
Using OkHttp and Google Security ProviderInstaller, any connection to a domain that supports both TLS 1.2 and TLS 1.3 is made using version 1.2. Without ProviderInstaller everything works fine using 1.3.

This is sample code, using the latest version of OkHttp and play-services-basement on Android 12:

import com.google.android.gms.security.ProviderInstaller
import kotlinx.coroutines.Dispatchers
import kotlinx.coroutines.GlobalScope
import kotlinx.coroutines.launch
import okhttp3.OkHttpClient
import okhttp3.Request

// Runs inside MainActivity; network calls must stay off the main thread.
GlobalScope.launch(Dispatchers.IO) {
    // First request with the platform's default security provider.
    val r1 = OkHttpClient().newCall(Request.Builder().url("https://www.google.com").build()).execute()
    println(r1.handshake)   // prints the negotiated TLS version and cipher suite
    r1.close()
    try {
        // Install/update the Google Play Services security provider.
        ProviderInstaller.installIfNeeded(this@MainActivity)
        println("ProviderInstaller DONE")
    } catch (e: Exception) {
        e.printStackTrace()
    }

    // Second request, now going through the installed provider.
    val r2 = OkHttpClient().newCall(Request.Builder().url("https://www.google.com").build()).execute()
    println(r2.handshake)
    r2.close()
}

The log result is:

I/System.out: Handshake{tlsVersion=TLS_1_3 cipherSuite=TLS_AES_128_GCM_SHA256 peerCertificates=[CN=www.google.com, CN=GTS CA 1C3, O=Google Trust Services LLC, C=US, CN=GTS Root R1, O=Google Trust Services LLC, C=US] localCertificates=[]}
I/System.out: ProviderInstaller DONE
I/System.out: Handshake{tlsVersion=TLS_1_2 cipherSuite=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 peerCertificates=[CN=www.google.com, CN=GTS CA 1C3, O=Google Trust Services LLC, C=US, CN=GTS Root R1, O=Google Trust Services LLC, C=US] localCertificates=[]}

Does it seem like a HUGE problem only to me?

Another strange thing is that com.google.firebase.inappmessaging forces the app to use ProviderInstaller.

I also opened a bug on the issue tracker.

Alessandro Scarozza
  • Do you really need to use ProviderInstaller? I thought it was only if you want your server to work for Android 4.4 – Zun Sep 14 '22 at 08:03
  • @Zun I thought ProviderInstaller could only be an upgrade and not a downgrade. Anyway, is this the correct behaviour or not? – Alessandro Scarozza Sep 14 '22 at 08:23
  • I vaguely remember that there's a good reason to use TLS_1_2 for the handshake, even when trying to use TLS 1.3 only, but I'll have to look that up if that's relevant here, I'll post a link if I find that. – Joachim Sauer Sep 15 '22 at 13:05
  • @JoachimSauer the problem is that I need to contact a server that accepts only 1_3, and it fails the handshake – Alessandro Scarozza Sep 15 '22 at 13:11
  • @Xan: oh I see, then even that reason won't help you (I also didn't find it). Did you try explicitly creating an `SSLContext` using `SSLContext.getInstance("TLSv1.3")` and using that to create an SSL socket factory for the OkHttpClient? Then you could even explicitly disable TLSv1.2 (in case you get a provider that supports both). – Joachim Sauer Sep 15 '22 at 13:18
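A TLS-1.3-only client along the lines Joachim Sauer suggests, added here as an example that is not code from the question or its comments. It assumes the OkHttp 4 API (ConnectionSpec, TlsVersion, sslSocketFactory) and a security provider that actually implements "TLSv1.3"; the function and variable names are my own.

```kotlin
import java.security.KeyStore
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.TlsVersion

// Builds an OkHttpClient that offers TLS 1.3 only: an SSLContext for "TLSv1.3"
// plus an OkHttp ConnectionSpec with TLS 1.2 removed from the offered versions.
// If the active provider has no TLSv1.3 implementation, getInstance() throws
// NoSuchAlgorithmException instead of silently falling back to 1.2.
fun tls13OnlyClient(): OkHttpClient {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(null as KeyStore?)   // platform default trust store
    val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()

    val sslContext = SSLContext.getInstance("TLSv1.3")
    sslContext.init(null, arrayOf(trustManager), null)

    // Advertise only TLS 1.3; keep OkHttp's RESTRICTED_TLS cipher suite list.
    val spec = ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
        .tlsVersions(TlsVersion.TLS_1_3)
        .build()

    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        .connectionSpecs(listOf(spec))
        .build()
}

// Performs one request and fails closed unless the negotiated version is
// TLS 1.3, so a downgrade like the one in the question's second log line is
// reported as an error rather than accepted.
fun fetchRequiringTls13(client: OkHttpClient, url: String): TlsVersion {
    client.newCall(Request.Builder().url(url).build()).execute().use { response ->
        val version = response.handshake?.tlsVersion
            ?: error("no TLS handshake recorded for $url")
        check(version == TlsVersion.TLS_1_3) {
            "negotiated $version for $url, expected TLS 1.3"
        }
        return version
    }
}

// Example use (hypothetical host): fetchRequiringTls13(tls13OnlyClient(), "https://www.google.com")
```

With a provider that only negotiates 1.2 after ProviderInstaller, this client refuses the connection instead of downgrading, which at least makes the behaviour in the question visible at the call site.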
