Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support TLS 1.2 for Android 4.4 on the 3.12.x branch

See original GitHub issue

The problem we’re trying to solve: disable TLS 1.0 and 1.1 on our web servers.

Due to the decision of OkHttp to support TLS 1.2 only on Android 5+, this will not be possible for several years to come. Like virtually any successful app, our app still supports Android 4.4. Even if some devs decide to go minSdk 5.x, they will usually maintain a separate version that runs on Android 4.x.

According to the SSL Labs test, Android 4.4 can do TLS 1.2 and there are instructions for how to activate it even back on JellyBean!

So my suggestion is to make it possible to use TLS 1.2 for Android 4.4 on the OkHttp 3.12.x branch. At least one common, reasonably secure cipher would be enough:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)

(all of these ciphers are available and enabled by default since Android 3.x.)

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:5 (2 by maintainers)

github_iconTop GitHub Comments

1reaction
schildbachcommented, Nov 22, 2019

For the records, I managed to install the Conscrypt from Google Play Services with just these three lines of code (error handling omitted):

Context remoteContext = createPackageContext("com.google.android.gms", 3);
Method method = remoteContext.getClassLoader().loadClass("com.google.android.gms.common.security.ProviderInstallerImpl").getMethod("insertProvider", new Class[] { Context.class });
method.invoke(null, new Object[]{remoteContext});

The logcat seems to indicate success, after ~330 ms:

