Re: [paho-dev] Android service: security issues

Hi David,

Try using "TLS" instead of "SSL". I have an example on GitHub.

https://github.com/manolodd/mqtt_tls_selfsigned_certificate

Hope it helps.


2015-09-03 21:37 GMT+02:00 David Portilla Abellán <dportilla12@xxxxxxxxx>:
Hi all,

When creating a MqttAndroidClient using SSL it is not possible to choose the protocol. This is because the method getSSLSocketFactory creates the SSLContext with this line:

ctx = SSLContext.getInstance("SSL");

This will force to SSL 3.0 or lower, and these versions have known vulnerabilities. I propose to add a parameter in the method for choosing the version, or force to "TLSv1.2" (but this implies Android API's 16+).

Another improvement I'd like to propose is client authentication with TLS. For this, the same method needs to be modified to read a private key, create a KeyManager and load it into the SSL context. I already tested it and it works fine.

Regards.

David






--
---
Manuel Domínguez Dorado
ingeniero ARROBA ManoloDominguez PUNTO com
http://www.ManoloDominguez.com
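
The two proposals in the quoted message (an explicit protocol version, and a KeyManager for client authentication) can be combined in one socket factory. The sketch below is an added example, not code from Paho or from either poster; the class name PinnedTlsFactory and its constructor parameters are hypothetical, and it assumes the client key is supplied as a PKCS#12 stream.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import javax.net.ssl.*;
// Added example, not Paho code. Class and parameter names are hypothetical.
public class PinnedTlsFactory extends SSLSocketFactory {
    private static final String[] PROTOCOLS = {"TLSv1.2"}; // needs Android API 16+
    private final SSLSocketFactory delegate;

    // clientKeys: PKCS#12 stream with the client key and certificate, or null
    // to skip client authentication. trustedCa: key store holding the broker's
    // CA certificate, or null to use the platform trust store.
    public PinnedTlsFactory(InputStream clientKeys, char[] password, KeyStore trustedCa)
            throws Exception {
        KeyManager[] km = null;
        if (clientKeys != null) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(clientKeys, password);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
            km = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustedCa); // a null key store selects the default trusted CAs
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(km, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // Restrict every socket to the pinned versions, whatever the provider enables.
    private Socket pin(Socket s) {
        if (s instanceof SSLSocket) ((SSLSocket) s).setEnabledProtocols(PROTOCOLS);
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return pin(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean c) throws IOException { return pin(delegate.createSocket(s, h, p, c)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return pin(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return pin(delegate.createSocket(a, p)); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress l, int lp) throws IOException { return pin(delegate.createSocket(a, p, l, lp)); }

    public static void main(String[] args) throws Exception {
        // No key material: default trust store, no client certificate.
        SSLSocket s = (SSLSocket) new PinnedTlsFactory(null, null, null).createSocket();
        System.out.println(String.join(",", s.getEnabledProtocols()));
    }
}
```

An instance can be handed to the Paho client through MqttConnectOptions.setSocketFactory before connecting.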
