Closed zedherle closed 2 years ago
As per https://developer.android.com/reference/javax/net/ssl/SSLSocket#protocols
TLS1.3 is only available in Android API level 29+
Thank you for the information. I was also reading here and found that okhttp3 provides a way to pass through it. Here is the link: https://stackoverflow.com/questions/55539513/how-to-enable-tlsv1-3-for-okhttp-3-12-x-on-android-8-9
Just wanted to clarify if this helps in any way?
sync-android doesn't use OkHttp directly, it uses the java.net.ssl.HttpsURLConnection from the Android platform. AIUI (historically at least) the Android implementation of that class was based on OkHttp and used it under the hood, but I don't think that matters here; in the post you are referencing it appears that the client is directly using OkHttp (i.e. bundled in their app) - sync-android doesn't offer a way to change the HTTP implementation.
TLS 1.3 should work automatically with sync-android when using Android API level 29+.
If you want to try and enable it on an older version of Android then I think you'll need to customize and configure the default SSLSocketFactory available to HttpsURLConnection. I imagine you'll also need to supply a TLS1.3 provider to actually provide that factory since the built-in providers on older Android platforms don't have TLS1.3.
Thank you again for the details.
I have a situation like this - I have an Android tablet and I am replicating it through TLS 1.3 nginx. This in fact worked fine with successful replication.
Interestingly, when I paired a Bluetooth device (not headsets), be it another phone, the whole replication from the tablet stopped over that network.
Could this be any interceptor issue? Maybe TLS 1.3 rejecting it?
@ricellis do you have any thoughts on this scenario?
> I have an Android tablet and I am replicating it through TLS 1.3 nginx. This in fact worked fine with successful replication.
So if TLSv1.3 works I don't understand why you think there is a TLSv1.3 problem. Are you saying that this exact scenario worked without TLSv1.3 previously and only since changing to TLSv1.3 you now experience replication failure when a bluetooth device is connected?
> replication from the tablet stopped over that network
Stopped or failed? Do you have any error messages or stack traces?
> Could this be any interceptor issue? Maybe TLS 1.3 rejecting it?
I doubt it, unless you're using interceptors to change network configuration. What interceptors are you using?
The only interceptor we use related to TLS is one that helps older versions of Android make a TLSv1.2 connection (which is the minimum that Cloudant supports and the highest that is provided by the platform on older Androids). It enables a TLSv1.2 socket factory on Android API levels < 20. I don't think this should be involved because your Android environment is newer than API level 20 (you listed your environment as API level 22 when opening the issue, but you also said TLSv1.3 was working which makes me think 29).
Over TLS 1.3 nginx - replication fails (not really stops) when the Bluetooth is paired. But if I reduce the TLS to 1.2 it will start working again even when Bluetooth is paired.
So wanted to clarify if you have come across.
I am using an Android tablet of 5.1.1
Never heard of a problem like this.
Since TLSv1.3 isn't available from the platform in that level of Android my guess would be that whatever mechanism you are using to enable it is disrupted by a side-effect action of the bluetooth connection. For example, if you are configuring the default SSLSocketFactory to a provider that supports TLSv1.3 but the bluetooth side of your application is also configuring the default SSLSocketFactory to a different provider then it could wipe out the TLSv1.3 support.
I don't think this is a sync-android problem anyway - if you think it is then please provide us with some error logs and more information about the configuration.
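A diagnostic for the hypothesis in the comment above, as an added example (not code from sync-android or from anyone in this thread): it logs which protocols the process-wide default SSLSocketFactory used by HttpsURLConnection currently enables, and detects when something has replaced that default. The class name and the TLSv1.2-only replacement in `main` are constructed for illustration; the protocols reported depend on the installed security providers.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class DefaultFactoryCheck {

    /** Protocols a client socket from this factory would offer in its handshake. */
    static String[] enabledProtocols(SSLSocketFactory factory) throws IOException {
        // Unconnected socket: no network traffic, only its configuration is read.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            return socket.getEnabledProtocols();
        }
    }

    static boolean offersTls13(SSLSocketFactory factory) throws IOException {
        return Arrays.asList(enabledProtocols(factory)).contains("TLSv1.3");
    }

    /** One-line summary suitable for logging before each replication attempt. */
    static String describe(String label, SSLSocketFactory factory) throws IOException {
        return label + ": " + factory.getClass().getName()
                + "@" + Integer.toHexString(System.identityHashCode(factory))
                + " enabled=" + Arrays.toString(enabledProtocols(factory));
    }

    public static void main(String[] args) throws Exception {
        // Snapshot the default that HttpsURLConnection will use.
        SSLSocketFactory atStartup = HttpsURLConnection.getDefaultSSLSocketFactory();
        System.out.println(describe("startup", atStartup));

        // Constructed stand-in for another part of the app replacing the
        // process-wide default with a factory limited to TLSv1.2 and below.
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(tls12.getSocketFactory());

        // Re-check: a different instance means the default was overwritten.
        SSLSocketFactory now = HttpsURLConnection.getDefaultSSLSocketFactory();
        System.out.println(describe("current", now));
        if (now != atStartup) {
            System.out.println("default SSLSocketFactory was replaced; TLSv1.3 offered: "
                    + offersTls13(now));
        }
    }
}
```

Logging the `describe` line before and after the Bluetooth pairing shows whether the default factory or its enabled protocols changed between the working and failing runs.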
Exactly. It's weird. Thank you for providing valuable inputs. Will figure out and let you know.
I have also tried it in Android 10 now, it failed there too after pairing it with BT device.
I wanted to share this info - the BT device that I was using was trying for an HTTPS connection over that network. It fails with SSL handshake, and the subsequent connection will also be dropped. Hence replication also failed.
Bug Description
1. Steps to reproduce and the simplest code sample possible to demonstrate the issue
I am trying to replicate over a TLS 1.3 network using the latest version of the library. It seems that it disconnects. Are there any issues with this specific protocol?
2. What you expected to happen
I was expecting a replication between endpoints.
3. What actually happened
Replication failed.
Environment details