11-22 16:26:02.875 2381-2381/? I/dalvikvm: Could not find method android.content.ContextWrapper.createCredentialProtectedStorageContext, referenced from method ouy.createCredentialProtectedStorageContext
11-22 16:26:02.875 2381-2381/? W/dalvikvm: VFY: unable to resolve virtual method 2516: Landroid/content/ContextWrapper;.createCredentialProtectedStorageContext ()Landroid/content/Context;
11-22 16:26:02.875 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x6f at 0x0002
11-22 16:26:02.875 2381-2381/? I/dalvikvm: Could not find method android.content.ContextWrapper.createDeviceProtectedStorageContext, referenced from method ouy.createDeviceProtectedStorageContext
11-22 16:26:02.875 2381-2381/? W/dalvikvm: VFY: unable to resolve virtual method 2517: Landroid/content/ContextWrapper;.createDeviceProtectedStorageContext ()Landroid/content/Context;
11-22 16:26:02.875 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x6f at 0x0002
11-22 16:26:02.885 2381-2381/? D/dalvikvm: DexOpt: couldn't find static field Landroid/os/Build;.SUPPORTED_ABIS
11-22 16:26:02.885 2381-2381/? W/dalvikvm: VFY: unable to resolve static field 830 (SUPPORTED_ABIS) in Landroid/os/Build;
11-22 16:26:02.885 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x62 at 0x00d2
11-22 16:26:02.885 2381-2381/? D/dalvikvm: DexOpt: couldn't find static field Landroid/os/Build;.SUPPORTED_64_BIT_ABIS
11-22 16:26:02.885 2381-2381/? W/dalvikvm: VFY: unable to resolve static field 829 (SUPPORTED_64_BIT_ABIS) in Landroid/os/Build;
11-22 16:26:02.885 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x62 at 0x00a9
11-22 16:26:02.885 2381-2381/? I/dalvikvm: Could not find method android.content.ContextWrapper.createCredentialProtectedStorageContext, referenced from method com.google.android.chimera.ModuleContext.createCredentialProtectedStorageContext
11-22 16:26:02.885 2381-2381/? W/dalvikvm: VFY: unable to resolve virtual method 2516: Landroid/content/ContextWrapper;.createCredentialProtectedStorageContext ()Landroid/content/Context;
11-22 16:26:02.885 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x6f at 0x0002
11-22 16:26:02.885 2381-2381/? I/dalvikvm: Could not find method android.content.ContextWrapper.createDeviceProtectedStorageContext, referenced from method com.google.android.chimera.ModuleContext.createDeviceProtectedStorageContext
11-22 16:26:02.885 2381-2381/? W/dalvikvm: VFY: unable to resolve virtual method 2517: Landroid/content/ContextWrapper;.createDeviceProtectedStorageContext ()Landroid/content/Context;
11-22 16:26:02.885 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x6f at 0x0002
11-22 16:26:02.885 2381-2381/? D/dalvikvm: Trying to load lib /data/app-lib/com.google.android.gms-1/libconscrypt_gmscore_jni.so 0x9d0c2658
11-22 16:26:02.885 2381-2381/? D/dalvikvm: Added shared lib /data/app-lib/com.google.android.gms-1/libconscrypt_gmscore_jni.so 0x9d0c2658
11-22 16:26:02.885 2381-2381/? V/NativeCrypto: Registering com/google/android/gms/org/conscrypt/NativeCrypto's 286 native methods...
11-22 16:26:02.885 2381-2381/? W/dalvikvm: Unable to resolve superclass of Lcom/google/android/gms/org/conscrypt/TrustManagerImpl; (8619)
11-22 16:26:02.885 2381-2381/? W/dalvikvm: Link of class 'Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;' failed
11-22 16:26:02.885 2381-2381/? I/dalvikvm: Could not find method com.google.android.gms.org.conscrypt.TrustManagerImpl.getDefaultHostnameVerifier, referenced from method com.google.android.gms.org.conscrypt.Conscrypt.getDefaultHostnameVerifier
11-22 16:26:02.885 2381-2381/? W/dalvikvm: VFY: unable to resolve static method 30360: Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;.getDefaultHostnameVerifier ()Lcom/google/android/gms/org/conscrypt/ConscryptHostnameVerifier;
11-22 16:26:02.885 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x71 at 0x0003
11-22 16:26:02.885 2381-2381/? W/dalvikvm: Unable to resolve superclass of Lcom/google/android/gms/org/conscrypt/TrustManagerImpl; (8619)
11-22 16:26:02.885 2381-2381/? W/dalvikvm: Link of class 'Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;' failed
11-22 16:26:02.885 2381-2381/? W/dalvikvm: VFY: unable to find class referenced in signature (Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;)
11-22 16:26:02.885 2381-2381/? W/dalvikvm: Unable to resolve superclass of Lcom/google/android/gms/org/conscrypt/TrustManagerImpl; (8619)
11-22 16:26:02.885 2381-2381/? W/dalvikvm: Link of class 'Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;' failed
11-22 16:26:02.885 2381-2381/? W/FileUtils: Failed to chmod(/data/data/com.google.android.gms/app_extracted_libs): libcore.io.ErrnoException: chmod failed: ENOENT (No such file or directory)
11-22 16:26:02.885 2381-2381/? W/FileUtils: Failed to chmod(/data/data/com.google.android.gms/app_extracted_libs): libcore.io.ErrnoException: chmod failed: ENOENT (No such file or directory)
11-22 16:26:02.895 2381-2381/? I/dalvikvm: Could not find method com.google.android.gms.org.conscrypt.TrustManagerImpl.getHostnameVerifier, referenced from method com.google.android.gms.org.conscrypt.Conscrypt.getHostnameVerifier
11-22 16:26:02.895 2381-2381/? W/dalvikvm: VFY: unable to resolve virtual method 30362: Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;.getHostnameVerifier ()Lcom/google/android/gms/org/conscrypt/ConscryptHostnameVerifier;
11-22 16:26:02.895 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x6e at 0x0004
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Unable to resolve superclass of Lcom/google/android/gms/org/conscrypt/TrustManagerImpl; (8619)
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Link of class 'Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;' failed
11-22 16:26:02.895 2381-2381/? E/dalvikvm: Could not find class 'com.google.android.gms.org.conscrypt.TrustManagerImpl', referenced from method com.google.android.gms.org.conscrypt.Conscrypt.isConscrypt
11-22 16:26:02.895 2381-2381/? W/dalvikvm: VFY: unable to resolve instanceof 7702 (Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;) in Lcom/google/android/gms/org/conscrypt/Conscrypt;
