Android: TLS 1.3 with OkHttp and Conscrypt on all Android versions (Tested on 4.1+)
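// Android 4.1+
// OkHttp 3.12.x is the release line that still runs on Android 4.x.
dependencies {
    implementation 'com.squareup.okhttp3:okhttp:3.12.13'
    implementation 'org.conscrypt:conscrypt-android:2.5.2'
}

// Android 5.0+
// Alternative to the block above: declare one of the two, not both.
dependencies {
    implementation 'com.squareup.okhttp3:okhttp:4.10.0'
    implementation 'org.conscrypt:conscrypt-android:2.5.2'
}
// NOTE(review): the versions are the ones published with this snippet. Both libraries
// sit on the TLS path, so check each project's release notes for security fixes and
// pin to a currently maintained release before shipping.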
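// Init Conscrypt
Provider conscrypt = Conscrypt.newProvider();
// Add as provider. Position 1 is the most-preferred slot, so Conscrypt also answers
// every provider-less getInstance() lookup in the process, not just this client's TLS.
Security.insertProviderAt(conscrypt, 1);
// Init OkHttp
// NOTE(review): the rest of this statement is missing from this copy of the snippet;
// newBuilder() is the minimal completion. No connectionSpecs(...) call survives either,
// so OkHttp's default connection specs apply unless you set one from the table below.
OkHttpClient.Builder okHttpBuilder = new OkHttpClient().newBuilder();
// OkHttp 3.12.x
// ConnectionSpec.COMPATIBLE_TLS = TLS1.0
// ConnectionSpec.MODERN_TLS = TLS1.0 + TLS1.1 + TLS1.2 + TLS 1.3
// ConnectionSpec.RESTRICTED_TLS = TLS 1.2 + TLS 1.3
// OkHttp 3.13+
// ConnectionSpec.COMPATIBLE_TLS = TLS1.0 + TLS1.1 + TLS1.2 + TLS 1.3
// ConnectionSpec.MODERN_TLS = TLS1.2 + TLS 1.3
// ConnectionSpec.RESTRICTED_TLS = TLS 1.2 + TLS 1.3
//
// OkHttp only offers versions that are both in the chosen spec and enabled on the
// socket, so the protocol list applied by InternalSSLSocketFactory is what keeps
// TLS 1.0/1.1 off even where a spec above still lists them.
try {
    // Certificate validation stays with Conscrypt's default trust manager; nothing
    // here relaxes it.
    X509TrustManager tm = Conscrypt.getDefaultX509TrustManager();
    SSLContext sslContext = SSLContext.getInstance("TLS", conscrypt);
    // null key managers: no client certificate. null SecureRandom: provider default.
    sslContext.init(null, new TrustManager[] { tm }, null);
    okHttpBuilder.sslSocketFactory(new InternalSSLSocketFactory(sslContext.getSocketFactory()), tm);
} catch (Exception e) {
    // NOTE(review): the original handler body is missing from this copy. Fail closed:
    // swallowing the error would build a client on the platform's default TLS stack,
    // which on old Android releases is exactly what this setup is meant to replace.
    throw new IllegalStateException("Conscrypt TLS setup failed", e);
}
// Build OkHttp
OkHttpClient okHttpClient = okHttpBuilder.build();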
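/**
 * {@link SSLSocketFactory} decorator that restricts every TLS socket it hands out to an
 * allow-list of protocol versions (TLS 1.2 and TLS 1.3).
 *
 * <p>Socket creation and cipher-suite queries are delegated unchanged to the wrapped
 * factory; only the enabled protocol list of the returned socket is modified. Cipher
 * suites, certificate validation and hostname verification are not touched here.
 */
public final class InternalSSLSocketFactory extends SSLSocketFactory {

    /**
     * Protocol versions this factory will enable. TLS 1.0 and 1.1 are left out on
     * purpose (both are deprecated by RFC 8996); do not add them back for compatibility
     * without accepting that downgrade.
     */
    private static final String[] ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"};

    private final SSLSocketFactory mSSLSocketFactory;

    /**
     * @param sslSocketFactory the factory that actually creates the sockets; must not be null
     * @throws NullPointerException if {@code sslSocketFactory} is null
     */
    public InternalSSLSocketFactory(SSLSocketFactory sslSocketFactory) {
        // Explicit check instead of java.util.Objects so the class also runs on the
        // oldest Android releases this snippet targets.
        if (sslSocketFactory == null) {
            throw new NullPointerException("sslSocketFactory");
        }
        this.mSSLSocketFactory = sslSocketFactory;
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return mSSLSocketFactory.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return mSSLSocketFactory.getSupportedCipherSuites();
    }

    @Override
    public Socket createSocket() throws IOException {
        return enableTLSOnSocket(mSSLSocketFactory.createSocket());
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return enableTLSOnSocket(mSSLSocketFactory.createSocket(s, host, port, autoClose));
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return enableTLSOnSocket(mSSLSocketFactory.createSocket(host, port));
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
        return enableTLSOnSocket(mSSLSocketFactory.createSocket(host, port, localHost, localPort));
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return enableTLSOnSocket(mSSLSocketFactory.createSocket(host, port));
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return enableTLSOnSocket(mSSLSocketFactory.createSocket(address, port, localAddress, localPort));
    }

    /**
     * Limits {@code socket} to the allowed protocol versions that it actually supports.
     *
     * <p>Sockets that are not {@link SSLSocket}s are returned untouched. Passing a
     * version the socket does not support to {@code setEnabledProtocols} is rejected
     * with an unchecked exception, so the allow-list is intersected with the socket's
     * supported protocols first. A delegate without TLS 1.3 therefore still gets
     * TLS 1.2 instead of failing every connection.
     *
     * @throws IOException if the socket supports none of the allowed versions; the
     *         socket is closed first so a connection is never left on weaker defaults
     */
    private Socket enableTLSOnSocket(Socket socket) throws IOException {
        if (!(socket instanceof SSLSocket)) {
            return socket;
        }
        SSLSocket sslSocket = (SSLSocket) socket;
        java.util.List<String> supported = java.util.Arrays.asList(sslSocket.getSupportedProtocols());
        java.util.List<String> usable = new java.util.ArrayList<String>();
        for (String protocol : ALLOWED_PROTOCOLS) {
            if (supported.contains(protocol)) {
                usable.add(protocol);
            }
        }
        if (usable.isEmpty()) {
            try {
                sslSocket.close();
            } catch (IOException ignored) {
                // Best effort: the failure reported below is the one that matters.
            }
            throw new javax.net.ssl.SSLException(
                    "Socket supports none of the allowed TLS versions (TLSv1.2, TLSv1.3)");
        }
        sslSocket.setEnabledProtocols(usable.toArray(new String[0]));
        return sslSocket;
    }
}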
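// NOTE(review): the URL literal is empty in this copy of the snippet, and the build()
// and newCall(...) lines were missing; they are restored here as the minimal completion.
Request request = new Request.Builder()
        .url("") // You can try another TLS 1.3 capable HTTPS server
        .build();
okHttpClient.newCall(request).enqueue(new Callback() {
    @Override
    public void onFailure(final Call call, IOException e) {
        // Log the exception too: a handshake failure is the signal that the protocol
        // or provider setup is not what was intended.
        Log.d(LOG, "onFailure()", e);
    }

    @Override
    public void onResponse(Call call, final Response response) throws IOException {
        try {
            // The negotiated version and suite are what to check here; a TLS_1_2
            // result means the server or the socket fell back from TLS 1.3.
            Log.d(LOG, "onResponse() tlsVersion=" + response.handshake().tlsVersion());
            Log.d(LOG, "onResponse() cipherSuite=" + response.handshake().cipherSuite().toString());
        } finally {
            // The response must be closed, otherwise its connection is leaked.
            response.close();
        }
    }
});
// D/TestApp##: onResponse() tlsVersion=TLS_1_3
// D/TestApp##: onResponse() cipherSuite=TLS_AES_256_GCM_SHA384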