Android pre-lollipop 设备给出错误 "SSL handshake aborted: ssl=0x618d9c18: I/O error during system call, Connection reset by peer"
Android pre-lollipop devices giving error "SSL handshake aborted: ssl=0x618d9c18: I/O error during system call, Connection reset by peer"
我遇到了这个奇怪的问题,改造一直让我感到困惑
"SSL handshake aborted: ssl=0x618d9c18: I/O error during system call,
Connection reset by peer"
在 kitkat 中,而相同的代码在棒棒糖设备中运行良好。我正在使用如下所示的 OkHttpClient 客户端
public OkHttpClient getUnsafeOkHttpClient() {
try {
final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
@Override
public void checkClientTrusted(
java.security.cert.X509Certificate[] chain,
String authType) {
}
@Override
public void checkServerTrusted(
java.security.cert.X509Certificate[] chain,
String authType) {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[0];
}
} };
int cacheSize = 10 * 1024 * 1024; // 10 MB
Cache cache = new Cache(getCacheDir(), cacheSize);
final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, trustAllCerts,
new java.security.SecureRandom());
final SSLSocketFactory sslSocketFactory = sslContext
.getSocketFactory();
OkHttpClient okHttpClient = new OkHttpClient();
okHttpClient = okHttpClient.newBuilder()
.cache(cache)
.sslSocketFactory(sslSocketFactory)
.hostnameVerifier(org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER).build();
return okHttpClient;
} catch (Exception e) {
throw new RuntimeException(e);
}
}
我正在像这样改造使用这个客户端
Retrofit retrofit = new Retrofit.Builder()
.baseUrl(URL)
.client(getUnsafeOkHttpClient())
.addConverterFactory(GsonConverterFactory.create())
.build();
编辑:添加 getUnsafeOkHttpClient() 在这里没有效果,完全不建议使用 getUnsafeOkHttpClient()
绕过 ssl 检查
仅供参考:问题是因为 api 端点仅支持 TLS 1.2,默认情况下在 android 设备上禁用 16<device<20。因此,对于 16<device<20,创建自定义 SSLSocketFactory
我在这里得到了 api.data.gov.in 的 SSL/TLS 信息 - https://www.ssllabs.com/ssltest/analyze.html?d=api.data.gov.in
看起来它只支持TLSv1.2。旧 Android 版本确实与最新的 TLS 版本存在问题。在 ssllabs 页面的 "Handshake Simulation" 部分,您甚至可以看到您的问题。
有关可用解决方案,请参阅 How to enable TLS 1.2 support in an Android application (running on Android 4.1 JB)。
终于找到了这个问题的解决方案,它不是一个完整的解决方案,因为它是 Jesse Wilson from okhttp, square here 提到的 hack。正如我提到的,这是一个简单的 hack,我不得不将我的 SSLSocketFactory 变量重命名为
private SSLSocketFactory delegate;
请注意,如果您提供除委托以外的任何名称,它会抛出错误。我在下面发布我的完整解决方案
这是我的 TLSSocketFactory class
public class TLSSocketFactory extends SSLSocketFactory {
private SSLSocketFactory delegate;
private TrustManager[] trustManagers;
public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
generateTrustManagers();
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustManagers, null);
delegate = context.getSocketFactory();
}
private void generateTrustManagers() throws KeyStoreException, NoSuchAlgorithmException {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
this.trustManagers = trustManagers;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket() throws IOException {
return enableTLSOnSocket(delegate.createSocket());
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket enableTLSOnSocket(Socket socket) {
if(socket != null && (socket instanceof SSLSocket)) {
((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
}
return socket;
}
@Nullable
public X509TrustManager getTrustManager() {
return (X509TrustManager) trustManagers[0];
}
}
这就是我将它与 okhttp 和 retrofit 一起使用的方式
OkHttpClient client=new OkHttpClient();
try {
TLSSocketFactory tlsSocketFactory=new TLSSocketFactory();
if (tlsSocketFactory.getTrustManager()!=null) {
client = new OkHttpClient.Builder()
.sslSocketFactory(tlsSocketFactory, tlsSocketFactory.getTrustManager())
.build();