11-22 16:26:02.895 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x20 at 0x0000
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Unable to resolve superclass of Lcom/google/android/gms/org/conscrypt/TrustManagerImpl; (8619)
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Link of class 'Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;' failed
11-22 16:26:02.895 2381-2381/? I/dalvikvm: Could not find method com.google.android.gms.org.conscrypt.TrustManagerImpl.setDefaultHostnameVerifier, referenced from method com.google.android.gms.org.conscrypt.Conscrypt.setDefaultHostnameVerifier
11-22 16:26:02.895 2381-2381/? W/dalvikvm: VFY: unable to resolve static method 30372: Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;.setDefaultHostnameVerifier (Lcom/google/android/gms/org/conscrypt/ConscryptHostnameVerifier;)V
11-22 16:26:02.895 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x71 at 0x0003
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Unable to resolve superclass of Lcom/google/android/gms/org/conscrypt/TrustManagerImpl; (8619)
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Link of class 'Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;' failed
11-22 16:26:02.895 2381-2381/? W/dalvikvm: VFY: unable to find class referenced in signature (Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;)
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Unable to resolve superclass of Lcom/google/android/gms/org/conscrypt/TrustManagerImpl; (8619)
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Link of class 'Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;' failed
11-22 16:26:02.895 2381-2381/? I/dalvikvm: Could not find method com.google.android.gms.org.conscrypt.TrustManagerImpl.setHostnameVerifier, referenced from method com.google.android.gms.org.conscrypt.Conscrypt.setHostnameVerifier
11-22 16:26:02.895 2381-2381/? W/dalvikvm: VFY: unable to resolve virtual method 30373: Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;.setHostnameVerifier (Lcom/google/android/gms/org/conscrypt/ConscryptHostnameVerifier;)V
11-22 16:26:02.895 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x6e at 0x0004
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Unable to resolve superclass of Lcom/google/android/gms/org/conscrypt/TrustManagerImpl; (8619)
11-22 16:26:02.895 2381-2381/? W/dalvikvm: Link of class 'Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;' failed
11-22 16:26:02.895 2381-2381/? E/dalvikvm: Could not find class 'com.google.android.gms.org.conscrypt.TrustManagerImpl', referenced from method com.google.android.gms.org.conscrypt.Conscrypt.toConscrypt
11-22 16:26:02.895 2381-2381/? W/dalvikvm: VFY: unable to resolve check-cast 7702 (Lcom/google/android/gms/org/conscrypt/TrustManagerImpl;) in Lcom/google/android/gms/org/conscrypt/Conscrypt;
11-22 16:26:02.895 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x1f at 0x002a
11-22 16:26:02.935 2381-2384/? D/dalvikvm: GC_CONCURRENT freed 260K, 9% free 3526K/3844K, paused 5ms+1ms, total 25ms
11-22 16:26:02.935 2381-2381/? D/dalvikvm: WAIT_FOR_CONCURRENT_GC blocked 1ms
11-22 16:26:02.985 2381-2384/? D/dalvikvm: GC_CONCURRENT freed 156K, 7% free 3878K/4148K, paused 1ms+1ms, total 17ms
11-22 16:26:02.985 2381-2381/? D/dalvikvm: WAIT_FOR_CONCURRENT_GC blocked 5ms
11-22 16:26:03.045 2381-2384/? D/dalvikvm: GC_CONCURRENT freed 130K, 6% free 4247K/4500K, paused 1ms+2ms, total 31ms
11-22 16:26:03.045 2381-2381/? D/dalvikvm: WAIT_FOR_CONCURRENT_GC blocked 8ms
11-22 16:26:03.105 2381-2384/? D/dalvikvm: GC_CONCURRENT freed 106K, 6% free 4617K/4868K, paused 3ms+2ms, total 21ms
11-22 16:26:03.105 2381-2381/? D/dalvikvm: WAIT_FOR_CONCURRENT_GC blocked 5ms
11-22 16:26:03.135 2381-2381/? E/dalvikvm: Could not find class 'javax.net.ssl.SNIServerName', referenced from method com.google.android.gms.org.conscrypt.Platform.getSniHostnameFromParams
11-22 16:26:03.135 2381-2381/? W/dalvikvm: VFY: unable to resolve check-cast 8595 (Ljavax/net/ssl/SNIServerName;) in Lcom/google/android/gms/org/conscrypt/Platform;
11-22 16:26:03.135 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x1f at 0x0025
11-22 16:26:03.135 2381-2381/? E/dalvikvm: Could not find class 'javax.net.ssl.SNIHostName', referenced from method com.google.android.gms.org.conscrypt.Platform.setParametersSniHostname
11-22 16:26:03.135 2381-2381/? W/dalvikvm: VFY: unable to resolve new-instance 8594 (Ljavax/net/ssl/SNIHostName;) in Lcom/google/android/gms/org/conscrypt/Platform;
11-22 16:26:03.135 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x22 at 0x0025
11-22 16:26:03.135 2381-2381/? E/dalvikvm: Could not find class 'javax.net.ssl.SNIHostName', referenced from method com.google.android.gms.org.conscrypt.Platform.setParametersSniHostname
11-22 16:26:03.145 2381-2381/? W/dalvikvm: VFY: unable to resolve new-instance 8594 (Ljavax/net/ssl/SNIHostName;) in Lcom/google/android/gms/org/conscrypt/Platform;
11-22 16:26:03.145 2381-2381/? D/dalvikvm: VFY: replacing opcode 0x22 at 0x0025
11-22 16:26:03.145 2381-2381/? D/dalvikvm: DexOpt: unable to opt direct call 0x87de at 0x2b in Lcom/google/android/gms/org/conscrypt/Platform;.setParametersSniHostname
11-22 16:26:03.145 2381-2381/? D/dalvikvm: DexOpt: unable to opt direct call 0x87de at 0x2b in Lcom/google/android/gms/org/conscrypt/Platform;.setParametersSniHostname
11-22 16:26:03.145 2381-2381/? D/dalvikvm: Trying to load lib /data/app-lib/com.google.android.gms-1/libconscrypt_gmscore_jni.so 0x9d0c2658
11-22 16:26:03.145 2381-2381/? D/dalvikvm: Shared lib '/data/app-lib/com.google.android.gms-1/libconscrypt_gmscore_jni.so' already loaded in same CL 0x9d0c2658
11-22 16:26:03.165 2381-2384/? D/dalvikvm: GC_CONCURRENT freed 229K, 8% free 4935K/5328K, paused 1ms+1ms, total 16ms
11-22 16:26:03.165 2381-2381/? D/dalvikvm: WAIT_FOR_CONCURRENT_GC blocked 13ms
11-22 16:26:03.195 2381-2381/? I/ProviderInstaller: Installed default security provider GmsCore_OpenSSL

