Android Question MQTT client and TLS1.2

VTSinLincoln

Is there any way of enabling TLS1.2 support in the existing jMQTT client library (V1.00)? It only appears to support TLS1.0 which is now deprecated, or about to become so. (While TLS V1.0 is probably sufficient for my needs - I'm not using it for financial transactions - I'd still prefer to use something closer to the bleeding edge).

If I can't make the existing client use TLS1.2, what do I need to do to create a new library from the latest Eclipse Paho project (which does support TLS1.2)? I'm guessing I need to install Eclipse and not just use the Simple Library Compiler?
 

VTSinLincoln

The error I get is:
B4X:
java.net.SocketTimeoutException: SSL handshake timed out

The broker is a custom (C#) one based on a NuGet package MQTTnet. It uses a Let's Encrypt certificate which all works correctly with a test MQTTnet client.

When I got the error with my Android test client, I downloaded the latest source from GitHub and changed the server authentication code from
B4X:
await sslStream.AuthenticateAsServerAsync(_tlsCertificate, false, SslProtocols.Tls12, false).ConfigureAwait(false);
to
B4X:
await sslStream.AuthenticateAsServerAsync(_tlsCertificate, false, SslProtocols.Tls, false).ConfigureAwait(false);

My broker then worked with my Android test client. :)

I've subsequently changed the broker code back to TLS1.2 and done some more testing. I've discovered the error only appears with an old Android 4.4 tablet (which as luck would have it was what I was doing my initial testing with :(). On newer devices, TLS v1.2 is negotiated quite successfully (so the existing MQTT client *does* support TLS1.2).

Problem identified (not quite solved).

Thanks for the quick response.
 

VTSinLincoln

The custom security provider appears to say it installed, but things don't look good after that (and a TLS1.2 only broker still rejects it):

Provider installed successfully
created
Connecting
GC_CONCURRENT freed 380K, 15% free 6699K/7872K, paused 2ms+2ms, total 9ms
created
WS reader created and started
running
created
WS writer created and started
Status: 101 (Switching Protocols)
opening handshake received
GC_FOR_ALLOC freed 356K, 18% free 7030K/8532K, paused 9ms, total 9ms
connected
onOpen() called, ready to rock.
{"data":[],"etype":"setAutomaticEvents"}
quit
ended
WebSockets Close received (1000 - null)
quit
ended
quit
error: null
-1 received
writer error
java.lang.InterruptedException
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:1992)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2026)
at java.util.concurrent.ArrayBlockingQueue.take(ArrayBlockingQueue.java:373)
at anywheresoftware.b4a.remotelogger.Connector$Writer.run(Connector.java:160)
at java.lang.Thread.run(Thread.java:841)
Starting remote logger. Port: 29707
After accept
-1 received
writer error
java.lang.InterruptedException
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.reportInterruptAfterWait(AbstractQueuedSynchronizer.java:1992)
at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2026)
at java.util.concurrent.ArrayBlockingQueue.take(ArrayBlockingQueue.java:373)
at anywheresoftware.b4a.remotelogger.Connector$Writer.run(Connector.java:160)
at java.lang.Thread.run(Thread.java:841)
Starting remote logger. Port: 29707


I've currently got the broker accepting TLS V1.0 and V1.2. I think the simplest thing is to limit the app to Android 5 (or 6) and above. Plus maybe root my test device and install something later on it!
 