}
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyStoreException e) {
e.printStackTrace();
}
Retrofit retrofit = new Retrofit.Builder()
.baseUrl(URL)
.client(client)
.addConverterFactory(GsonConverterFactory.create())
.build();
EDIT :方法 public Builder sslSocketFactory(SSLSocketFactory sslSocketFactory) 现已弃用,我们应该使用 public Builder sslSocketFactory(
SSLSocketFactory sslSocketFactory, X509TrustManager trustManager) 正如我在答案中更新的那样。这是因为 X509TrustManager 是 OkHttp 需要建立一个干净的证书链的字段,它没有在 deprecated 方法中被 paased。
您也可以查看 this for more info
除了 Navneet Krishna,我还必须在我的应用程序 class 中执行下一个操作:
ProviderInstaller.installIfNeededAsync
根据 https://developer.android.com/training/articles/security-gms-provider,这是因为我需要更新安全提供程序以防止 SSL 攻击。
我的应用程序Class:
public class AppClass extends MultiDexApplication {
private static final String TAG = AppClass.class.getName();
private static Context context;
private static AuthAPI authAPI;
private static RestAPI buyersAPI;
@Override
public void onCreate() {
super.onCreate();
/* enable SSL compatibility in pre-lollipop devices */
upgradeSecurityProvider();
createAuthAPI();
createRestAPI();
}
private void upgradeSecurityProvider() {
try{
ProviderInstaller.installIfNeededAsync(this, new ProviderInstaller.ProviderInstallListener() {
@Override
public void onProviderInstalled() {
Log.e(TAG, "New security provider installed.");
}
@Override
public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
GooglePlayServicesUtil.showErrorNotification(errorCode, BuyersApp.this);
Log.e(TAG, "New security provider install failed.");
}
});
}catch (Exception ex){
Log.e(TAG, "Unknown issue trying to install a new security provider", ex);
}
}
private void createAuthAPI() {
OkHttpClient.Builder authAPIHttpClientBuilder = new OkHttpClient.Builder();
Retrofit retrofit = new Retrofit.Builder()
.client(enableTls12OnPreLollipop(authAPIHttpClientBuilder).build())
.baseUrl(DomainLoader.getInstance(context).getAuthDomain())
.addConverterFactory(GsonConverterFactory.create())
.build();
authAPI = retrofit.create(AuthAPI.class);
}
private static OkHttpClient.Builder enableTls12OnPreLollipop(OkHttpClient.Builder client) {
if (Build.VERSION.SDK_INT >= 19 && Build.VERSION.SDK_INT < 22) {
try {
SSLContext sc = SSLContext.getInstance("TLSv1.2");
sc.init(null, null, null);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
client.sslSocketFactory(new Tls12SocketFactory(sc.getSocketFactory()), trustManager);
ConnectionSpec cs = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.tlsVersions(TlsVersion.TLS_1_2)
.build();
List<ConnectionSpec> specs = new ArrayList<>();
specs.add(cs);
specs.add(ConnectionSpec.COMPATIBLE_TLS);
specs.add(ConnectionSpec.CLEARTEXT);
client.connectionSpecs(specs);
} catch (Exception exc) {
Log.e("OkHttpTLSCompat", "Error while setting TLS 1.2", exc);
}
}
return client;
}
private void createRestAPI() {
OkHttpClient.Builder restAPIHttpClientBuilder = new OkHttpClient.Builder();
buyersAPIHttpClientBuilder.readTimeout(60, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.connectTimeout(60, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.writeTimeout(600, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.addInterceptor(new NetworkErrorInterceptor());
buyersAPIHttpClientBuilder.addInterceptor(new TokenVerificationInterceptor());
Retrofit retrofit = new Retrofit.Builder()
.client(enableTls12OnPreLollipop(restAPIHttpClientBuilder).build())
.baseUrl(DomainLoader.getInstance(context).getDomain())
.addConverterFactory(GsonConverterFactory.create(new GsonBuilder().setLenient().create()))
