標籤:about avd ash ceo ret retain fail throws cal
| title | date | categories | tags | |||
|---|---|---|---|---|---|---|
| Android 5.0以下TLS1.x SSLHandshakeException | 2016-11-30 12:17:02 -0800 |
|
|
最近把App的所有請求都換成Https,在測試的時候,部分手機發現請求失敗,失敗的異常資訊如下:
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x783e8e70: Failure in SSL library, usually a protocol errorerror:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol (external/openssl/ssl/s23_clnt.c:714 0x71a20cf8:0x00000000)
該異常為握手失敗,但是為什麼有的手機可以成功有的手機又失敗了呢,首先查看我們服務端介面TLS支援的版本為1.x,後來發現失敗的手機都是5.x以下的版本,推測應該是和這個有關,然後查閱官方文檔,SSLSocket中有提到TLS版本和Android SDK版本的對應表,如下:
| Protocol | Supported (API Levels) | Enabled by default (API Levels) |
|---|---|---|
| SSLv3 | 1+ | 1+ |
| TLSv1 | 1+ | 1+ |
| TLSv1.1 | 16+ | 20+ |
| TLSv1.2 | 16+ | 20+ |
通過這個表看到,TLSv1.x(1.1,1.2)Android預設從API16開始支援,而從API20開始預設可用,這就可以解釋之前為什麼5.x以下手機在進行請求時失敗了。
知道問題的原因,我們就要解決,當然服務端可以支援TLSv1版本,這樣我們就都可以請求成功,但是這並不是最好的解決方案,我們當然要讓我們的App支援新的TLS協議才對。
通過官方文檔發現Cipher suites有的也是API20+支援或者預設可用,所以我們如果想支援TLSv1.x版本,可能需要給低版本添加Cipher suites,所以我們需要自訂SSLSocketFactory,自訂的SSLSocketFactory如下:
public class SSL extends SSLSocketFactory { private SSLSocketFactory defaultFactory; // Android 5.0+ (API level21) provides reasonable default settings // but it still allows SSLv3 // https://developer.android.com/about/versions/android-5.0-changes.html#ssl static String protocols[] = null, cipherSuites[] = null; static { try { SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(); if (socket != null) { /* set reasonable protocol versions */ // - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0) // - remove all SSL versions (especially SSLv3) because they‘re insecure now List<String> protocols = new LinkedList<>(); for (String protocol : socket.getSupportedProtocols()) if (!protocol.toUpperCase().contains("SSL")) protocols.add(protocol); SSL.protocols = protocols.toArray(new String[protocols.size()]); /* set up reasonable cipher suites */ if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) { // choose known secure cipher suites List<String> allowedCiphers = Arrays.asList( // TLS 1.2 "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256", // maximum interoperability "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", // additionally "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites()); // take all allowed ciphers that are available and put them into preferredCiphers HashSet<String> preferredCiphers = new HashSet<>(allowedCiphers); preferredCiphers.retainAll(availableCiphers); /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling * ciphers which are enabled by default, but have become unsecure), but I guess for * the security level of DAVdroid and maximum compatibility, disabling of insecure * ciphers should be a server-side task */ // add preferred ciphers to enabled ciphers HashSet<String> enabledCiphers = preferredCiphers; enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites()))); SSL.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]); } } } catch (IOException e) { throw new RuntimeException(e); } } public SSL(X509TrustManager tm) { try { SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, (tm != null) ? new X509TrustManager[]{tm} : null, null); defaultFactory = sslContext.getSocketFactory(); } catch (GeneralSecurityException e) { throw new AssertionError(); // The system has no TLS. Just give up. } } private void upgradeTLS(SSLSocket ssl) { // Android 5.0+ (API level21) provides reasonable default settings // but it still allows SSLv3 // https://developer.android.com/about/versions/android-5.0-changes.html#ssl if (protocols != null) { ssl.setEnabledProtocols(protocols); } if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && cipherSuites != null) { ssl.setEnabledCipherSuites(cipherSuites); } } @Override public String[] getDefaultCipherSuites() { return cipherSuites; } @Override public String[] getSupportedCipherSuites() { return cipherSuites; } @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { Socket ssl = defaultFactory.createSocket(s, host, port, autoClose); if (ssl instanceof SSLSocket) upgradeTLS((SSLSocket) ssl); return ssl; } @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { Socket ssl = defaultFactory.createSocket(host, port); if (ssl instanceof SSLSocket) upgradeTLS((SSLSocket) ssl); return ssl; } @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { Socket ssl = defaultFactory.createSocket(host, port, localHost, localPort); if (ssl instanceof SSLSocket) upgradeTLS((SSLSocket) ssl); return ssl; } @Override public Socket createSocket(InetAddress host, int port) throws IOException { Socket ssl = defaultFactory.createSocket(host, port); if (ssl instanceof SSLSocket) upgradeTLS((SSLSocket) ssl); return ssl; } @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { Socket ssl = defaultFactory.createSocket(address, port, localAddress, localPort); if (ssl instanceof SSLSocket) upgradeTLS((SSLSocket) ssl); return ssl; }}
然後我們只需要給我們的請求設定這個SSLSocketFactory就可以了,我們以okhttp為例,如下:
//定義一個信任所有認證的TrustManagerfinal X509TrustManager trustAllCert = new X509TrustManager() { @Override public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { } @Override public java.security.cert.X509Certificate[] getAcceptedIssuers() { return new java.security.cert.X509Certificate[]{}; }};//設定OkHttpClientOkHttpClient client = new OkHttpClient.Builder().sslSocketFactory(new SSL(trustAllCert), trustAllCert).build();
設定之後,用低版本手機測試Https,現在可以測試成功了。
Android 使用 Https問題解決(SSLHandshakeException)
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
