What version of Cognito uses TLS 1.2? #3086
Comments
@hvar90 I do not believe the SDK selects a specific version, instead using what the device defaults to. What is the minSDK version of your application? It is likely older devices are using TLS 1.1 or possibly even 1.0. We are aware of these upcoming enforcements and are looking into explicitly setting TLS connection version in the SDK in a future update.
minSdkVersion 23 is the min SDK. Does that SDK use TLS 1.2?
TLS 1.2 is enabled by default on 23+, but 1.1 is likely also enabled and the device is choosing that. We will look to provide an update that will choose the higher version.
OK, I will close this issue when the update is released....
@tylerjroach Would this only be for Cognito, or for dependencies like S3 and such as well?
This applies to any of the Android SDK libs that make network calls @carterhudson.
Hi @tylerjroach, the deadline for this enforcement is already on the horizon. Do you have a release date already planned? Thanks.
While we still do not yet have an update that ensures Android devices < sdk 21 have TLS 1.2 enabled, if you are using a minSDKVersion of 21+, the eventual change should not have any impact. The planned change is to ensure TLS 1.2 is enabled on older devices, not to completely disable 1.0/1.1 from the networking clients used on our libraries. After further research, Client (device) and Server should negotiate to the highest TLS version supported by both. This should result in no impact once TLS 1.0/1.1 support is dropped from the server-side. Newer devices should already be negotiating to TLS 1.2 anyway. If anyone has also received the email referenced in the initial report, please let us know if you are seeing high connection counts with TLS 1.0/1.1 on v21+ devices. This should not be the case, but please reach out if that is seen.
Thanks for the quick answer @tylerjroach. Actually we have 30k devices or more that run Android 4.4 (API 19) and those are the problem in my case. So only an update to the SDK to force TLS 1.2 for everything lower than API 21 would actually work once the older TLS version support is dropped. That's why I need to know if this will be released soon, otherwise I would have to find another way to solve it. In the end it's not easy to run full regression tests on all our devices and be able to release our apps with the new SDK from one day to another. Is that change I mentioned something you have planned? If yes, for when?
@oh-giovanirocha Thank you for that context. We will be prioritizing this issue to ensure that customers have enough time to pull the changes in, and deploy their own applications with the updates in place.
Throwing another hat (or many) into this ring as well: We've got around 2000 legacy devices stuck on 4.1, so if we could avoid having to manually build out an S3 transport using SSLSocket for ourselves, it would be greatly appreciated.
@everydave42 by the lack of update (no milestone, branch or anything yet) I highly recommend you to fork and add the fix, in my case there is no way we could wait any longer and still meet the deadline to update all our devices.
Wanted to provide an update on this ticket. We do have a PR that we are currently testing that enables TLS 1.2 support on these older devices. I'll provide an additional update here once it's merged and released.
@oh-giovanirocha I understand that you have a large number of these older devices. For internal testing, if you are currently forking the build, please try 3258 and report any issues you may see. We understand the urgency here and the deadline approaching. This change impacts a lot of services and we are being careful to ensure the applied fix does not cause any regressions. We expect to have wrapped up with testing very soon.
Hi @tylerjroach, unfortunately I won't be able to help you with testing anymore. We already forked master and added the fix weeks ago. Right now QA has almost finished testing and we are only missing regression to be able to get the green light to release. Your PR looks good, I did it in a simpler way, forcing TLS 1.2 and totally removing the 1.0 and 1.1 versions since they are not supported anymore anyway.
@oh-giovanirocha Thank you, in a follow-up release, we will drop 1.0 and 1.1 as you have done. There is a small risk that some non Play Services devices will not support 1.2, even with this change. We wanted to ensure that we are not prematurely breaking those devices until 1.0 and 1.1 support is fully dropped. I will still provide updates in this thread when the changes go live, and hopefully we can get you back on the main release soon.
Just as an FYI @tylerjroach, our devices are all non Play services and have been working fine using only TLS 1.2 so far, so I think you don't need to worry about it.
The 2.69.0 version of the lib with this change has solved the issue for us. Thank you.
@everydave42 glad to hear! Pinging others in the thread that may be looking for this update: @hvar90, @carterhudson
State your question
I received this email from AWS. I want to know what version of aws-android-sdk-cognito uses TLS 1.2, because Cognito 2.16.5 is using TLS 1.1.
I need to update Cognito to use TLS 1.2. What version should I use?
Which AWS Services are you utilizing?
aws-android-sdk-cognito 2.16.5
Environment:
aws-android-sdk-cognito:2.16.5
Device Information :
Linux/3.0.8-00367-g0bb73f2 Dalvik/1.6.0/0