OkHttp 3.11 and TLS 1.2 support


Question

The support for TLS v1.2 was added in Android 4.2, but it wasn't enabled by default. This issue was quite easy to fix with OkHttp 3.x by providing a custom SSLSocketFactory implementation to the OkHttp client:

// OkHttp 3.x: the SSL socket factory is set on the builder (the client itself is immutable).
OkHttpClient okHttpClient = new OkHttpClient.Builder()
    .sslSocketFactory(new MySSLSocketFactory())
    .build();

In my case the custom socket factory was setting the enabled protocols like this:

private static final String[] TLS_PROTOCOLS = new String[]{ "TLSv1.1", "TLSv1.2" };

public MySSLSocketFactory(final KeyManager[] keyManagers, final TrustManager trustManager) throws KeyManagementException, NoSuchAlgorithmException {
  final SSLContext sslContext = SSLContext.getInstance(TLS);
  sslContext.init(keyManagers, new TrustManager[]{ trustManager }, null);
  // ...
}

// ...

private Socket enableTLSOnSocket(final Socket socket) {
  if (socket instanceof SSLSocket) {
    ((SSLSocket) socket).setEnabledProtocols(TLS_PROTOCOLS);
  }
  return socket;
}

In the latest OkHttp 3.11 we can read:

Fix: Prefer TLSv1.2 where it is available. On certain older platforms it is necessary to opt-in to TLSv1.2

I was trying to check relevant commits (probably this one) but I'm not sure if it addresses the same issue as the custom factory does.

So my question is: is it safe to remove the custom SSLSocketFactory when using OkHttp 3.11+ and still keep TLS 1.2 in use on older Android devices?

Recommended answer

I've tested the latest (3.11) OkHttp version with the default socket factory:

final SSLContext sslContext = SSLContext.getInstance(TLS);
sslContext.init(keyManagers, new TrustManager[]{ trustManager }, null);
sslContext.getSocketFactory();

Unfortunately, TLSv1.2 isn't preferred even though it is available. For now, I have to keep using my own implementation of SSLSocketFactory which includes TLSv1.2.