.addConverterFactory(ScalarsConverterFactory.create())
.build();
buyersAPI = retrofit.create(RestAPI.class);
}
}
还有我的 Tls12SocketFactory class:
public class Tls12SocketFactory extends SSLSocketFactory {
private static final String[] TLS_V12_ONLY = {"TLSv1.2"};
final SSLSocketFactory delegate;
public Tls12SocketFactory(SSLSocketFactory base) {
this.delegate = base;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return patch(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return patch(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return patch(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return patch(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return patch(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket patch(Socket s) {
if (s instanceof SSLSocket) {
((SSLSocket) s).setEnabledProtocols(TLS_V12_ONLY);
}
return s;
}
}
它在所有安装了 KitKat 及更高版本的设备上都非常有效。
我认为我的解决方案可能会对某人有所帮助。
在我的项目中,我需要在较旧的 Android (4.4) 上通过 SSL 执行 JSON 请求,并且我不断遇到线程顶部提到的问题。
要修复它,我所要做的就是完全按照上面的方式添加 class Tls12SocketFactory。
但是,我在我的项目中添加了修改后的代码class
我已将此添加到我的 oncreate
upgradeSecurityProvider();
修改上下文函数如下,仅此而已。不再有 SSL 连接问题
private void upgradeSecurityProvider() {
try{
ProviderInstaller.installIfNeededAsync(this, new ProviderInstaller.ProviderInstallListener() {
@Override
public void onProviderInstalled() {
Log.e("SSLFix", "New security provider installed.");
}
@Override
public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
// GooglePlayServicesUtil.showErrorNotification(errorCode, BuyersApp.this);
Log.e("SSLFix", "New security provider install failed.");
}
});
}catch (Exception ex){
Log.e("SSLFix", "Unknown issue trying to install a new security provider", ex);
}
}
就这些,没有其他问题了。
我修改了 @Navneet Krishna 答案,因为方法 OkHttpClient.Builder。 builder.sslSocketFactory(tlsSocketFactory) 现已弃用。
public class TLSSocketFactory extends SSLSocketFactory {
private final SSLSocketFactory delegate;
private TrustManager[] trustManagers;
public TLSSocketFactory() throws KeyStoreException, KeyManagementException, NoSuchAlgorithmException {
generateTrustManagers();
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustManagers, null);
delegate = context.getSocketFactory();
}
private void generateTrustManagers() throws KeyStoreException, NoSuchAlgorithmException {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
this.trustManagers = trustManagers;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket() throws IOException {
return enableTLSOnSocket(delegate.createSocket());
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket enableTLSOnSocket(Socket socket) {
if (socket instanceof SSLSocket) {
((SSLSocket) socket).setEnabledProtocols(new String[]{"TLSv1.1", "TLSv1.2"});
}
return socket;
}
@Nullable
public X509TrustManager getTrustManager() {
return (X509TrustManager) trustManagers[0];
}
}
你需要这样赋值:
TLSSocketFactory tlsTocketFactory = new TLSSocketFactory();
client = new OkHttpClient.Builder()
.sslSocketFactory(tlsSocketFactory, tlsSocketFactory.getTrustManager());
.build();
在我的案例中,我只是在 build.gradle(模块应用程序)中添加一个依赖项并将代码添加到我的第一个 activity 解决了我的问题。
依赖性:
implementation 'com.google.android.gms:play-services-base:11.0.0'
我的代码:
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN
&& Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
try {
ProviderInstaller.installIfNeeded(this);
} catch (GooglePlayServicesRepairableException e) {
GooglePlayServicesUtil.showErrorNotification(e.getConnectionStatusCode(), this);
return;
} catch (GooglePlayServicesNotAvailableException e) {
return;
}
}
此问题出现在以下棒棒糖版本中。默认情况下 TLS 未启用,因此必须以编程方式启用 .
