androidsslhttpsandroid-volleysslsocketfactory

How do I tell the TLS version in Android Volley

My project has been using Android Volley network framework for a long time, but recently I found a SSL 3.0 protocol bug published on the Internet.

I want to know how can I find out what's the TLS version my project used, and how to confirm whether the library is updated.

Here is my source code fragment: 

HttpStack stack = new HurlStack();
Network network = new BasicNetwork(stack);
mHttpRequestQueue = new RequestQueue(new NoCache(), network);
mHttpRequestQueue.start();

I think the point is in HurlStack class, and it depends on org.apache.http package, but I can't figure out where TLS/SSL configuration is.

Solution

  • You may modify the version of TLS used in Volley by creating a custom HTTPStack and setting the stack in the Volley.newRequestQueue(context, httpStack) method in Volley.java. Although, you only need to do this for Android versions 16-19. Before v16, TLS 1.2 isn't supported and after v19, TLS 1.2 is enabled by default. So, you should focus on manually setting TLS to 1.2 for Android versions 16-19.

    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN
    && Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
    try {
      ProviderInstaller.installIfNeeded(getContext());
    } catch (GooglePlayServicesRepairableException e) {
      // Indicates that Google Play services is out of date, disabled, etc.
      // Prompt the user to install/update/enable Google Play services.
      GooglePlayServicesUtil.showErrorNotification(e.getConnectionStatusCode(), getContext());
      // Notify the SyncManager that a soft error occurred.
      syncResult.stats.numIOExceptions++;
      return;
    } catch (GooglePlayServicesNotAvailableException e) {
      // Indicates a non-recoverable error; the ProviderInstaller is not able
      // to install an up-to-date Provider.
      // Notify the SyncManager that a hard error occurred.
      syncResult.stats.numAuthExceptions++;
      return;
    }

    HttpStack stack = null;
    try {
      stack = new HurlStack(null, new TLSSocketFactory());
    } catch (KeyManagementException e) {
      e.printStackTrace();
      Log.d("Your Wrapper Class", "Could not create new stack for TLS v1.2");
      stack = new HurlStack();
    } catch (NoSuchAlgorithmException e) {
      e.printStackTrace();
      Log.d("Your Wrapper Class", "Could not create new stack for TLS v1.2");
      stack = new HurlStack();
    }
    requestQueue = Volley.newRequestQueue(context, stack);
} else {
  requestQueue = Volley.newRequestQueue(context);
}

    And then use a TLSSocketFactory class which extends SSLSocketFactory like the one Florian Krauthan created here, where the v1.2 TLS protocol is enabled: https://gist.github.com/fkrauthan/ac8624466a4dee4fd02f#file-tlssocketfactory-java