title date categories tags
Android 5.0以下TLS1.x SSLHandshakeException
2016-11-30 12:17:02 -0800
Android
Android
TLSv1.x

最近把App的所有请求都换成Https,在测试的时候,部分手机发现请求失败,失败的异常信息如下:

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x783e8e70: Failure in SSL library, usually a protocol error

error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x71a20cf8:0x00000000)

该异常为握手失败,但是为什么有的手机可以成功有的手机又失败了呢,首先查看我们服务端接口TLS支持的版本为1.x,后来发现失败的手机都是5.x以下的版本,推测应该是和这个有关,然后查阅官方文档,SSLSocket中有提到TLS版本和Android SDK版本的对应表,如下:

Protocol Supported (API Levels) Enabled by default (API Levels)
SSLv3 1+ 1+
TLSv1 1+ 1+
TLSv1.1 16+ 20+
TLSv1.2 16+ 20+

通过这个表看到,TLSv1.x(1.1,1.2)Android默认从API16开始支持,而从API20开始默认可用,这就可以解释之前为什么5.x以下手机在进行请求时失败了。

知道问题的原因,我们就要解决,当然服务端可以支持TLSv1版本,这样我们就都可以请求成功,但是这并不是最好的解决方法,我们当然要让我们的App支持新的TLS协议才对。

通过官方文档发现Cipher suites有的也是API20+支持或者默认可用,所以我们如果想支持TLSv1.x版本,可能需要给低版本添加Cipher suites,所以我们需要自定义SSLSocketFactory,自定义的SSLSocketFactory如下:

public class SSL extends SSLSocketFactory {

    private SSLSocketFactory defaultFactory;

    // Android 5.0+ (API level21) provides reasonable default settings

    // but it still allows SSLv3

    // https://developer.android.com/about/versions/android-5.0-changes.html#ssl

    static String protocols[] = null, cipherSuites[] = null;

    static {

        try {

            SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();

            if (socket != null) {

                /* set reasonable protocol versions */

                // - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0)

                // - remove all SSL versions (especially SSLv3) because they're insecure now

                List<String> protocols = new LinkedList<>();

                for (String protocol : socket.getSupportedProtocols())

                    if (!protocol.toUpperCase().contains("SSL"))

                        protocols.add(protocol);

                SSL.protocols = protocols.toArray(new String[protocols.size()]);

                /* set up reasonable cipher suites */

                if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {

                    // choose known secure cipher suites

                    List<String> allowedCiphers = Arrays.asList(

                            // TLS 1.2

                            "TLS_RSA_WITH_AES_256_GCM_SHA384",

                            "TLS_RSA_WITH_AES_128_GCM_SHA256",

                            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",

                            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",

                            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",

                            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

                            "TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256",

                            // maximum interoperability

                            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",

                            "TLS_RSA_WITH_AES_128_CBC_SHA",

                            // additionally

                            "TLS_RSA_WITH_AES_256_CBC_SHA",

                            "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",

                            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",

                            "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",

                            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");

                    List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());

                    // take all allowed ciphers that are available and put them into preferredCiphers

                    HashSet<String> preferredCiphers = new HashSet<>(allowedCiphers);

                    preferredCiphers.retainAll(availableCiphers);

                    /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling

                     * ciphers which are enabled by default, but have become unsecure), but I guess for

                     * the security level of DAVdroid and maximum compatibility, disabling of insecure

                     * ciphers should be a server-side task */

                    // add preferred ciphers to enabled ciphers

                    HashSet<String> enabledCiphers = preferredCiphers;

                    enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites())));

                    SSL.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]);

                }

            }

        } catch (IOException e) {

            throw new RuntimeException(e);

        }

    }

    public SSL(X509TrustManager tm) {

        try {

            SSLContext sslContext = SSLContext.getInstance("TLS");

            sslContext.init(null, (tm != null) ? new X509TrustManager[]{tm} : null, null);

            defaultFactory = sslContext.getSocketFactory();

        } catch (GeneralSecurityException e) {

            throw new AssertionError(); // The system has no TLS. Just give up.

        }

    }

    private void upgradeTLS(SSLSocket ssl) {

        // Android 5.0+ (API level21) provides reasonable default settings

        // but it still allows SSLv3

        // https://developer.android.com/about/versions/android-5.0-changes.html#ssl

        if (protocols != null) {

            ssl.setEnabledProtocols(protocols);

        }

        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && cipherSuites != null) {

            ssl.setEnabledCipherSuites(cipherSuites);

        }

    }

    @Override public String[] getDefaultCipherSuites() {

        return cipherSuites;

    }

    @Override public String[] getSupportedCipherSuites() {

        return cipherSuites;

    }

    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {

        Socket ssl = defaultFactory.createSocket(s, host, port, autoClose);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

    @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException {

        Socket ssl = defaultFactory.createSocket(host, port);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {

        Socket ssl = defaultFactory.createSocket(host, port, localHost, localPort);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

    @Override public Socket createSocket(InetAddress host, int port) throws IOException {

        Socket ssl = defaultFactory.createSocket(host, port);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {

        Socket ssl = defaultFactory.createSocket(address, port, localAddress, localPort);

        if (ssl instanceof SSLSocket)

            upgradeTLS((SSLSocket) ssl);

        return ssl;

