxxxxxxxx>
Sent by: paho-dev-bounces@xxxxxxxxxxx
To: General development discussions for paho project <paho-dev@xxxxxxxxxxx>
Cc:
Subject: Re: [paho-dev] Android service: security issues
Date: Thu, Sep 3, 2015 8:49 PM
 
Hi David,
 
try using "TLS" instead of "SSL". I have an example on GitHub.

https://github.com/manolodd/mqtt_tls_selfsigned_certificate
 
Hope it helps.
 
 
2015-09-03 21:37 GMT+02:00 David Portilla Abellán <dportilla12@xxxxxxxxx>:
Hi all,

When creating a MqttAndroidClient using SSL it is not possible to choose the protocol. This is because the method getSSLSocketFactory creates the SSLContext with this line:

ctx = SSLContext.getInstance("SSL");

This forces SSL 3.0 or lower, and these versions have known vulnerabilities. I propose adding a parameter to the method for choosing the version, or forcing "TLSv1.2" (but this requires Android API 16+).

Another improvement I'd like to propose is client authentication with TLS. For this, the same method needs to be modified to read a private key, create a KeyManager and load it into the SSL context. I have already tested it and it works fine.

Regards.

David



_______________________________________________
paho-dev mailing list
paho-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/paho-dev



--
---
Manuel Domínguez Dorado
ingeniero ARROBA ManoloDominguez PUNTO com
http://www.ManoloDominguez.com