[Android] Update OkHttp to 3.14.9 to improve security #30609
Conversation
facebook-github-bot
added
the
CLA Signed
Base commit: fa406ac |
|
@WookieFPV could you please rebase so that Android CI works as expected. |
Base commit: fa406ac |
|
@dulmandakh thank you, the android CI now works as expected. |
|
Please, remember to bump okio as well. |
|
The latest okio Version 1.X is already used. This should be fine in my optionion. |
|
@fkgozali I would propose merge this PR, because bumping okhttp to 4.x would add Kotlin as a dependency, also some APIs changed thus tests are failing. |
There was a problem hiding this comment.
@fkgozali has imported this pull request. If you are a Facebook employee, you can view this diff on Phabricator.
Summary
Okhttp 3.12.X allows Connections using TLS 1.0 and TLS1.1.
TLS 1.0 and TLS 1.1 are no longer secure.
Google, Mozilla, Microsoft, and Apple announced that their browsers will require TLSv1.2 or better starting in early 2020.
https://square.github.io/okhttp/changelog_3x/#version-310
https://github.com/facebook/react-native/wiki/Changelog
Starting from 3.13.0 TLSv1 and TLSv1.1 are no longer enabled by default.
3.13.0 requires JAVA 8 and Android SDK 21 (which was blocking the Upgrade in the Past).
Changelog
[Android] [Changed] - Update Okhttp to version 3.14.19
Test Plan
Current tests should pass.
Connections using TLS 1.0 and TLS 1.1 should not be possible.