制作的SSLEngine使用TLSv1.2在Android(4.4.2)?SSLEngine、Android
伙计们,我希望有一些明显的我失踪了,我希望有人能够给一些启发。我试图让TLSv1.2在SSL + NIO上下文中运行(使用 AndroidAsync 库),所以我想通过SSLEngine的启用它。我可以运行code是这样的:
Folks, I'm hoping there's something obvious that I'm missing, and I hope someone will be able to shed some light. I'm trying to get TLSv1.2 running in an SSL + NIO context (using the AndroidAsync library), so I'm trying to enable it via an SSLEngine. I can run code like this:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, null);
String[] protocols = sslContext.getSupportedSSLParameters().getProtocols();
for (String protocol : protocols) {
Timber.d("Context supported protocol: " + protocol);
}
SSLEngine engine = sslContext.createSSLEngine();
String[] supportedProtocols = engine.getSupportedProtocols();
for (String protocol : supportedProtocols) {
Timber.d("Engine supported protocol: " + protocol);
}
和我结束了在logcat中看到这一点:
And I end up seeing this on logcat:
06-22 21:56:27.715 1117-1117/? D/XXX﹕ Context supported protocol: SSLv3
06-22 21:56:27.715 1117-1117/? D/XXX﹕ Context supported protocol: TLSv1
06-22 21:56:27.725 1117-1117/? D/XXX﹕ Context supported protocol: TLSv1.1
06-22 21:56:27.725 1117-1117/? D/XXX﹕ Context supported protocol: TLSv1.2
06-22 21:56:27.735 1117-1117/? D/XXX﹕ Engine supported protocol: TLSv1
06-22 21:56:27.745 1117-1117/? D/XXX﹕ Engine supported protocol: SSLv3
当然,如果我尝试 engine.setEnabledProtocols(新[] {TLSv1.2}字符串)我得到一个IllegalArgumentException不支持协议TLSv1.2 。
Of course if I try to engine.setEnabledProtocols(new String[] { "TLSv1.2" }) I get an IllegalArgumentException "Protocol TLSv1.2 is not supported."
我能看到的范围内宣称支持TLSv1.2,但此时发动机从我这方面做出不?发生了什么?如果我在第一行用TLS,而不是TLSv1.2之上,顺便说一句这一切都不改变。
I can see the context claims to support TLSv1.2, but then the engine I make from that context doesn't? What's going on here? None of this changes if I use "TLS" instead of "TLSv1.2" in the first line above, btw.
我推测这可能是与这个问题,我读过this (尚未解答)问题和articles这样,但他们不太似乎是击中当场 - 我见过的解决方案似乎都依靠SSLSocket而不是让SSLEngine
I gather this might have something to do with this issue, and I've read this (as yet unanswered) question and articles like this, but they don't quite seem to be hitting the spot - solutions I've seen all seem to rely on SSLSocket rather than SSLEngine.
感谢很多的任何知识,你可以放下。
Thanks much for any knowledge you can drop.
更新14年6月23日10AMEDT
于是我找到 SSLEngine.setSSLParameters ,我希望能让我过的,我从 SSLContext.getSupportedSSLParameters得到了一个SSLParameters(),但是当我打电话,我得到,声称不支持密码套件是一个例外,所以它看起来像setSSLParameters()只是做了同样的事情,setEnabledCipherSuites()不会,发动机已经在一个国家所支持的地方不承认TLS 1.2协议/套。
So I found SSLEngine.setSSLParameters, which I was hoping would let me pass in an SSLParameters that I got from SSLContext.getSupportedSSLParameters(), but when I call that I get an exception that claims the cipher suites aren't supported, so it looks like setSSLParameters() is just doing the same thing that setEnabledCipherSuites() does, and the engine is already in a state where it doesn't recognize the TLS 1.2 protocol/suites as supported.
推荐答案
Android的API文档正确国家的TLSv1.2仅在API级别20或更高版本(棒棒堂),而SSLSocket支持它,因为16级支持的SSLEngine。
The Android API docs correctly state that TLSv1.2 is only supported for SSLEngine in API Level 20 or later (Lollipop) while SSLSocket supports it since level 16.
使用SSLSocket或要求API 20是为我们的项目没有选择既不是更改服务器code,允许使用TLSv1或SSLv3的。我们的解决方案是安装使用较新的安全提供Google播放服务:
Using SSLSocket or requiring API 20 was no option for our project and neither was changing the server code to allow TLSv1 or SSLv3. Our solution was to install a newer security provider using Google Play Services:
ProviderInstaller.installIfNeeded(getApplicationContext());
这有效地使你的应用程序访问的OpenSSL和Java安全提供的更新版本,其中包括用于TLSv1.2在SSLEngine的支持。一旦新的提供程序已安装,您可以创建支持的SSLv3,使用TLSv1,TLSv1.1和TLSv1.2通常的方式是让SSLEngine:
This effectively gives your app access to a newer version of OpenSSL and Java Security Provider which includes support for TLSv1.2 in SSLEngine. Once the new provider is installed, you can create an SSLEngine which supports SSLv3, TLSv1, TLSv1.1 and TLSv1.2 the usual way:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, null);
SSLEngine engine = sslContext.createSSLEngine();
或者你也可以使用限制启用的协议 engine.setEnabledProtocols 。