我遇到了这个奇怪的问题,改造一直让我感到困惑
"SSL handshake aborted: ssl=0x618d9c18: I/O error during system call, Connection reset by peer"
在 kitkat 中,而相同的代码在棒棒糖设备中运行良好。我正在使用如下所示的 OkHttpClient 客户端
public OkHttpClient getUnsafeOkHttpClient() {
try {
final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
@Override
public void checkClientTrusted(
java.security.cert.X509Certificate[] chain,
String authType) {
}
@Override
public void checkServerTrusted(
java.security.cert.X509Certificate[] chain,
String authType) {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[0];
}
} };
int cacheSize = 10 * 1024 * 1024; // 10 MB
Cache cache = new Cache(getCacheDir(), cacheSize);
final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, trustAllCerts,
new java.security.SecureRandom());
final SSLSocketFactory sslSocketFactory = sslContext
.getSocketFactory();
OkHttpClient okHttpClient = new OkHttpClient();
okHttpClient = okHttpClient.newBuilder()
.cache(cache)
.sslSocketFactory(sslSocketFactory)
.hostnameVerifier(org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER).build();
return okHttpClient;
} catch (Exception e) {
throw new RuntimeException(e);
}
}
我正在像这样改造使用这个客户端
Retrofit retrofit = new Retrofit.Builder()
.baseUrl(URL)
.client(getUnsafeOkHttpClient())
.addConverterFactory(GsonConverterFactory.create())
.build();
编辑:添加 getUnsafeOkHttpClient() 在这里没有效果,完全不建议使用 getUnsafeOkHttpClient()
仅供参考:问题是因为 api 端点仅支持 TLS 1.2,默认情况下在 android 设备上禁用 16<device<20。因此,对于 16<device<20,创建自定义 SSLSocketFactory
我在这里得到了 api.data.gov.in 的 SSL/TLS 信息 - https://www.ssllabs.com/ssltest/analyze.html?d=api.data.gov.in
看起来它只支持TLSv1.2。旧 Android 版本确实与最新的 TLS 版本存在问题。在 ssllabs 页面的 "Handshake Simulation" 部分,您甚至可以看到您的问题。
有关可用解决方案,请参阅 How to enable TLS 1.2 support in an Android application (running on Android 4.1 JB)。
终于找到了这个问题的解决方案,它不是一个完整的解决方案,因为它是 Jesse Wilson from okhttp, square here 提到的 hack。正如我提到的,这是一个简单的 hack,我不得不将我的 SSLSocketFactory 变量重命名为
private SSLSocketFactory delegate;
请注意,如果您提供除委托以外的任何名称,它会抛出错误。我在下面发布我的完整解决方案
这是我的 TLSSocketFactory class
public class TLSSocketFactory extends SSLSocketFactory {
private SSLSocketFactory delegate;
private TrustManager[] trustManagers;
public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
generateTrustManagers();
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustManagers, null);
delegate = context.getSocketFactory();
}
private void generateTrustManagers() throws KeyStoreException, NoSuchAlgorithmException {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
this.trustManagers = trustManagers;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket() throws IOException {
return enableTLSOnSocket(delegate.createSocket());
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket enableTLSOnSocket(Socket socket) {
if(socket != null && (socket instanceof SSLSocket)) {
((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
}
return socket;
}
@Nullable
public X509TrustManager getTrustManager() {
return (X509TrustManager) trustManagers[0];
}
}
这就是我将它与 okhttp 和 retrofit 一起使用的方式
OkHttpClient client=new OkHttpClient();
try {
TLSSocketFactory tlsSocketFactory=new TLSSocketFactory();
if (tlsSocketFactory.getTrustManager()!=null) {
client = new OkHttpClient.Builder()
.sslSocketFactory(tlsSocketFactory, tlsSocketFactory.getTrustManager())
.build();
}
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyStoreException e) {
e.printStackTrace();
}
Retrofit retrofit = new Retrofit.Builder()
.baseUrl(URL)
.client(client)
