From 314be2d6fc51b385a22276cabdaee1441835cc83 Mon Sep 17 00:00:00 2001 From: Tyler Roach Date: Fri, 7 Apr 2023 11:42:56 -0400 Subject: [PATCH 01/12] Enable and enforce TLS 1.2 on older devices --- .../cognitoauth/util/AuthHttpClient.java | 5 +- .../amazonaws/http/TLS12SocketFactory.java | 136 ++++++++++++++++++ .../com/amazonaws/http/UrlHttpClient.java | 33 ++++- .../java/com/amazonaws/util/HttpUtils.java | 7 + .../client/internal/oauth2/OAuth2Client.java | 3 + .../notification/NotificationClientBase.java | 10 +- 6 files changed, 185 insertions(+), 9 deletions(-) create mode 100644 aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java diff --git a/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java b/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java index 9bcb314054..795fe1c145 100644 --- a/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java +++ b/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java @@ -17,8 +17,7 @@ package com.amazonaws.mobileconnectors.cognitoauth.util; -import android.content.Context; - +import com.amazonaws.http.TLS12SocketFactory; import com.amazonaws.mobileconnectors.cognitoauth.exceptions.AuthClientException; import com.amazonaws.mobileconnectors.cognitoauth.exceptions.AuthServiceException; @@ -46,6 +45,8 @@ public String httpPost(final URL uri, final Map headerParams, fi } final HttpsURLConnection httpsURLConnection = (HttpsURLConnection) uri.openConnection(); + // Enable TLS 1.2 on Pre SDK 21 devices + TLS12SocketFactory.fixTLSPre21(httpsURLConnection); DataOutputStream httpOutputStream = null; BufferedReader br = null; try { 
diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java new file mode 100644 index 0000000000..7e7833eff3 --- /dev/null +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java 
@@ -0,0 +1,136 @@ +package com.amazonaws.http; + +import android.os.Build; + +import androidx.annotation.NonNull; +import androidx.annotation.Nullable; + +import java.io.IOException; +import java.net.InetAddress; +import java.net.Socket; +import java.net.UnknownHostException; +import java.security.KeyManagementException; +import java.security.NoSuchAlgorithmException; + +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; + +/** + * Although this has public access, it is intended for internal use and should not be used directly by host + * applications. The behavior of this may change without warning. + */ +public class TLS12SocketFactory extends SSLSocketFactory { + + private static final Object contextLock = new Object(); + private static SSLContext sslContext = null; + public static final String TLSv1_2 = "TLSv1.2"; + private static final String[] SUPPORTED_PROTOCOLS = new String[] { TLSv1_2 }; + private final SSLSocketFactory delegate; + + @Nullable + public static TLS12SocketFactory createTLS12SocketFactory() { + return createTLS12SocketFactory(null); + } + + @Nullable + public static TLS12SocketFactory createTLS12SocketFactory( + @Nullable SSLContext sslContext + ) { + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1) { + try { + return new TLS12SocketFactory(sslContext); + } catch (Exception e) { + // + } + } + return null; + } + + public static void fixTLSPre21(HttpsURLConnection connection) { + fixTLSPre21(connection, createTLS12SocketFactory()); + } + + public static void fixTLSPre21( + @NonNull HttpsURLConnection connection, + @Nullable TLS12SocketFactory tls12SocketFactory + ) { + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && + tls12SocketFactory != null) { + try { + connection.setSSLSocketFactory(tls12SocketFactory); + } catch (Exception e) { + // Failed to enabled TLS1.2 on <= Android 21 device + } + } + } + + private 
TLS12SocketFactory(@Nullable SSLContext customSSLContext) + throws KeyManagementException, NoSuchAlgorithmException { + + if (customSSLContext != null) { + delegate = customSSLContext.getSocketFactory(); + } else { + // Cache SSLContext due to weight and hold static + synchronized (contextLock) { + if (sslContext == null) { + sslContext = SSLContext.getInstance(TLSv1_2); + sslContext.init(null, null, null); + } + } + delegate = sslContext.getSocketFactory(); + } + } + + @Override + public String[] getDefaultCipherSuites() { + return delegate.getDefaultCipherSuites(); + } + + @Override + public String[] getSupportedCipherSuites() { + return delegate.getSupportedCipherSuites(); + } + + @Override + public Socket createSocket() throws IOException { + return updateTLSProtocols(delegate.createSocket()); + } + + @Override + public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { + return updateTLSProtocols(delegate.createSocket(s, host, port, autoClose)); + } + + @Override + public Socket createSocket(String host, int port) throws IOException, UnknownHostException { + return updateTLSProtocols(delegate.createSocket(host, port)); + } + + @Override + public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { + return updateTLSProtocols(delegate.createSocket(host, port, localHost, localPort)); + } + + @Override + public Socket createSocket(InetAddress host, int port) throws IOException { + return updateTLSProtocols(delegate.createSocket(host, port)); + } + + @Override + public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { + return updateTLSProtocols(delegate.createSocket(address, port, localAddress, localPort)); + } + + private Socket updateTLSProtocols(Socket socket) { + if(socket instanceof SSLSocket) { + try { + ((SSLSocket) socket).setEnabledProtocols(SUPPORTED_PROTOCOLS); + } catch 
(Exception e) { + // TLS 1.2 may not be supported on device + } + } + return socket; + } +} \ No newline at end of file diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java index 70bd7496c0..9605de64ff 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java @@ -55,12 +55,24 @@ public class UrlHttpClient implements HttpClient { private static final int BUFFER_SIZE_MULTIPLIER = 8; private final ClientConfiguration config; + // SocketFactory for Pre SDK 21 devices to enforce TLS 1.2 + private final TLS12SocketFactory tls12SocketFactory; + + // Cached SSLContext for connections using custom TrustManagers. + private SSLContext customTrustSSLContext = null; + + // SocketFactory for Pre SDK 21 devices to enforce TLS 1.2 that also holds custom TrustManagers. + private TLS12SocketFactory customTrustTls12SocketFactory; + /** * Constructor. * @param config the client config. */ public UrlHttpClient(ClientConfiguration config) { this.config = config; + + // will return null if SDK > 21 + tls12SocketFactory = TLS12SocketFactory.createTLS12SocketFactory(); } @Override 
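Review bot: `createTLS12SocketFactory(SSLContext)` catches `Exception` and discards it behind an empty `//` comment, so a device on which the `TLSv1.2` context cannot be built silently keeps the platform default factory and nothing in the logs says why; `fixTLSPre21` and `updateTLSProtocols` swallow the same way, and all three catches survive the rename in patch 04. A debug entry keeps the fallback best-effort but diagnosable, e.g. `catch (Exception e) { log.debug("Unable to create TLS 1.2 socket factory", e); }` with `log` taken from `com.amazonaws.logging.LogFactory` as the later `LoggingHandshakeCompletedListener` does. The two gates also disagree in this version: the factory is built below `LOLLIPOP_MR1` but only applied below `LOLLIPOP`, so on API 21 a factory is created and never used; patch 04 aligns them, but one shared constant would prevent the drift recurring. The class Javadoc only says the class is internal; one sentence stating the guarantee (sockets it creates have exactly `SUPPORTED_PROTOCOLS` enabled) would tell callers what `fixTLSPre21` achieves.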
@@ -279,26 +291,35 @@ void configureConnection(HttpRequest request, HttpURLConnection connection) { if (config.getTrustManager() != null) { enableCustomTrustManager(https); + } else if (tls12SocketFactory != null) { + TLS12SocketFactory.fixTLSPre21(https, tls12SocketFactory); } } } - private SSLContext sc = null; - private void enableCustomTrustManager(HttpsURLConnection connection) { - if (sc == null) { + if (customTrustSSLContext == null) { final TrustManager[] customTrustManagers = new TrustManager[] { config.getTrustManager() }; try { - sc = SSLContext.getInstance("TLS"); - sc.init(null, customTrustManagers, null); + customTrustSSLContext = SSLContext.getInstance(TLS12SocketFactory.TLSv1_2); + customTrustSSLContext.init(null, customTrustManagers, null); + + if (customTrustTls12SocketFactory == null) { + customTrustTls12SocketFactory = TLS12SocketFactory + .createTLS12SocketFactory(customTrustSSLContext); + } } catch (final GeneralSecurityException e) { throw new RuntimeException(e); } } - connection.setSSLSocketFactory(sc.getSocketFactory()); + if (customTrustTls12SocketFactory != null) { + connection.setSSLSocketFactory(customTrustTls12SocketFactory); + } else { + connection.setSSLSocketFactory(customTrustSSLContext.getSocketFactory()); + } } /* diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java b/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java index 092970f491..a6d9aeb51b 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java @@ -18,6 +18,7 @@ import com.amazonaws.ClientConfiguration; import com.amazonaws.Request; import com.amazonaws.http.HttpMethodName; +import com.amazonaws.http.TLS12SocketFactory; import java.io.IOException; import java.io.InputStream; @@ -31,6 +32,8 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; +import javax.net.ssl.HttpsURLConnection; + /** * HTTP utils class. */ 
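Review bot: In `enableCustomTrustManager` the new `customTrustTls12SocketFactory` is only assigned inside the `customTrustSSLContext == null` branch, so if `createTLS12SocketFactory` returns null on the first call (it swallows construction failures) no later call retries, and the inner `customTrustTls12SocketFactory == null` guard can never be false; the lazy initialisation of both fields is also unsynchronised. If a `UrlHttpClient` serves requests from several threads, which I cannot confirm from this hunk, initialise the two fields under a lock, for instance by declaring the method `private synchronized void enableCustomTrustManager(HttpsURLConnection connection)`; otherwise document that the client is single-threaded. The caught `GeneralSecurityException` is rethrown as a bare `RuntimeException`; `throw new IllegalStateException("Unable to create TLS context for custom TrustManager", e);` names the failure while preserving the cause. `configureConnection` starts outside the hunk.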
@@ -289,6 +292,10 @@ public static InputStream fetchFile( final URL url = uri.toURL(); // TODO: support proxy? final HttpURLConnection connection = (HttpURLConnection) url.openConnection(); + if (connection instanceof HttpsURLConnection) { + // Enable TLS 1.2 on Pre SDK 21 devices + TLS12SocketFactory.fixTLSPre21((HttpsURLConnection) connection); + } connection.setConnectTimeout(getConnectionTimeout(config)); connection.setReadTimeout(getSocketTimeout(config)); connection.addRequestProperty("User-Agent", getUserAgent(config)); diff --git a/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java b/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java index 19d5fe6bb8..649f5c7453 100644 --- a/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java +++ b/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java @@ -12,6 +12,7 @@ import androidx.browser.customtabs.CustomTabsSession; import android.util.Log; +import com.amazonaws.http.TLS12SocketFactory; import com.amazonaws.internal.keyvaluestore.AWSKeyValueStore; import com.amazonaws.mobile.client.AWSMobileClient; import com.amazonaws.mobile.client.Callback; @@ -495,6 +496,8 @@ public static String httpPost(final URL uri, final Map headerPar } final HttpsURLConnection httpsURLConnection = (HttpsURLConnection) uri.openConnection(); + // Enable TLS 1.2 on Pre SDK 21 devices + TLS12SocketFactory.fixTLSPre21(httpsURLConnection); DataOutputStream httpOutputStream = null; BufferedReader br = null; try { diff --git a/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java b/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java index ba0e13cbf2..ffb9a1d79b 100644 
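Review bot: The `instanceof HttpsURLConnection` test plus cast in front of `fixTLSPre21` is repeated here in `fetchFile` and again in `NotificationClientBase.DownloadImageTask`, while `AuthHttpClient.httpPost` and `OAuth2Client.httpPost` rely on their existing unconditional cast, so the four call sites do not behave identically for a plain-HTTP URL. One extra overload on the factory, `public static void fixTLSPre21(@NonNull URLConnection connection)`, that performs the `instanceof` check itself would give every caller the same behaviour and remove the duplicated cast. The `// Enable TLS 1.2 on Pre SDK 21 devices` comment added at each call site is dropped again in patch 04 without replacement; keeping that explanation once, on the helper's Javadoc, avoids the per-call-site drift. `fetchFile` starts outside the hunk.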
--- a/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java +++ b/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java @@ -34,6 +34,7 @@ import androidx.core.app.NotificationCompat; import androidx.core.app.NotificationManagerCompat; +import com.amazonaws.http.TLS12SocketFactory; import com.amazonaws.mobileconnectors.pinpoint.analytics.AnalyticsEvent; import com.amazonaws.mobileconnectors.pinpoint.internal.core.PinpointContext; import com.amazonaws.mobileconnectors.pinpoint.internal.core.system.AndroidPreferences; @@ -48,12 +49,15 @@ import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.net.URL; +import java.net.URLConnection; import java.util.ArrayList; import java.util.List; import java.util.Map; import java.util.Random; import java.util.concurrent.ExecutionException; +import javax.net.ssl.HttpsURLConnection; + /** * NotificationClientBase is the entry point into the Amazon Mobile Analytics SDK to * handle Pinpoint notifications. @@ -1081,7 +1085,11 @@ private class DownloadImageTask extends AsyncTask { @Override protected Bitmap doInBackground(String... urls) { try { - return BitmapFactory.decodeStream((new URL(urls[0])).openConnection().getInputStream()); + URLConnection connection = new URL(urls[0]).openConnection(); + if (connection instanceof HttpsURLConnection) { + TLS12SocketFactory.fixTLSPre21((HttpsURLConnection) connection); + } + return BitmapFactory.decodeStream(connection.getInputStream()); } catch (final IOException ex) { log.error("Cannot download or find image for rich notification.", ex); return null; From 048032a04aecb61f5c37c5bd53bce9b48f5e5fd6 Mon Sep 17 00:00:00 2001 
From: Tyler Roach Date: Fri, 7 Apr 2023 11:46:11 -0400 Subject: [PATCH 02/12] add nullability annotation --- .../src/main/java/com/amazonaws/http/TLS12SocketFactory.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java index 7e7833eff3..d4821e0b0b 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java @@ -24,9 +24,9 @@ public class TLS12SocketFactory extends SSLSocketFactory { private static final Object contextLock = new Object(); - private static SSLContext sslContext = null; public static final String TLSv1_2 = "TLSv1.2"; private static final String[] SUPPORTED_PROTOCOLS = new String[] { TLSv1_2 }; + private static SSLContext sslContext = null; private final SSLSocketFactory delegate; @Nullable @@ -48,7 +48,7 @@ public static TLS12SocketFactory createTLS12SocketFactory( return null; } - public static void fixTLSPre21(HttpsURLConnection connection) { + public static void fixTLSPre21(@NonNull HttpsURLConnection connection) { fixTLSPre21(connection, createTLS12SocketFactory()); } From f8d0ca2c02d8ff8f86de317bab4756e5bc2bf88f Mon Sep 17 00:00:00 2001 From: Tyler Roach Date: Fri, 7 Apr 2023 11:47:07 -0400 Subject: [PATCH 03/12] lint --- .../src/main/java/com/amazonaws/http/TLS12SocketFactory.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java index d4821e0b0b..1236e380a4 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java 
@@ -133,4 +133,4 @@ private Socket updateTLSProtocols(Socket socket) { } return socket; } -} \ No newline at end of file +} From fbab50c24a1edd697103982c82260909948ed497 Mon Sep 17 00:00:00 2001 From: Tyler Roach Date: Fri, 7 Apr 2023 11:55:42 -0400 Subject: [PATCH 04/12] Include SDK 21 in fix --- .../cognitoauth/util/AuthHttpClient.java | 3 +-- .../java/com/amazonaws/http/TLS12SocketFactory.java | 10 +++++----- .../main/java/com/amazonaws/http/UrlHttpClient.java | 2 +- .../src/main/java/com/amazonaws/util/HttpUtils.java | 3 +-- .../mobile/client/internal/oauth2/OAuth2Client.java | 3 +-- .../targeting/notification/NotificationClientBase.java | 2 +- 6 files changed, 10 insertions(+), 13 deletions(-) diff --git a/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java b/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java index 795fe1c145..1321f5b1ff 100644 --- a/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java +++ b/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java @@ -45,8 +45,7 @@ public String httpPost(final URL uri, final Map headerParams, fi } final HttpsURLConnection httpsURLConnection = (HttpsURLConnection) uri.openConnection(); - // Enable TLS 1.2 on Pre SDK 21 devices - TLS12SocketFactory.fixTLSPre21(httpsURLConnection); + TLS12SocketFactory.fixTLSPre22(httpsURLConnection); DataOutputStream httpOutputStream = null; BufferedReader br = null; try { diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java index 1236e380a4..8d4350ba5d 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java 
@@ -48,20 +48,20 @@ public static TLS12SocketFactory createTLS12SocketFactory( return null; } - public static void fixTLSPre21(@NonNull HttpsURLConnection connection) { - fixTLSPre21(connection, createTLS12SocketFactory()); + public static void fixTLSPre22(@NonNull HttpsURLConnection connection) { + fixTLSPre22(connection, createTLS12SocketFactory()); } - public static void fixTLSPre21( + public static void fixTLSPre22( @NonNull HttpsURLConnection connection, @Nullable TLS12SocketFactory tls12SocketFactory ) { - if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1 && tls12SocketFactory != null) { try { connection.setSSLSocketFactory(tls12SocketFactory); } catch (Exception e) { - // Failed to enabled TLS1.2 on <= Android 21 device + // Failed to enabled TLS1.2 on <= Android 22 device } } } diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java index 9605de64ff..54f066231a 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java @@ -292,7 +292,7 @@ void configureConnection(HttpRequest request, HttpURLConnection connection) { if (config.getTrustManager() != null) { enableCustomTrustManager(https); } else if (tls12SocketFactory != null) { - TLS12SocketFactory.fixTLSPre21(https, tls12SocketFactory); + TLS12SocketFactory.fixTLSPre22(https, tls12SocketFactory); } } } diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java b/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java index a6d9aeb51b..cf6b6a8947 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java 
@@ -293,8 +293,7 @@ public static InputStream fetchFile( // TODO: support proxy? final HttpURLConnection connection = (HttpURLConnection) url.openConnection(); if (connection instanceof HttpsURLConnection) { - // Enable TLS 1.2 on Pre SDK 21 devices - TLS12SocketFactory.fixTLSPre21((HttpsURLConnection) connection); + TLS12SocketFactory.fixTLSPre22((HttpsURLConnection) connection); } connection.setConnectTimeout(getConnectionTimeout(config)); connection.setReadTimeout(getSocketTimeout(config)); diff --git a/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java b/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java index 649f5c7453..76023de6ab 100644 --- a/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java +++ b/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java @@ -496,8 +496,7 @@ public static String httpPost(final URL uri, final Map headerPar } final HttpsURLConnection httpsURLConnection = (HttpsURLConnection) uri.openConnection(); - // Enable TLS 1.2 on Pre SDK 21 devices - TLS12SocketFactory.fixTLSPre21(httpsURLConnection); + TLS12SocketFactory.fixTLSPre22(httpsURLConnection); DataOutputStream httpOutputStream = null; BufferedReader br = null; try { diff --git a/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java b/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java index ffb9a1d79b..9514db10b0 100644 --- a/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java +++ b/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java 
@@ -1087,7 +1087,7 @@ protected Bitmap doInBackground(String... urls) {
 try {
 URLConnection connection = new URL(urls[0]).openConnection();
 if (connection instanceof HttpsURLConnection) {
- TLS12SocketFactory.fixTLSPre21((HttpsURLConnection) connection);
+ TLS12SocketFactory.fixTLSPre22((HttpsURLConnection) connection);
 }
 return BitmapFactory.decodeStream(connection.getInputStream());
 } catch (final IOException ex) {
From d9646be302eaae7a17f05ebb8a825edac702ba27 Mon Sep 17 00:00:00 2001
From: Tyler Roach
Date: Fri, 7 Apr 2023 11:56:29 -0400
Subject: [PATCH 05/12] Include SDK 21 in fix

---
 .../src/main/java/com/amazonaws/http/UrlHttpClient.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java
index 54f066231a..7e3e63d7f3 100644
--- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java
+++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java
@@ -55,13 +55,13 @@ public class UrlHttpClient implements HttpClient {
 private static final int BUFFER_SIZE_MULTIPLIER = 8;
 private final ClientConfiguration config;
 
- // SocketFactory for Pre SDK 21 devices to enforce TLS 1.2
+ // SocketFactory for Pre SDK 22 devices to enforce TLS 1.2
 private final TLS12SocketFactory tls12SocketFactory;
 
 // Cached SSLContext for connections using custom TrustManagers.
 private SSLContext customTrustSSLContext = null;
 
- // SocketFactory for Pre SDK 21 devices to enforce TLS 1.2 that also holds custom TrustManagers.
+ // SocketFactory for Pre SDK 22 devices to enforce TLS 1.2 that also holds custom TrustManagers.
 private TLS12SocketFactory customTrustTls12SocketFactory;
 
 /**
@@ -71,7 +71,7 @@ public class UrlHttpClient implements HttpClient {
 public UrlHttpClient(ClientConfiguration config) {
 this.config = config;
 
- // will return null if SDK > 21
+ // will return null if SDK > 22
 tls12SocketFactory = TLS12SocketFactory.createTLS12SocketFactory();
 }
 
From 9929832f203dd096e0443dead9845da2b104d15b Mon Sep 17 00:00:00 2001
From: Tyler Roach
Date: Fri, 7 Apr 2023 16:37:45 -0400
Subject: [PATCH 06/12] Add licence

---
 .../com/amazonaws/http/TLS12SocketFactory.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java
index 8d4350ba5d..6b4cdda089 100644
--- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java
+++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java
@@ -1,3 +1,17 @@
+/*
+ * Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ * http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
 package com.amazonaws.http;
 
 import android.os.Build;
From eb50a660dab3299aaecec9b482ae48802badf656 Mon Sep 17 00:00:00 2001
From: Tyler Roach Date: Fri, 21 Apr 2023 10:22:52 -0400 Subject: [PATCH 07/12] tls updates --- .../LoggingHandshakeCompletedListener.java | 38 +++++++++++++++++++ .../amazonaws/http/TLS12SocketFactory.java | 32 +++++++++++----- .../com/amazonaws/http/UrlHttpClient.java | 2 +- 3 files changed, 62 insertions(+), 10 deletions(-) create mode 100644 aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java new file mode 100644 index 0000000000..d12332ddcd --- /dev/null +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java 
@@ -0,0 +1,38 @@ +/* + * + * * Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * * + * * Licensed under the Apache License, Version 2.0 (the "License"). + * * You may not use this file except in compliance with the License. + * * A copy of the License is located at + * * + * * http://aws.amazon.com/apache2.0 + * * + * * or in the "license" file accompanying this file. This file is distributed + * * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either + * * express or implied. See the License for the specific language governing + * * permissions and limitations under the License. + * + */ + +package com.amazonaws.http; + +import com.amazonaws.logging.LogFactory; + +import javax.net.ssl.HandshakeCompletedEvent; +import javax.net.ssl.HandshakeCompletedListener; +import javax.net.ssl.SSLSession; + +public class LoggingHandshakeCompletedListener implements HandshakeCompletedListener { + + private static final com.amazonaws.logging.Log log = + LogFactory.getLog(LoggingHandshakeCompletedListener.class); + @Override + public void handshakeCompleted(HandshakeCompletedEvent event) { + SSLSession session = event.getSession(); + String protocol = session.getProtocol(); + String cipherSuite = session.getCipherSuite(); + + log.debug("Protocol: " + protocol + ", CipherSuite: " + cipherSuite); + } +} \ No newline at end of file diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java index 6b4cdda089..f2985b0e56 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java 
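Review bot: `LoggingHandshakeCompletedListener` has no class or method Javadoc, and its licence header uses a doubled `* *` prefix and a 2022 year that differ from the header added to `TLS12SocketFactory` in patch 06. A class comment such as `/** Logs the negotiated protocol and cipher suite of each completed TLS handshake at debug level; attached by TLS12SocketFactory so the effective protocol on old devices can be verified from the logs. */` records why the listener exists. The `"Protocol: " + protocol + ", CipherSuite: " + cipherSuite` string is built for every handshake even when debug output is off; if the SDK's `Log` interface offers an enabled-level check, guarding the statement with it is cheap.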
@@ -38,10 +38,11 @@ public class TLS12SocketFactory extends SSLSocketFactory { private static final Object contextLock = new Object(); - public static final String TLSv1_2 = "TLSv1.2"; - private static final String[] SUPPORTED_PROTOCOLS = new String[] { TLSv1_2 }; + private static final String[] SUPPORTED_PROTOCOLS = + new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }; private static SSLContext sslContext = null; private final SSLSocketFactory delegate; + private LoggingHandshakeCompletedListener handshakeCompletedListener; @Nullable public static TLS12SocketFactory createTLS12SocketFactory() { @@ -89,12 +90,13 @@ private TLS12SocketFactory(@Nullable SSLContext customSSLContext) // Cache SSLContext due to weight and hold static synchronized (contextLock) { if (sslContext == null) { - sslContext = SSLContext.getInstance(TLSv1_2); + sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, null, null); } } delegate = sslContext.getSocketFactory(); } + this.handshakeCompletedListener = new LoggingHandshakeCompletedListener(); } @Override 
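Review bot: `SUPPORTED_PROTOCOLS` now lists `"TLSv1"` and `"TLSv1.1"` next to `"TLSv1.2"`, and the cached context is created with `"TLS"` instead of `"TLSv1.2"`, so every socket this factory hands out may negotiate the deprecated 1.0 and 1.1 versions; the class is still called `TLS12SocketFactory` and the field comments in `UrlHttpClient` still say it "enforces TLS 1.2", which no longer matches what `updateTLSProtocols` sets. If the wider list was needed because particular devices or endpoints failed with a 1.2-only list, say so in a comment on the constant; otherwise enable `"TLSv1.2"` alone when `socket.getSupportedProtocols()` contains it and leave the delegate's defaults untouched when it does not, which keeps the pre-21 upgrade without re-enabling older versions where 1.2 works. `updateTLSProtocols` is outside this hunk; the lines below show that shape and would need `java.util.Arrays`. The new `handshakeCompletedListener` field is assigned once in the constructor and can be `private final`.
```java
private static final String[] PREFERRED_PROTOCOLS = new String[] { "TLSv1.2" };
// … unchanged: remaining fields, factory methods, constructor, createSocket overrides …
private Socket updateTLSProtocols(Socket socket) {
    if (socket instanceof SSLSocket) {
        SSLSocket sslSocket = (SSLSocket) socket;
        try {
            // Narrow the list only when the platform can offer TLSv1.2; otherwise keep
            // the delegate's defaults rather than widening them to older versions.
            if (Arrays.asList(sslSocket.getSupportedProtocols()).contains("TLSv1.2")) {
                sslSocket.setEnabledProtocols(PREFERRED_PROTOCOLS);
            }
        } catch (Exception e) {
            // TLS 1.2 may not be supported on device
        }
    }
    return socket;
}
```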
@@ -109,32 +111,44 @@ public String[] getSupportedCipherSuites() { @Override public Socket createSocket() throws IOException { - return updateTLSProtocols(delegate.createSocket()); + SSLSocket socket = (SSLSocket) delegate.createSocket(); + socket.addHandshakeCompletedListener(handshakeCompletedListener); + return updateTLSProtocols(socket); } @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { - return updateTLSProtocols(delegate.createSocket(s, host, port, autoClose)); + SSLSocket socket = (SSLSocket) delegate.createSocket(s, host, port, autoClose); + socket.addHandshakeCompletedListener(handshakeCompletedListener); + return updateTLSProtocols(socket); } @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { - return updateTLSProtocols(delegate.createSocket(host, port)); + SSLSocket socket = (SSLSocket) delegate.createSocket(host, port); + socket.addHandshakeCompletedListener(handshakeCompletedListener); + return updateTLSProtocols(socket); } @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { - return updateTLSProtocols(delegate.createSocket(host, port, localHost, localPort)); + SSLSocket socket = (SSLSocket) delegate.createSocket(host, port, localHost, localPort); + socket.addHandshakeCompletedListener(handshakeCompletedListener); + return updateTLSProtocols(socket); } @Override public Socket createSocket(InetAddress host, int port) throws IOException { - return updateTLSProtocols(delegate.createSocket(host, port)); + SSLSocket socket = (SSLSocket) delegate.createSocket(host, port); + socket.addHandshakeCompletedListener(handshakeCompletedListener); + return updateTLSProtocols(socket); } @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { - return 
updateTLSProtocols(delegate.createSocket(address, port, localAddress, localPort)); + SSLSocket socket = (SSLSocket) delegate.createSocket(address, port, localAddress, localPort); + socket.addHandshakeCompletedListener(handshakeCompletedListener); + return updateTLSProtocols(socket); } private Socket updateTLSProtocols(Socket socket) { diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java index 7e3e63d7f3..d530004aa0 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java @@ -303,7 +303,7 @@ private void enableCustomTrustManager(HttpsURLConnection connection) { config.getTrustManager() }; try { - customTrustSSLContext = SSLContext.getInstance(TLS12SocketFactory.TLSv1_2); + customTrustSSLContext = SSLContext.getInstance("TLS"); customTrustSSLContext.init(null, customTrustManagers, null); if (customTrustTls12SocketFactory == null) { From 8cbbc40d6b50a2d4dcdba2f3d2eba89004bfeeba Mon Sep 17 00:00:00 2001 From: Tyler Roach Date: Fri, 21 Apr 2023 16:44:07 -0400 Subject: [PATCH 08/12] Upgrade TLS connections on old devices to support TLSv1.2 --- .../iot/AWSIotMqttManager.java | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java index c2737ea5f7..78a917825a 100644 --- a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java +++ b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java 
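Review bot: Every `createSocket` override now casts the delegate's result to `SSLSocket` unconditionally, so a non-SSL socket from the delegate would surface as a `ClassCastException` here, while `updateTLSProtocols` still guards with `instanceof SSLSocket`; the two checks should agree. The three-line sequence (cast, `addHandshakeCompletedListener`, `updateTLSProtocols`) is repeated six times; folding it into one private helper that keeps the `instanceof` guard removes the duplication and the bare cast, leaving each override a one-liner. The last override and `updateTLSProtocols` continue past the hunk.
```java
@Override
public Socket createSocket() throws IOException {
    return prepare(delegate.createSocket());
}
// … unchanged: the other five createSocket overloads, each reduced to return prepare(delegate.createSocket(...)); …

/** Attaches the handshake logger and narrows the protocols; non-SSL sockets pass through untouched. */
private Socket prepare(Socket socket) {
    if (socket instanceof SSLSocket) {
        ((SSLSocket) socket).addHandshakeCompletedListener(handshakeCompletedListener);
    }
    return updateTLSProtocols(socket);
}
```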
@@ -24,6 +24,7 @@ import com.amazonaws.AmazonClientException; import com.amazonaws.SDKGlobalConfiguration; import com.amazonaws.auth.AWSCredentialsProvider; +import com.amazonaws.http.TLS12SocketFactory; import com.amazonaws.regions.Region; import com.amazonaws.util.StringUtils; import com.amazonaws.util.VersionInfoUtils; @@ -229,10 +230,17 @@ public boolean isMetricsEnabled() { return metricsIsEnabled; } /** - * Holds client socket factory. Set upon initial connect then reused on + * Holds client socket factory for keystore connect. Set upon initial connect then reused on * reconnect. */ private SocketFactory clientSocketFactory; + + + /** + * Holds cached SocketFactory for non-keystore connect calls on Android versions < 22 + * Set upon initial connect then reused on reconnect. + */ + private TLS12SocketFactory tls12SocketFactory; /** * Holds client provided AWS credentials provider. * Set upon initial connect. @@ -1138,6 +1146,7 @@ private void customAuthConnect(final MqttConnectOptions options) { private void mqttConnect(MqttConnectOptions options) { LOGGER.debug("ready to do mqtt connect"); + fixTLSPre22(options); options.setCleanSession(cleanSession); options.setKeepAliveInterval(userKeepAlive); @@ -1324,6 +1333,8 @@ void reconnectToSession() { handleConnectionFailure(new IllegalStateException("Unexpected value: " + authMode)); } + fixTLSPre22(options); + setupCallbackForMqttClient(); try { ++autoReconnectsAttempted; 
@@ -2055,4 +2066,18 @@ enum AuthenticationMode { public boolean getSessionPresent() { return sessionPresent; } + + /** + * Injects a SocketFactory that supports TLSv1.2 on pre 22 devices. + * If a SocketFactory is already specified (ex keystore connect uses its own), call is ignored. + * @param options for connect call + */ + private void fixTLSPre22(MqttConnectOptions options) { + if (options.getSocketFactory() == null && + Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1 + ) { + this.tls12SocketFactory = TLS12SocketFactory.createTLS12SocketFactory(); + options.setSocketFactory(tls12SocketFactory); + } + } } From cd45faf14cd4746cea6bf25018693e7689d9e947 Mon Sep 17 00:00:00 2001 From: Tyler Roach Date: Fri, 21 Apr 2023 16:47:33 -0400 Subject: [PATCH 09/12] wrap attempt to log protocol and cipher suite --- .../http/LoggingHandshakeCompletedListener.java | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java index d12332ddcd..d765862dcc 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java 
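Review bot: `fixTLSPre22` unconditionally assigns `this.tls12SocketFactory = TLS12SocketFactory.createTLS12SocketFactory()` on every call, yet the field's Javadoc added in the same patch says "Set upon initial connect then reused on reconnect", and the method is invoked from both mqttConnect and reconnectToSession, so each reconnect discards the cached factory and rebuilds an SSLContext. Either drop the field or make the cache real: `if (this.tls12SocketFactory == null) { this.tls12SocketFactory = TLS12SocketFactory.createTLS12SocketFactory(); }` before `options.setSocketFactory(tls12SocketFactory);`. `createTLS12SocketFactory()` can also return null (its trailing `return null` is visible in the TLS12SocketFactory hunk further down this series), in which case the connect proceeds with the platform default protocols without any trace in the logs; a LOGGER.warn at that point would make the downgrade observable. The Javadoc should state this fail-open behavior explicitly, e.g. append `If no TLS 1.2 factory can be created the platform default SocketFactory is kept.`.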
@@ -29,10 +29,14 @@ public class LoggingHandshakeCompletedListener implements HandshakeCompletedList LogFactory.getLog(LoggingHandshakeCompletedListener.class); @Override public void handshakeCompleted(HandshakeCompletedEvent event) { - SSLSession session = event.getSession(); - String protocol = session.getProtocol(); - String cipherSuite = session.getCipherSuite(); + try { + SSLSession session = event.getSession(); + String protocol = session.getProtocol(); + String cipherSuite = session.getCipherSuite(); - log.debug("Protocol: " + protocol + ", CipherSuite: " + cipherSuite); + log.debug("Protocol: " + protocol + ", CipherSuite: " + cipherSuite); + } catch (Exception exception) { + log.debug("Failed to log connection protocol/cipher suite", exception); + } } } \ No newline at end of file From 90445928ed3bae9e7df9eae3c6e2ad7f8df2fe9d Mon Sep 17 00:00:00 2001 From: Tyler Roach Date: Tue, 25 Apr 2023 10:34:40 -0400 Subject: [PATCH 10/12] Fix TLS only below sdk 21 --- .../cognitoauth/util/AuthHttpClient.java | 2 +- .../http/LoggingHandshakeCompletedListener.java | 2 +- .../java/com/amazonaws/http/TLS12SocketFactory.java | 12 ++++++------ .../main/java/com/amazonaws/http/UrlHttpClient.java | 8 ++++---- .../src/main/java/com/amazonaws/util/HttpUtils.java | 2 +- .../mobileconnectors/iot/AWSIotMqttManager.java | 8 ++++---- .../mobile/client/internal/oauth2/OAuth2Client.java | 2 +- .../notification/NotificationClientBase.java | 2 +- 8 files changed, 19 insertions(+), 19 deletions(-) diff --git a/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java b/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java index 1321f5b1ff..cdc1b0b854 100644 --- a/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java 
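Review bot: The new `catch (Exception exception)` around the logging is broader than anything the three calls inside are documented to throw, and nothing in the block says why a failure here is tolerated, so the next reader is likely to narrow or remove it; a one-line reason keeps the intent: `// Diagnostic only: a failure to read the session must never propagate out of the handshake callback`. Logging the caught exception at debug level is the right choice, since this listener exists only to observe the negotiated protocol and cipher suite. It is worth noting in the class Javadoc that this listener does not enforce TLS 1.2 (that appears to be done by the enabled-protocol update in TLS12SocketFactory, outside this hunk); it merely reports, so a `TLSv1` value in these logs on an old device is the signal that the factory was not applied.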
+++ b/aws-android-sdk-cognitoauth/src/main/java/com/amazonaws/mobileconnectors/cognitoauth/util/AuthHttpClient.java @@ -45,7 +45,7 @@ public String httpPost(final URL uri, final Map headerParams, fi } final HttpsURLConnection httpsURLConnection = (HttpsURLConnection) uri.openConnection(); - TLS12SocketFactory.fixTLSPre22(httpsURLConnection); + TLS12SocketFactory.fixTLSPre21(httpsURLConnection); DataOutputStream httpOutputStream = null; BufferedReader br = null; try { diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java index d765862dcc..3f27d01ebc 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/LoggingHandshakeCompletedListener.java @@ -1,6 +1,6 @@ /* * - * * Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved. + * * Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * * * Licensed under the Apache License, Version 2.0 (the "License"). * * You may not use this file except in compliance with the License. diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java index f2985b0e56..5d23af3c7f 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/TLS12SocketFactory.java @@ -53,7 +53,7 @@ public static TLS12SocketFactory createTLS12SocketFactory() { public static TLS12SocketFactory createTLS12SocketFactory( @Nullable SSLContext sslContext ) { - if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1) { + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) { try { return new TLS12SocketFactory(sslContext); } catch (Exception e) { 
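Review bot: In the `createTLS12SocketFactory(@Nullable SSLContext)` hunk the version gate now matches the other call sites, but a failed `new TLS12SocketFactory(sslContext)` falls into a `catch (Exception e)` whose body lies outside the hunk and, judging by the `return null` that opens the next hunk of this file, ends with a null factory; every caller in this series treats null as "nothing to do", so a device where the TLS 1.2 context cannot be built silently keeps the platform defaults. At minimum log the exception with its message so that downgrade can be diagnosed from the field, as LoggingHandshakeCompletedListener already does with `LogFactory.getLog`. The method also has no visible Javadoc stating this contract; `@return a TLS 1.2-enforcing factory on API < 21, or null on API >= 21 or when the factory could not be created (callers then keep platform defaults)` would make the fail-open policy explicit. The method's opening lines, and any Javadoc above it, are outside the hunk.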
@@ -63,20 +63,20 @@ public static TLS12SocketFactory createTLS12SocketFactory( return null; } - public static void fixTLSPre22(@NonNull HttpsURLConnection connection) { - fixTLSPre22(connection, createTLS12SocketFactory()); + public static void fixTLSPre21(@NonNull HttpsURLConnection connection) { + fixTLSPre21(connection, createTLS12SocketFactory()); } - public static void fixTLSPre22( + public static void fixTLSPre21( @NonNull HttpsURLConnection connection, @Nullable TLS12SocketFactory tls12SocketFactory ) { - if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1 && + if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && tls12SocketFactory != null) { try { connection.setSSLSocketFactory(tls12SocketFactory); } catch (Exception e) { - // Failed to enabled TLS1.2 on <= Android 22 device + // Failed to enabled TLS1.2 on < Android 21 device } } } diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java index d530004aa0..7a4b64e94e 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/http/UrlHttpClient.java @@ -55,13 +55,13 @@ public class UrlHttpClient implements HttpClient { private static final int BUFFER_SIZE_MULTIPLIER = 8; private final ClientConfiguration config; - // SocketFactory for Pre SDK 22 devices to enforce TLS 1.2 + // SocketFactory for Pre SDK 21 devices to enforce TLS 1.2 private final TLS12SocketFactory tls12SocketFactory; // Cached SSLContext for connections using custom TrustManagers. private SSLContext customTrustSSLContext = null; - // SocketFactory for Pre SDK 22 devices to enforce TLS 1.2 that also holds custom TrustManagers. + // SocketFactory for Pre SDK 21 devices to enforce TLS 1.2 that also holds custom TrustManagers. private TLS12SocketFactory customTrustTls12SocketFactory; /** 
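Review bot: `fixTLSPre21(HttpsURLConnection, TLS12SocketFactory)` still swallows the exception from `connection.setSSLSocketFactory` with nothing but a comment (which also has a typo, "Failed to enabled"), so a pre-21 device where the factory cannot be installed proceeds with the platform default protocols and leaves no trace in the logs. If failing open is the intended policy it should be stated and logged: replace the comment with `// Best effort: keep the platform default (possibly < TLS 1.2) if the factory cannot be installed; logged so the downgrade is visible` and emit `e` through the SDK's `LogFactory` logger as the other files in this series do. Both public overloads lack Javadoc; a short description noting that the call is a no-op on API >= 21 or when `tls12SocketFactory` is null would match the `createTLS12SocketFactory` contract. Note also that the one-argument overload builds a new factory, and therefore a new SSLContext, for every connection; the four call sites in this series use that overload, so caching the factory in a static field would avoid repeating that setup per request.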
@@ -71,7 +71,7 @@ public class UrlHttpClient implements HttpClient { public UrlHttpClient(ClientConfiguration config) { this.config = config; - // will return null if SDK > 22 + // will return null if SDK >= 21 tls12SocketFactory = TLS12SocketFactory.createTLS12SocketFactory(); } @@ -292,7 +292,7 @@ void configureConnection(HttpRequest request, HttpURLConnection connection) { if (config.getTrustManager() != null) { enableCustomTrustManager(https); } else if (tls12SocketFactory != null) { - TLS12SocketFactory.fixTLSPre22(https, tls12SocketFactory); + TLS12SocketFactory.fixTLSPre21(https, tls12SocketFactory); } } } diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java b/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java index cf6b6a8947..d7bd0adf62 100644 --- a/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java +++ b/aws-android-sdk-core/src/main/java/com/amazonaws/util/HttpUtils.java @@ -293,7 +293,7 @@ public static InputStream fetchFile( // TODO: support proxy? final HttpURLConnection connection = (HttpURLConnection) url.openConnection(); if (connection instanceof HttpsURLConnection) { - TLS12SocketFactory.fixTLSPre22((HttpsURLConnection) connection); + TLS12SocketFactory.fixTLSPre21((HttpsURLConnection) connection); } connection.setConnectTimeout(getConnectionTimeout(config)); connection.setReadTimeout(getSocketTimeout(config)); diff --git a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java index 78a917825a..384cbb0fee 100644 --- a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java +++ b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java 
@@ -1146,7 +1146,7 @@ private void customAuthConnect(final MqttConnectOptions options) { private void mqttConnect(MqttConnectOptions options) { LOGGER.debug("ready to do mqtt connect"); - fixTLSPre22(options); + fixTLSPre21(options); options.setCleanSession(cleanSession); options.setKeepAliveInterval(userKeepAlive); @@ -1333,7 +1333,7 @@ void reconnectToSession() { handleConnectionFailure(new IllegalStateException("Unexpected value: " + authMode)); } - fixTLSPre22(options); + fixTLSPre21(options); setupCallbackForMqttClient(); try { @@ -2068,11 +2068,11 @@ public boolean getSessionPresent() { } /** - * Injects a SocketFactory that supports TLSv1.2 on pre 22 devices. + * Injects a SocketFactory that supports TLSv1.2 on pre 21 devices. * If a SocketFactory is already specified (ex keystore connect uses its own), call is ignored. * @param options for connect call */ - private void fixTLSPre22(MqttConnectOptions options) { + private void fixTLSPre21(MqttConnectOptions options) { if (options.getSocketFactory() == null && Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1 ) { diff --git a/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java b/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java index 76023de6ab..3442448e28 100644 --- a/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java +++ b/aws-android-sdk-mobile-client/src/main/java/com/amazonaws/mobile/client/internal/oauth2/OAuth2Client.java @@ -496,7 +496,7 @@ public static String httpPost(final URL uri, final Map headerPar } final HttpsURLConnection httpsURLConnection = (HttpsURLConnection) uri.openConnection(); - TLS12SocketFactory.fixTLSPre22(httpsURLConnection); + TLS12SocketFactory.fixTLSPre21(httpsURLConnection); DataOutputStream httpOutputStream = null; BufferedReader br = null; try { 
diff --git a/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java b/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java index 9514db10b0..ffb9a1d79b 100644 --- a/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java +++ b/aws-android-sdk-pinpoint/src/main/java/com/amazonaws/mobileconnectors/pinpoint/targeting/notification/NotificationClientBase.java @@ -1087,7 +1087,7 @@ protected Bitmap doInBackground(String... urls) { try { URLConnection connection = new URL(urls[0]).openConnection(); if (connection instanceof HttpsURLConnection) { - TLS12SocketFactory.fixTLSPre22((HttpsURLConnection) connection); + TLS12SocketFactory.fixTLSPre21((HttpsURLConnection) connection); } return BitmapFactory.decodeStream(connection.getInputStream()); } catch (final IOException ex) { From dc985264af6acace17a9b02432d2e988f5fd24fb Mon Sep 17 00:00:00 2001 From: Tyler Roach Date: Tue, 25 Apr 2023 10:35:22 -0400 Subject: [PATCH 11/12] fix comment --- .../com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java index 384cbb0fee..c387db011a 100644 --- a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java +++ b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java 
@@ -237,7 +237,7 @@ public boolean isMetricsEnabled() { /** - * Holds cached SocketFactory for non-keystore connect calls on Android versions < 22 + * Holds cached SocketFactory for non-keystore connect calls on Android versions < 21 * Set upon initial connect then reused on reconnect. */ private TLS12SocketFactory tls12SocketFactory; From 490c0e575c8cd3a34d218d0dc06c078c018551f2 Mon Sep 17 00:00:00 2001 From: Tyler Roach Date: Mon, 8 May 2023 11:27:57 -0400 Subject: [PATCH 12/12] Limit to < 21 --- .../com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java index c387db011a..922398d946 100644 --- a/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java +++ b/aws-android-sdk-iot/src/main/java/com/amazonaws/mobileconnectors/iot/AWSIotMqttManager.java @@ -2074,7 +2074,7 @@ public boolean getSessionPresent() { */ private void fixTLSPre21(MqttConnectOptions options) { if (options.getSocketFactory() == null && - Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1 + Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP ) { this.tls12SocketFactory = TLS12SocketFactory.createTLS12SocketFactory(); options.setSocketFactory(tls12SocketFactory);