Hi all,
A project I work on has recently set their web services to only accept TLS 1.2, they can’t enable TLS 1.0 or SSLv3 due to security issues.
The issue is Android devices running anything less than 5.0 have TLS 1.1 and 1.2 disabled by default. This results in those devices failing the SSL handshake with the web API. See the error below:
ERROR: network: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5aae5ec0: Failure in SSL library, usually a protocol error
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x5cc4f55c:0x00000000): [WEB_URL] (javax.net.ssl.SSLHandshakeException)
From the looks of things it’s fairly simple to enable TLS 1.2 via Java:
https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/
Can Corona implement this?
Some extra info:
PCI-DSS compliance requires disabling the use of TLS 1.0 as of July 1, 2018. I know a lot of people aren’t concerned about PCI compliance, but we have to be due to the nature of the app. More and more web services will start stopping support for TLS1.0 and I imagine far more developers here will start having this issue.
Thanks,
Jamie