.addConverterFactory(GsonConverterFactory.create())
.build();
EDIT :方法 public Builder sslSocketFactory(SSLSocketFactory sslSocketFactory) 现已弃用,我们应该使用 public Builder sslSocketFactory(
SSLSocketFactory sslSocketFactory, X509TrustManager trustManager) 正如我在答案中更新的那样。这是因为 X509TrustManager 是 OkHttp 需要建立一个干净的证书链的字段,它没有在 deprecated 方法中被 paased。
您也可以查看 this for more info
除了 Navneet Krishna,我还必须在我的应用程序 class 中执行下一个操作:
ProviderInstaller.installIfNeededAsync
根据 https://developer.android.com/training/articles/security-gms-provider,这是因为我需要更新安全提供程序以防止 SSL 攻击。
我的应用程序Class:
public class AppClass extends MultiDexApplication {
private static final String TAG = AppClass.class.getName();
private static Context context;
private static AuthAPI authAPI;
private static RestAPI buyersAPI;
@Override
public void onCreate() {
super.onCreate();
/* enable SSL compatibility in pre-lollipop devices */
upgradeSecurityProvider();
createAuthAPI();
createRestAPI();
}
private void upgradeSecurityProvider() {
try{
ProviderInstaller.installIfNeededAsync(this, new ProviderInstaller.ProviderInstallListener() {
@Override
public void onProviderInstalled() {
Log.e(TAG, "New security provider installed.");
}
@Override
public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
GooglePlayServicesUtil.showErrorNotification(errorCode, BuyersApp.this);
Log.e(TAG, "New security provider install failed.");
}
});
}catch (Exception ex){
Log.e(TAG, "Unknown issue trying to install a new security provider", ex);
}
}
private void createAuthAPI() {
OkHttpClient.Builder authAPIHttpClientBuilder = new OkHttpClient.Builder();
Retrofit retrofit = new Retrofit.Builder()
.client(enableTls12OnPreLollipop(authAPIHttpClientBuilder).build())
.baseUrl(DomainLoader.getInstance(context).getAuthDomain())
.addConverterFactory(GsonConverterFactory.create())
.build();
authAPI = retrofit.create(AuthAPI.class);
}
private static OkHttpClient.Builder enableTls12OnPreLollipop(OkHttpClient.Builder client) {
if (Build.VERSION.SDK_INT >= 19 && Build.VERSION.SDK_INT < 22) {
try {
SSLContext sc = SSLContext.getInstance("TLSv1.2");
sc.init(null, null, null);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
client.sslSocketFactory(new Tls12SocketFactory(sc.getSocketFactory()), trustManager);
ConnectionSpec cs = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.tlsVersions(TlsVersion.TLS_1_2)
.build();
List<ConnectionSpec> specs = new ArrayList<>();
specs.add(cs);
specs.add(ConnectionSpec.COMPATIBLE_TLS);
specs.add(ConnectionSpec.CLEARTEXT);
client.connectionSpecs(specs);
} catch (Exception exc) {
Log.e("OkHttpTLSCompat", "Error while setting TLS 1.2", exc);
}
}
return client;
}
private void createRestAPI() {
OkHttpClient.Builder restAPIHttpClientBuilder = new OkHttpClient.Builder();
buyersAPIHttpClientBuilder.readTimeout(60, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.connectTimeout(60, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.writeTimeout(600, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.addInterceptor(new NetworkErrorInterceptor());
buyersAPIHttpClientBuilder.addInterceptor(new TokenVerificationInterceptor());
Retrofit retrofit = new Retrofit.Builder()
.client(enableTls12OnPreLollipop(restAPIHttpClientBuilder).build())
.baseUrl(DomainLoader.getInstance(context).getDomain())
.addConverterFactory(GsonConverterFactory.create(new GsonBuilder().setLenient().create()))
.addConverterFactory(ScalarsConverterFactory.create())
.build();
buyersAPI = retrofit.create(RestAPI.class);
