title date categories tags
Android 5.0以下TLS1.x SSLHandshakeException
2016-11-30 12:17:02 -0800
Android
Android
TLSv1.x

最近把App的所有请求都换成Https,在测试的时候,部分手机发现请求失败,失败的异常信息如下:

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x783e8e70: Failure in SSL library, usually a protocol error

error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x71a20cf8:0x00000000)

该异常为握手失败,但是为什么有的手机可以成功有的手机又失败了呢,首先查看我们服务端接口TLS支持的版本为1.x,后来发现失败的手机都是5.x以下的版本,推测应该是和这个有关,然后查阅官方文档,SSLSocket中有提到TLS版本和Android SDK版本的对应表,如下:

Protocol Supported (API Levels) Enabled by default (API Levels)
SSLv3 1+ 1+
TLSv1 1+ 1+
TLSv1.1 16+ 20+
TLSv1.2 16+ 20+

通过这个表看到,TLSv1.x(1.1,1.2)Android默认从API16开始支持,而从API20开始默认可用,这就可以解释之前为什么5.x以下手机在进行请求时失败了。

知道问题的原因,我们就要解决,当然服务端可以支持TLSv1版本,这样我们就都可以请求成功,但是这并不是最好的解决方法,我们当然要让我们的App支持新的TLS协议才对。

通过官方文档发现Cipher suites有的也是API20+支持或者默认可用,所以我们如果想支持TLSv1.x版本,可能需要给低版本添加Cipher suites,所以我们需要自定义SSLSocketFactory,自定义的SSLSocketFactory如下:

public class SSL extends SSLSocketFactory {

    private SSLSocketFactory defaultFactory;

    // Android 5.0+ (API level21) provides reasonable default settings

    // but it still allows SSLv3

    // https://developer.android.com/about/versions/android-5.0-changes.html#ssl

    static String protocols[] = null, cipherSuites[] = null;

    static {

        try {

            SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();

            if (socket != null) {

                /* set reasonable protocol versions */

                // - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0)

                // - remove all SSL versions (especially SSLv3) because they're insecure now

                List<String> protocols = new LinkedList<>();

                for (String protocol : socket.getSupportedProtocols())

                    if (!protocol.toUpperCase().contains("SSL"))

                        protocols.add(protocol);

                SSL.protocols = protocols.toArray(new String[protocols.size()]);

                /* set up reasonable cipher suites */

                if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {

                    // choose known secure cipher suites

                    List<String> allowedCiphers = Arrays.asList(

                            // TLS 1.2

                            "TLS_RSA_WITH_AES_256_GCM_SHA384",

                            "TLS_RSA_WITH_AES_128_GCM_SHA256",

                            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",

                            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",

                            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",

                            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

                            "TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256",

                            // maximum interoperability

                            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",

                            "TLS_RSA_WITH_AES_128_CBC_SHA",

                            // additionally

                            "TLS_RSA_WITH_AES_256_CBC_SHA",

                            "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",

                            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",

                            "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",

                            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");

                    List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());

                    // take all allowed ciphers that are available and put them into preferredCiphers

                    HashSet<String> preferredCiphers = new HashSet<>(allowedCiphers);

                    preferredCiphers.retainAll(availableCiphers);

                    /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling

                     * ciphers which are enabled by default, but have become unsecure), but I guess for

                     * the security level of DAVdroid and maximum compatibility, disabling of insecure

                     * ciphers should be a server-side task */

                    // add preferred ciphers to enabled ciphers

                    HashSet<String> enabledCiphers = preferredCiphers;

                    enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites())));

                    SSL.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]);

                }

            }

        } catch (IOException e) {

            throw new RuntimeException(e);

        }

    }

    public SSL(X509TrustManager tm) {

        try {

            SSLContext sslContext = SSLContext.getInstance("TLS");

            sslContext.init(null, (tm != null) ? new X509TrustManager[]{tm} : null, null);

            defaultFactory = sslContext.getSocketFactory();

        } catch (GeneralSecurityException e) {

            throw new AssertionError(); // The system has no TLS. Just give up.

        }

    }

    private void upgradeTLS(SSLSocket ssl) {

        // Android 5.0+ (API level21) provides reasonable default settings

        // but it still allows SSLv3

        // https://developer.android.com/about/versions/android-5.0-changes.html#ssl

        if (protocols != null) {

            ssl.setEnabledProtocols(protocols);

        }

        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && cipherSuites != null) {

            ssl.setEnabledCipherSuites(cipherSuites);

        }

    }

    @Override public String[] getDefaultCipherSuites() {

        return cipherSuites;

    }

    @Override public String[] getSupportedCipherSuites() {

        return cipherSuites;

    }

    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {

        Socket ssl = defaultFactory.createSocket(s, host, port, autoClose);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

    @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException {

        Socket ssl = defaultFactory.createSocket(host, port);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {

        Socket ssl = defaultFactory.createSocket(host, port, localHost, localPort);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

    @Override public Socket createSocket(InetAddress host, int port) throws IOException {

        Socket ssl = defaultFactory.createSocket(host, port);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {

        Socket ssl = defaultFactory.createSocket(address, port, localAddress, localPort);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

}

然后我们只需要给我们的请求设置这个SSLSocketFactory就可以了,我们以okhttp为例,如下:

