Support a secure set of encryption settings (including TLSv1.2) by default


  • developer

    It seems that SSLSockets created by the SSLCertificateSocketFactory don't have TLSv1.2 enabled by default, at least on our Samsung Note 10.1 (Android 4.1) and here: https://twitter.com/mrwaite/status/451568328436248576

    When querying the socket with getSupportedProtocols(), TLSv1.2 is listed, so it's available but not enabled by default.

    So DAVdroid should provide reasonable SSL/TLS settings (although this should in my opinion be done by SSLCertificateSocketFactory), including enabled protocols, cipher suites and other settings like TLS sessions.


  • developer

    So far, I have found out by testing:

    • Android 4.1.2 (most recent Samsung Galaxy Note 10.1 stock firmware) supports SSLv3, TLSv1, TLSv1.1, TLSv1.2, but only SSLv3 and TLSv1 are enabled by default!
    • Android 4.4.2 (CyanogenMod) supports SSLv3, TLSv1, TLSv1.1, TLSv1.2, but only SSLv3 and TLSv1 are enabled by default!

    According to this message in the Android issue tracker: https://code.google.com/p/android/issues/detail?id=61085#c6, TLSv1.1 and TLSv1.2 "are now enabled by default". The message is from Dec 20, 2013. Android 4.4.2 has been released on Dec 9, 2013. So TLS v1.1 and v1.2 will be enabled by default on all Android versions newer than 4.4.2.

    There's also a good article on StackOverflow: SSL/TLS protocols and cipher suites with the AndroidHttpClient. According to it, TLSv1.2 is supported (but disabled) from Android 4.2+.


  • developer

    For a first try, I'd like to enable all supported protocols (from getSupportedProtocols()). Any objections?

    If you think certain protocols and/or cipher suites and/or settings should be disabled by DAVdroid, please post here.



  • Same problem here - App does not work if I activate "only" TLSv1.2 (apache) - other Apps (CalDav) already solved this problem. Please enable TLSv1.2 by default. (If you already did then something is broken)

    I'm using 0.5.12-alpha, Android 4.3


  • developer

    @sztyler As you can see in the commit message above, this is already done in master and will be available in the next release.



  • ok thx - I only saw that the commit is "8 days ago" as well as that also the release "0.5.12-alpha" is 8 days old. Thus, I thought that this alpha-version already contains the fix.



  • The fix isn't working for me, because the enabling of the supported protocols is only done if the SSL socket is not connected. But the socket is connected if there are no matching protocols. I can successfully connect to my server if the supported protocols are enabled before the if statement.


  • developer

    The fix isn't working for me, because the enabling of the supported protocols is only done if the SSL socket is not connected. But the socket is connected if there are no matching protocols. I can successfully connect to my server if the supported protocols are enabled before the if statement.

    The check for the connected socket was a mistake. It's fixed in the latest commit, and we have just uploaded a new release (containing TLSv1.2 support) to the stores :)


  • developer

    http://developer.android.com/about/versions/android-5.0-changes.html#ssl

    Should be fixed with Android 5.0, thus existing workaround code should be conditional.