    }

}

然后我们只需要给我们的请求设置这个SSLSocketFactory就可以了,我们以okhttp为例,如下:

//定义一个信任所有证书的TrustManager

final X509TrustManager trustAllCert = new X509TrustManager() {

    @Override

    public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {

    }

    @Override

    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {

    }

    @Override

    public java.security.cert.X509Certificate[] getAcceptedIssuers() {

        return new java.security.cert.X509Certificate[]{};

    }

};

//设置OkHttpClient

OkHttpClient client = new OkHttpClient.Builder().sslSocketFactory(new SSL(trustAllCert), trustAllCert).build();

设置之后,用低版本手机测试Https,现在可以测试成功了。

Android 使用 HTTPS 问题解决(SSLHandshakeException)的更多相关文章

  1. 关于Android的https通讯安全

    原文链接:http://pingguohe.net/2016/02/26/Android-App-secure-ssl.html 起因 前段时间,同事拿着一个代码安全扫描出来的 bug 过来咨询,我一 ...

  2. Android Material Design Ripple Effect在Android5.0(SDK=21)以下Android版本崩溃问题解决

    Android Material Design Ripple Effect在Android5.0(SDK=21)以下Android版本崩溃问题解决 附录1的Android Ripple Effect水 ...

  3. fiddler Android下https抓包全攻略

    fiddler Android下https抓包全攻略 fiddler的http.https的抓包功能非常强大,可非常便捷得对包进行断点跟踪和回放,但是普通的配置对于像招商银行.支付宝.陌陌这样的APP ...

  4. Android使用https与服务器交互的正确姿势

    HTTPS 使用 SSL 在客户端和服务器之间进行加密通信,错误地使用 SSL ,将会导致其它人能够拦截网络上的应用数据. 使用一个包含公钥及与其匹配的私钥的证书配置服务器,作为 SSL 客户端与服务 ...

  5. android SDK 更新问题解决

    Android在win7更新SDK时出现问题: Download interrupted: hostname in certificate didn't  match: <dl-ssl.goog ...

  6. Android开发-Android Studio使用问题解决

    回头一看,很久没来更新了,归其原因,还是懒癌发作,倒是生活作息规律了,几乎每天都在11点前休息.今天趁着培训,使用android studio,发现几个坑: 1.android studio每次都提示 ...

  7. 解决Android调用https服务API时出错的问题

    今天同事告诉我说他的应用调用我开发的API报异常了,原因跟SSL有关系,因为之前调试一直调用的是HTTP服务API,今天调试HTTPS服务API时报错了,并且找到了一篇文章让我看了一眼,文章中提到了W ...

  8. android studio 不能在线更新android SDK Manager问题解决办法

    Failed to fetch URL https://dl-ssl.google.com/android/repository/addons_list-2.xml, reason: Connecti ...

  9. Android : 关于HTTPS、TLS/SSL认证以及客户端证书导入方法

    一.HTTPS 简介 HTTPS 全称 HTTP over TLS/SSL(TLS就是SSL的新版本3.1).TLS/SSL是在传输层上层的协议,应用层的下层,作为一个安全层而存在,翻译过来一般叫做传 ...

随机推荐

  1. python3编译安装no module named _ssl

    使用源码编译安装python3.6.7以后用pip 安装库, 出现如下问题 Retrying (Retry(total=4, connect=None, read=None, redirect=Non ...

  2. Mybatis-PageHelper分页插件

    PageHelper.startPage 静态方法调用 除了 PageHelper.startPage 方法外,还提供了类似用法的 PageHelper.offsetPage 方法. 在你需要进行分页 ...

  3. 438. Find All Anagrams in a String

    原题: 438. Find All Anagrams in a String 解题: 两个步骤 1)就是从s中逐步截取p长度的字符串 2)将截取出的字符串和p进行比较,比较可以用排序,或者字典比较(这 ...

  4. Linux下常用系统分析工具总结(转)

    1.1 top top命令可以实时动态地查看系统的整体运行情况,是一个综合了多方信息监测系统性能和运行信息的实用工具. Top常用的可选参数和其对应的含义如下: (1)-c:显示完整的命令: (2)- ...

  5. 微信小程序---setData

    data:{ obj:{ name:'hello' } } 对data中obj的name字段进行重新赋值. onLoad: function (option) { var value = 'obj.n ...

  6. uvm_pre_do

    https://blog.csdn.net/tingtang13/article/details/46535649 1.uvm_do 封装了一系列接口,封装越多,灵活性越差.所以增加了三个接口:pre ...

  7. 【python深入】collections-Counter使用总结

    关于collections的使用,首先介绍:Counter的使用 需要执行:from collections import Counter 在很多使用到dict和次数的场景下,Python中用Coun ...

  8. c#: WebBrowser控制台输出

    还是处理视频下载所相关的问题. 有些网站,它的页面代码是由页面加载后js动态生成,那么其原始的html便不能用.页面渲染后的代码,是我们需要的 c#中,我用WebBrowser这个控件处理.设置项目类 ...

  9. Django model进阶

    Django-model进阶   QuerySet 可切片 使用Python 的切片语法来限制查询集记录的数目 .它等同于SQL 的LIMIT 和OFFSET 子句. >>> Ent ...

  10. etcd-v2第二集

    参考文章:https://github.com/coreos/etcd/blob/master/Documentation/v2/api.mdhttp://www.cnblogs.com/zhengr ...