//定义一个信任所有证书的TrustManager

final X509TrustManager trustAllCert = new X509TrustManager() {

    @Override

    public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {

    }

    @Override

    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {

    }

    @Override

    public java.security.cert.X509Certificate[] getAcceptedIssuers() {

        return new java.security.cert.X509Certificate[]{};

    }

};

//设置OkHttpClient

OkHttpClient client = new OkHttpClient.Builder().sslSocketFactory(new SSL(trustAllCert), trustAllCert).build();

设置之后,用低版本手机测试Https,现在可以测试成功了。

Android 使用 HTTPS 问题解决(SSLHandshakeException)的更多相关文章

  1. 关于Android的https通讯安全

    原文链接:http://pingguohe.net/2016/02/26/Android-App-secure-ssl.html 起因 前段时间,同事拿着一个代码安全扫描出来的 bug 过来咨询,我一 ...

  2. Android Material Design Ripple Effect在Android5.0(SDK=21)以下Android版本崩溃问题解决

    Android Material Design Ripple Effect在Android5.0(SDK=21)以下Android版本崩溃问题解决 附录1的Android Ripple Effect水 ...

  3. fiddler Android下https抓包全攻略

    fiddler Android下https抓包全攻略 fiddler的http.https的抓包功能非常强大,可非常便捷得对包进行断点跟踪和回放,但是普通的配置对于像招商银行.支付宝.陌陌这样的APP ...

  4. Android使用https与服务器交互的正确姿势

    HTTPS 使用 SSL 在客户端和服务器之间进行加密通信,错误地使用 SSL ,将会导致其它人能够拦截网络上的应用数据. 使用一个包含公钥及与其匹配的私钥的证书配置服务器,作为 SSL 客户端与服务 ...

  5. android SDK 更新问题解决

    Android在win7更新SDK时出现问题: Download interrupted: hostname in certificate didn't  match: <dl-ssl.goog ...

  6. Android开发-Android Studio使用问题解决

    回头一看,很久没来更新了,归其原因,还是懒癌发作,倒是生活作息规律了,几乎每天都在11点前休息.今天趁着培训,使用android studio,发现几个坑: 1.android studio每次都提示 ...

  7. 解决Android调用https服务API时出错的问题

    今天同事告诉我说他的应用调用我开发的API报异常了,原因跟SSL有关系,因为之前调试一直调用的是HTTP服务API,今天调试HTTPS服务API时报错了,并且找到了一篇文章让我看了一眼,文章中提到了W ...

  8. android studio 不能在线更新android SDK Manager问题解决办法

    Failed to fetch URL https://dl-ssl.google.com/android/repository/addons_list-2.xml, reason: Connecti ...

  9. Android : 关于HTTPS、TLS/SSL认证以及客户端证书导入方法

    一.HTTPS 简介 HTTPS 全称 HTTP over TLS/SSL(TLS就是SSL的新版本3.1).TLS/SSL是在传输层上层的协议,应用层的下层,作为一个安全层而存在,翻译过来一般叫做传 ...

随机推荐

  1. element-ui table 嵌套

    嵌套的时时候用template,数据 scope.row.xxx <template> <div> <el-table :data="urls" st ...

  2. Controller层aop

    利用@Around通知修改Controller的返回值 自定义一个注解@OperationBtn 在切入点Controller上加上自定义注解 接下来就是重点了,AspectJ写切面类,对该Contr ...

  3. body标签

    标签(空格分隔): body标签 body标签: 想要在网页上展示出来的内容一定要放在body标签中. 把我们之前那一段HTML代码贴过来,保存到一个HTML格式的文件中. <!DOCTYPE ...

  4. javascript中的getter和setter

    在ECMAScript 5中,属性值可以用一个或两个方法代替,这两个方法就是getter和setter var man = { name : 'lidg', weibo : '@lidg', get ...

  5. 语义分割之Dual Attention Network for Scene Segmentation

    Dual Attention Network for Scene Segmentation 在本文中,我们通过 基于自我约束机制捕获丰富的上下文依赖关系来解决场景分割任务.       与之前通过多尺 ...

  6. [leetcode]17. Letter Combinations of a Phone Number手机键盘的字母组合

    Given a string containing digits from 2-9 inclusive, return all possible letter combinations that th ...

  7. linux resin 安装 配置 相关

    resin跟tomcat一样,也是解析jsp网站的,也需要JDK的支持,所以第一步也是安装JDK,安装JDK的方法参考Tomcat中的安装JDK部分.下面介绍安装resin.resin官网http:/ ...

  8. py2和py3的区别总结

    1.编码 python2默认编码方式ASCII码(不能识别中文,要在文件头部加上  #-*- encoding:utf-8 -*-  指定编码方式) python3默认编码方式unicode(可识别中 ...

  9. 20172306 2018-2019-2 《Java程序设计》第五周学习总结

    20172306 2018-2019-2 <Java程序设计>第五周学习总结 教材学习内容总结 查找 查找中,我们对这些算法的实现就是对某个Comparable对象的数组进行查找 泛型声明 ...

  10. windows远程桌面连接时,显示发生身份验证错误,给函数提供的身份无效

    摘自:https://www.landui.com/help/show-7787 初次看到这个错误的时候懵了.访问给的地址一看,发现大概意思是不安全了,微软要更新一下 凭据安全支持提供程序协议 (Cr ...