
OpenSSL for Android

I am using the following OpenSSL library for Android

My application needs to support TLS 1.2 (TLSv2). I want to know whether the above library supports TLS 1.2, and which OpenSSL version the above library is built upon?

According to the code this is only OpenSSL 1.0.0a. TLS 1.2 support was added with OpenSSL 1.0.1, so this library does not support TLS 1.2. BTW, TLS 1.2 is TLSv1_2 and not TLSv2.

I am using the following OpenSSL library for Android

According to Steffen, it's a downlevel version. You might consider building it yourself. You can find information on OpenSSL's wiki: OpenSSL and Android.

Or, you could fetch 1.0.1h from this GitHub: Noloader GitHub. The GitHub has OpenSSL 1.0.1h built for both API 14 (GCC 4.6 toolchain) and API 18 (GCC 4.8 toolchain).

Does the OpenSSL library support TLS 1.2, and which OpenSSL version is the above library built upon?

If you are working with a modern version of OpenSSL, then TLS 1.2 will be available by default (unless on a distro like Debian or Ubuntu, which disabled TLS 1.1 and TLS 1.2 prior to about 2014). If the distro has not disabled the protocol, then you should perform the following to tighten up the protocols:

#include <openssl/ssl.h>

/* Useless return value ??? */
SSL_library_init();

/* SSLv23_method() negotiates the highest version both peers support;
   the SSLv2/SSLv3 floor is removed with SSL_CTX_set_options() below. */
const SSL_METHOD* method = SSLv23_method();
if (method == NULL) handleFailure();

SSL_CTX* ctx = SSL_CTX_new(method);
if (ctx == NULL) handleFailure();

/* Cannot fail ??? */
/* NO_SSLv2 | NO_SSLv3 leaves TLS 1.0 and up; NO_COMPRESSION defends against CRIME. */
const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);

The code above provides you with TLS 1.0 and above. You will be fine with TLS since it's ubiquitous (hence, no need for SSLv3). The code will also ensure TLS 1.3 is available once it's standardized (the IETF is standardizing it now). And it disables compression because of attacks like CRIME.

There's also an opportunity to tighten up the cipher suites. You should provide 16 or 20 or so approved ciphers and no more. There's no reason to be using export-grade ciphers, RC4 or MD5 in 2014. Plus, if you advertise all 80+ ciphers, it causes some appliances to break, like older F5s and IronPorts. The appliances used a fixed-size buffer that was too small, and they choke/hang on the ClientHello.
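The protocol and cipher-suite tightening described in this answer, plus the version check from Steffen's answer, as an added example that is not part of the original post or of the libraries it links. It uses Python's standard ssl module, which drives the same OpenSSL SSL_CTX that the C snippet configures, so it runs without an Android toolchain. The cipher list, the weak-suite markers and all function names are assumptions chosen for the example; it also raises the floor to TLS 1.2, which the question requires, instead of the TLS 1.0 floor the C code leaves, and it contrasts the tightened context with a deliberately loose one that advertises every suite the library was built with.

```python
import ssl

# Constructed example cipher list (not from the original page): a short set of
# forward-secret AEAD suites, far below the "all 80+ ciphers" the answer warns about.
HARDENED_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
])

# Substrings that mark suite families a review would reject: export grade,
# RC4, MD5, NULL/anonymous, DES/3DES, DSS, and pre-shared-key/SRP exotica.
WEAK_MARKERS = ("EXP", "RC4", "MD5", "NULL", "ADH", "AECDH", "DES", "DSS", "PSK", "SRP")


def supports_tls12():
    """Steffen's point: TLS 1.2 arrived in OpenSSL 1.0.1, so anything older
    (such as the 1.0.0a build in the question) cannot negotiate it."""
    return ssl.OPENSSL_VERSION_INFO >= (1, 0, 1) and ssl.HAS_TLSv1_2


def loose_context():
    """Deliberately weak (assumed baseline): every suite the linked OpenSSL was
    built with and nothing tightened, like SSLv23_method() + SSL_CTX_new() alone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_context():
    """Python counterpart of the C snippet in the answer, plus cipher tightening."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # same role as SSLv23_method()
    # SSL_OP_NO_COMPRESSION from the C code (CRIME). Python already sets this
    # bit by default; the explicit OR keeps the intent visible in the source.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Modern replacement for SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3: set the floor
    # directly. TLS 1.2 rather than the answer's TLS 1.0, as the question needs.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)   # SSL_CTX_set_cipher_list() in C
    return ctx


def cipher_names(ctx):
    """Names of every suite the context would advertise in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Return the subset of suite names that match a rejected family."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def check_context(ctx):
    """What a reviewer verifies before shipping: how many suites are advertised,
    whether a rejected family slipped in, and the compression/protocol floor."""
    names = cipher_names(ctx)
    return {
        "cipher_count": len(names),          # includes OpenSSL's fixed TLS 1.3 suites
        "weak_suites": weak_suites(names),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "TLS 1.2 available:", supports_tls12())
    for label, ctx in (("loose", loose_context()), ("hardened", hardened_context())):
        print(label, check_context(ctx))
```

Run it against the OpenSSL your Python links: the loose context reports the long advertised list, the hardened one a short list with no rejected families, compression off and a TLS 1.2 floor. The same check_context logic applies to a native build by reading SSL_CTX_get_ciphers() and SSL_CTX_get_options() from C; keeping the count small is what protects against the fixed-buffer appliances the answer mentions.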