However, there is still something missing on the OkHttp side. I still get the above exception.

I was testing this on an API 19 aosp x86 emulator image with com.google.android.gms version 19.6.29 manually installed.

0reactions
yschimkecommented, Nov 22, 2019

n.b. You will likely be limited to HTTP/1.1. Conscrypt and HTTP/2 is on the 4.x branch IIRC.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Working with TLS 1.2 on Android 4.4 and Lower - Ankush Gupta
In this article, I explain how we migrated the Quizlet Android app to TLS 1.2, while minimizing disruption to our users.
Read more >
[SOLVED] Raise minimum supported Android version to ...
The OkHttp 3.12.x branch supports Android 2.3+ (API level 9+) and Java 7+. These platforms lack support for TLS 1.2 and should not...
Read more >
KitKat and TLSv1.2 - Public Object
“Implementations MUST support TLS 1.2 and MUST prefer to negotiate TLS version 1.2 over earlier versions of TLS. Rationale: Several stronger ...
Read more >
3.x Change Log - OkHttp
The OkHttp 3.12.x branch will be our long-term branch for Android 2.3+ (API level 9+) and Java 7+. These platforms lack support for...
Read more >
retrofit + okhttp on android 4 ssl - Stack Overflow
LOLLIPOP) { //Devices with Android 5.1+ should support TLS 1.x out of the ... implementation: Working with TLS 1.2 on Android 4.4 and...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Document ForkJoinPool.managedBlock() usage example

Next page

Travis CI snapshots failing