}
}
还有我的 Tls12SocketFactory class:
public class Tls12SocketFactory extends SSLSocketFactory {
private static final String[] TLS_V12_ONLY = {"TLSv1.2"};
final SSLSocketFactory delegate;
public Tls12SocketFactory(SSLSocketFactory base) {
this.delegate = base;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return patch(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return patch(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return patch(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return patch(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return patch(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket patch(Socket s) {
if (s instanceof SSLSocket) {
((SSLSocket) s).setEnabledProtocols(TLS_V12_ONLY);
}
return s;
}
}
它在所有安装了 KitKat 及更高版本的设备上都非常有效。
我认为我的解决方案可能会对某人有所帮助。
在我的项目中,我需要在较旧的 Android (4.4) 上通过 SSL 执行 JSON 请求,并且我不断遇到线程顶部提到的问题。
要修复它,我所要做的就是完全按照上面的方式添加 class Tls12SocketFactory。
但是,我在我的项目中添加了修改后的代码class
我已将此添加到我的 oncreate
upgradeSecurityProvider();
修改上下文函数如下,仅此而已。不再有 SSL 连接问题
private void upgradeSecurityProvider() {
try{
ProviderInstaller.installIfNeededAsync(this, new ProviderInstaller.ProviderInstallListener() {
@Override
public void onProviderInstalled() {
Log.e("SSLFix", "New security provider installed.");
}
@Override
public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
// GooglePlayServicesUtil.showErrorNotification(errorCode, BuyersApp.this);
Log.e("SSLFix", "New security provider install failed.");
}
});
}catch (Exception ex){
Log.e("SSLFix", "Unknown issue trying to install a new security provider", ex);
}
}
就这些,没有其他问题了。
我修改了 @Navneet Krishna 答案,因为方法 OkHttpClient.Builder。 builder.sslSocketFactory(tlsSocketFactory) 现已弃用。
public class TLSSocketFactory extends SSLSocketFactory {
private final SSLSocketFactory delegate;
private TrustManager[] trustManagers;
public TLSSocketFactory() throws KeyStoreException, KeyManagementException, NoSuchAlgorithmException {
generateTrustManagers();
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustManagers, null);
delegate = context.getSocketFactory();
}
private void generateTrustManagers() throws KeyStoreException, NoSuchAlgorithmException {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
this.trustManagers = trustManagers;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket() throws IOException {
return enableTLSOnSocket(delegate.createSocket());
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket enableTLSOnSocket(Socket socket) {
if (socket instanceof SSLSocket) {
((SSLSocket) socket).setEnabledProtocols(new String[]{"TLSv1.1", "TLSv1.2"});
}
return socket;
}
@Nullable
public X509TrustManager getTrustManager() {
return (X509TrustManager) trustManagers[0];
}
}
你需要这样赋值:
TLSSocketFactory tlsTocketFactory = new TLSSocketFactory();
client = new OkHttpClient.Builder()
.sslSocketFactory(tlsSocketFactory, tlsSocketFactory.getTrustManager());
.build();
在我的案例中,我只是在 build.gradle(模块应用程序)中添加一个依赖项并将代码添加到我的第一个 activity 解决了我的问题。 依赖性:
implementation 'com.google.android.gms:play-services-base:11.0.0'
我的代码:
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN
&& Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
try {
ProviderInstaller.installIfNeeded(this);
} catch (GooglePlayServicesRepairableException e) {
GooglePlayServicesUtil.showErrorNotification(e.getConnectionStatusCode(), this);
return;
} catch (GooglePlayServicesNotAvailableException e) {
return;
}
}
此问题出现在以下棒棒糖版本中。默认情况下 TLS 未启用,因此必须以编程方式启用 .