如何在Android 8/9上为OkHttp 3.12.x启用TLSv1.3? [英] How to enable TLSv1.3 for OkHttp 3.12.x on Android 8/9?

问题描述

我在Android 9(Pixel 2设备)上使用OkHttp 3.12.2，并尝试连接到运行OpenSSL 1.1.1的nginx 1.14.0. Nginx具有TLSv1.3的功能，我在Ubuntu 18.04上的Firefox 66.0.2，Android 9上的Chrome 73.0和ChromeOS 72.0上对此进行了验证.

I'm using OkHttp 3.12.2 on Android 9 (Pixel 2 device) and try to connect to an nginx 1.14.0 running with OpenSSL 1.1.1. The nginx is capable of TLSv1.3, I verified this with Firefox 66.0.2 on Ubuntu 18.04, Chrome 73.0 on Android 9 and ChromeOS 72.0.

但是， OkHttp始终会协商TLSv1.2 .我还尝试设置RESTRICTED_TLS ConnectionSpec，但这没有帮助.

However, OkHttp always negotiates TLSv1.2. I also tried to set a RESTRICTED_TLS ConnectionSpec, but it didn't help.

我没有找到有关如何使TLSv1.3在Android上运行的特定说明.我知道只有Android 8和9开箱即用支持TLSv1.3.我现在有那个限制.

I did not find a specific instruction on how to get TLSv1.3 working on Android. I know that only Android 8 and 9 support TLSv1.3 out of the box; I'm fine for now with that restriction.

我从较早的TLS迁移中获得的经验是，除了更新所有涉及的组件之外，我无需执行任何操作.

My experience from earlier TLS migrations is that I don't have to do anything except updating all involved components.

推荐答案

如官方 conscrypt 库. Conscrypt安全提供程序包括用于TLS功能的公共API.为此，我们必须添加依赖项，

As shown in official link, TLSv1.3 is supported from Android 10(Api Level 29) on wards. So to support TLSv1.3 in previous versions we can integrate the conscrypt library. Conscrypt security provider includes a public API for TLS functionality. For that we have to add the dependency,

dependencies {
  implementation 'org.conscrypt:conscrypt-android:2.2.1'
}

这里我们还需要OkHttp客户端，因为它支持conscrypt.

Here also we need OkHttp client as it supports conscrypt.

如 OkHttp 中所述，

OkHttp使用平台的内置TLS实现.在Java上 OkHttp平台还支持Conscrypt，它集成了BoringSSL 与Java.如果是第一个安全性，OkHttp将使用Conscrypt 提供者.

OkHttp uses your platform’s built-in TLS implementation. On Java platforms OkHttp also supports Conscrypt, which integrates BoringSSL with Java. OkHttp will use Conscrypt if it is the first security provider.

在添加conscrypt依赖关系之后，我们只需要在应用程序类中提及

After adding conscrypt dependency, in application class we just have to mention,

Security.insertProviderAt(Conscrypt.newProvider(), 1);

这有助于在较早的android版本(Api级别< 29)中提供支持并启用TLS 1.3.

This can be helpful to provide support and enable TLS 1.3 in older android version (Api level <29).

这篇关于如何在Android 8/9上为OkHttp 3.12.x启用TLSv1.3?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！