Bug 49430 - TLS 1.2 on randomuser.me not supported, event with
Status: RESOLVED ANSWERED
Alias: None
Product: Android
Classification: Xamarin
Component: Mono runtime / AOT Compiler
Version: 7.1 (C9)
Hardware: PC Windows
Assignee: Marek Habersack
Reported: 2016-12-09 13:48 UTC by softlion
Modified: 2016-12-13 15:43 UTC

Description softlion 2016-12-09 13:48:42 UTC
App:
Android 4.4 device (Samsung S3) and Android 6 device
HttpClient implementation: "Android client Handler" (Default)

Test image:
https://randomuser.me/api/portraits/med/men/99.jpg

I have been able to make it work using the stable ModernHttpClient NuGet, BUT then the app crashes randomly when HTTP calls are made in OkHttp code.
The same app (Xamarin Forms app) works fine on iOS using Apple TLS / NSUrlHandler.

Symptom:
Android log contains a message like "can not decrypt" or "can not establish a secure connection" or "can not find an algorithm", can't remember exactly.

Comment 1 Marek Habersack 2016-12-12 14:40:15 UTC
The default HTTP handler doesn't support TLS 1.2, you need to use the "AndroidClientHandler" option for the HTTP client - it will work with TLS 1.2 *IF* the underlying Java.NET implementation supports it on your device.

Comment 2 softlion 2016-12-12 16:29:30 UTC
> you need to use the "AndroidClientHandler" option for the HTTP client

I wrote "My HttpClient implementation: "Android client Handler"".
So I'm already using it.

>  it will work with TLS 1.2 *IF* the underlying Java.NET implementation supports it on your device.

And what devices are supported? This is not advertised!
I've checked Samsung S3/Android 4.4 and Samsung A3/Android 5.0, both "not supported".

OkHttp does work fine 90% of the time for TLS 1.2 on both devices.
But 10% of crashes is not acceptable.

Comment 3 Marek Habersack 2016-12-12 18:08:40 UTC
You wrote "Android client Handler (Default)" and the default is NOT AndroidClientHandler but the standard System.Net.Http handler which does not support TLS 1.2.

As for devices - this is a question for Google, we don't know which Google Android versions and, especially, the modified vendor Android versions, support TLS 1.2.

OkHttp (https://square.github.io/okhttp/) is a Java framework, you should file a bug with them if the issue is in their code.

Comment 4 softlion 2016-12-12 20:18:35 UTC
> "Android client Handler (Default)" and the default is NOT AndroidClientHandler

Steps to reproduce:
- Open an Android project in Visual Studio.
- Open Properties/Android Options/Advanced.
- In the Http client implementation field, hover the blue "i" (information) icon.
You can read in the first 2 lines:
"Default: if no value is specified, defaults to AndroidClientHandler."

Screen capture: https://justpaste.it/11bxa

Support for TLS 1.2:
https://www.ssllabs.com/ssltest/clients.html
Android 4.4+

OkHttp does support TLS 1.2 on my devices. So my devices support it.

Xamarin   4.2.1.64 (872717c)
Visual Studio extension to enable development for Xamarin.iOS and Xamarin.Android.

Xamarin.Android   7.0.2.37 (ce955cc)
Visual Studio extension to enable development for Xamarin.Android.

Xamarin.iOS   10.2.1.5 (44931ae)
Visual Studio extension to enable development for Xamarin.iOS.

Comment 5 softlion 2016-12-13 11:31:15 UTC
It seems that the Mono provider is used, even if AndroidClientHandler is specified in the configuration.

It is true that I'm always overriding the HttpClientHandler used by HttpClient, with a custom one that derives from HttpClientHandler.
And that is why it was still using the old Mono TLS provider.

It is not clear in the Xamarin doc that these options only switch the default handler used, and that a custom handler must derive from the respective platform version instead of HttpClientHandler to provide the same level of features.

Comment 6 softlion 2016-12-13 11:32:26 UTC
So this is resolved. I've switched to AndroidClientHandler and all TLS works much better.
Just update the doc plz.
Thxs.
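
The cause identified in comments 5 and 6, shown as an added example that is not part of the original thread and is not Xamarin's own code: a handler passed explicitly to `HttpClient` overrides the project's "HttpClient implementation" setting, so custom logic has to sit on top of `AndroidClientHandler` to get the platform TLS stack. The class names, the `X-App-Version` header and the factory are hypothetical; the startup check walks the handler chain so a regression to the managed handler fails loudly instead of surfacing later as a TLS handshake error.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Xamarin.Android.Net; // AndroidClientHandler

// Before: custom logic derived from the managed HttpClientHandler. Passing this
// to HttpClient bypasses the project setting, so Mono's TLS provider is used.
public class ManagedHeaderHandler : HttpClientHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        request.Headers.TryAddWithoutValidation("X-App-Version", "1.0"); // constructed value
        return base.SendAsync(request, ct);
    }
}

// After: the same logic as a DelegatingHandler, with the transport chosen explicitly.
public class AppHeaderHandler : DelegatingHandler
{
    public AppHeaderHandler(HttpMessageHandler inner) : base(inner) { }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        request.Headers.TryAddWithoutValidation("X-App-Version", "1.0"); // constructed value
        return base.SendAsync(request, ct);
    }
}

public static class HttpClientFactory // hypothetical helper
{
    // Follow DelegatingHandler.InnerHandler down to the handler that opens the connection.
    public static HttpMessageHandler Innermost(HttpMessageHandler handler)
    {
        while (handler is DelegatingHandler d && d.InnerHandler != null)
            handler = d.InnerHandler;
        return handler;
    }

    public static HttpClient Create()
    {
        HttpMessageHandler handler = new AppHeaderHandler(new AndroidClientHandler());
        if (!(Innermost(handler) is AndroidClientHandler))
            throw new InvalidOperationException("Transport handler is not AndroidClientHandler.");
        return new HttpClient(handler);
    }
}
```
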

Comment 7 Marek Habersack 2016-12-13 14:14:15 UTC
@softlion, which docs do you have in mind in comment 5?

Comment 8 Jonathan Pryor 2016-12-13 15:43:07 UTC
Related: Bug #49828.