Android-HttpsURLConnectionTester

Android utility app for the purpose of testing HttpsURLConnection.

Primary language: Java. License: GNU General Public License v2.0 (GPL-2.0).

A little Android utility app for the purpose of testing HttpsURLConnection to help debug SSL/TLS connection errors.

Helpful Links

Android 4.x

Interesting problem:

  • the list of cipher suites reported by SSL Labs for Android HTTP clients is based on tests of its WebView
  • excerpt:
    • Further research leads me to believe that the discrepancy is due to the fact that Android 4.4 (API 19) actually does not support any of these (TLS 1.2) cipher suites natively.
    • WebView has started to gain more modern TLS support than the underlying Android operating system itself.

My own observations:

  • releases in v2.x work pretty well
    • the only problem that I've encountered, and it's non-trivial, is that hosts using a certificate signed by the most common Let's Encrypt root certificate almost always require unsupported cipher suites
      • SSL Labs reports that some are supported
      • WebView can successfully load the URL
      • HttpsURLConnection fails
  • my post on the Let's Encrypt forum asks for advice, and includes a more detailed discussion of:
    • how I updated all system root certificates
    • lists of hosts with a successful TLS handshake
    • lists of hosts with a failed TLS handshake

Workaround using Conscrypt:

My understanding of Conscrypt is that it:

  • implements many modern cipher suites
  • plugs directly into the Java Security model as the preferred Provider
  • isn't tiny
    • about 4 MB for all 4x ABIs
    • about 1 MB per ABI
  • can either be:

Release Flavors:

  • withInternalConscryptSecurityProvider
    • Conscrypt is bundled as an internal library
    • releases a separate APK for each ABI
  • withSharedExternalConscryptOrDefaultSecurityProvider
    • Conscrypt is loaded from a shared app
    • falls back to use the default native Security Provider when either:
      • this app isn't available
      • this app isn't signed by a trusted source
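
The provider fallback described above, sketched as an added example (not code from this app): it installs Conscrypt as the preferred provider when the library is on the classpath, otherwise keeps the default provider, then reports the enabled cipher suites and attempts a handshake. The class name `ProviderProbe`, the plain `main` entry point and the URL argument are assumptions for illustration; the signature check on a shared provider app is not shown.

```java
import java.net.URL;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

// Hypothetical class name; added example, not code from this app.
public class ProviderProbe {
    // Insert Conscrypt at position 1 (most preferred) if it is on the classpath.
    // Returns false, leaving the default provider order untouched, when it is not.
    static boolean installConscryptIfPresent() {
        try {
            Class<?> c = Class.forName("org.conscrypt.Conscrypt");
            Provider p = (Provider) c.getMethod("newProvider").invoke(null);
            Security.removeProvider(p.getName()); // drop any lower-priority copy first
            return Security.insertProviderAt(p, 1) == 1;
        } catch (ReflectiveOperationException | LinkageError e) {
            return false; // fall back to the platform's default provider
        }
    }

    public static void main(String[] args) throws Exception {
        boolean conscrypt = installConscryptIfPresent();
        SSLContext ctx = SSLContext.getInstance("TLS"); // served by the preferred provider
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        System.out.println("Conscrypt installed: " + conscrypt);
        System.out.println("Provider:  " + ctx.getProvider().getName());
        System.out.println("Protocols: " + Arrays.toString(enabled.getProtocols()));
        System.out.println("Suites:    " + Arrays.toString(enabled.getCipherSuites()));
        if (args.length == 0) return; // no URL given: only report capabilities
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(10_000);
        try {
            conn.connect(); // performs the TLS handshake
            System.out.println("Negotiated: " + conn.getCipherSuite());
        } catch (SSLException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

Comparing the printed suite list with and without Conscrypt on the classpath shows whether a failed handshake comes from missing cipher suites rather than from certificate trust.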

Legal