Enable TLS 1.2 on pre-lollipop devices #77

Merged: 2 commits, May 31, 2017

sarahsnow1
Member

Overview

Enables TLS 1.2 on pre-lollipop devices and updates the sample activity to log requests in debug mode

Proposed Changes

TLS 1.2 is disabled by default on devices running OS versions below 5.0. Coupled with Fastly upgrading to TLS 1.2, SSL is broken on devices running pre-lollipop OS versions. This change enables TLS 1.2 as recommended here: square/okhttp#2372 (comment)

Confirmed that before this change, requests fail with the error below (tested on device running Galaxy Nexus 4.3):

05-25 11:48:33.551 3220-3220/com.mapzen.pelias E/PeliasSearchView: Unable to fetch autocomplete results
                                                                   javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x4183b860: Failure in SSL library, usually a protocol error
                                                                   error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x5bb246a2:0x00000000)
                                                                       at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:440)
                                                                       at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:242)
                                                                       at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:200)
                                                                       at okhttp3.internal.connection.RealConnection.buildConnection(RealConnection.java:174)
                                                                       at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:114)
                                                                       at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:196)
                                                                       at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:132)
                                                                       at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:101)
                                                                       at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
                                                                       at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
                                                                       at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
                                                                       at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
                                                                       at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
                                                                       at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
                                                                       at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
                                                                       at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
                                                                       at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
                                                                       at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
                                                                       at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
                                                                       at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
                                                                       at okhttp3.RealCall$AsyncCall.execute(RealCall.java:129)
                                                                       at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
                                                                       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1080)
                                                                       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:573)
                                                                       at java.lang.Thread.run(Thread.java:841)
                                                                   	Suppressed: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x58e9d658: Failure in SSL library, usually a protocol error
                                                                   error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x5bb246a2:0x00000000)
                                                                   		... 25 more
                                                                   	Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x58e9d658: Failure in SSL library, usually a protocol error
                                                                   error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x5bb246a2:0x00000000)
                                                                       at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
                                                                       at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:398)
                                                                       		... 24 more
                                                                    Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x4183b860: Failure in SSL library, usually a protocol error
                                                                   error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (external/openssl/ssl/s23_clnt.c:741 0x5bb246a2:0x00000000)
                                                                       at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
                                                                       at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:398)
                                                                       	... 24 more

Closes #75

Collaborator

@tallytalwar tallytalwar left a comment

One small thing here, good otherwise.

* @return TLS enabled client.
*/
public static OkHttpClient.Builder enableTls12OnPreLollipop(OkHttpClient.Builder client) {
if (Build.VERSION.SDK_INT >= 16 && Build.VERSION.SDK_INT < 22) {
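
Review bot: The upper bound `Build.VERSION.SDK_INT < 22` in the `if` also takes in API 21 (Android 5.0), while the method name `enableTls12OnPreLollipop` and the PR description both say pre-Lollipop, i.e. below 5.0. Either tighten the bound to `< 21` or add a comment saying why API 21 is included on purpose. The bare `16` and `22` would also read better as `Build.VERSION_CODES.JELLY_BEAN` and `Build.VERSION_CODES.LOLLIPOP_MR1`, and the Javadoc should say what callers get on API levels outside this range. Minor: the parameter is an `OkHttpClient.Builder` but is named `client`, and `@return TLS enabled client.` describes a client rather than the builder that is returned.
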
Collaborator

I think, from what I remember, there might be something similar on some recent version of Android also (7.0?). Though we have not updated that on tangram-es (tangrams/tangram-es#1501). So it will be good to document this and keep an eye out for this in the future.

Member Author

Thanks @tallytalwar. Issue created here so we can circle back to it: #78

@msmollin msmollin merged commit 598a524 into master May 31, 2017