首页 > 代码库 > OkHttp在4.4及以下不支持TLS协议的解决方法
OkHttp在4.4及以下不支持TLS协议的解决方法
在做超理论坛app的过程中,遇到许多用户反馈在他们的手机上客户端不能访问网络,我问了他们的手机型号和Android系统版本,全部是5.0以下的,之后我自己运行API19(4.4)的Android模拟器,也遇到了同样的错误。
错误信息如下:
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x79f145b0: Failure in SSL library, usually a protocol errorerror:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
因为之前没有太多接触过网络协议,这个问题也确实很难搜到,所以我找了很久,才找到了原因:Android 4.4及以下的系统默认不支持TLS协议,所以遇到使用TLS协议的网站就无法访问了。
解决方法如下:创建一个SSLSocketFactoryCompat.java文件,内容如下:
1 import java.io.IOException; 2 import java.net.InetAddress; 3 import java.net.Socket; 4 import java.net.UnknownHostException; 5 import java.security.GeneralSecurityException; 6 import java.util.Arrays; 7 import java.util.HashSet; 8 import java.util.LinkedList; 9 import java.util.List; 10 11 import javax.net.ssl.SSLContext; 12 import javax.net.ssl.SSLSocket; 13 import javax.net.ssl.SSLSocketFactory; 14 import javax.net.ssl.X509TrustManager; 15 16 public class SSLSocketFactoryCompat extends SSLSocketFactory { 17 private SSLSocketFactory defaultFactory; 18 // Android 5.0+ (API level21) provides reasonable default settings 19 // but it still allows SSLv3 20 // https://developer.android.com/about/versions/android-5.0-changes.html#ssl 21 static String protocols[] = null, cipherSuites[] = null; 22 static { 23 try { 24 SSLSocket socket = (SSLSocket)SSLSocketFactory.getDefault().createSocket(); 25 if (socket != null) { 26 /* set reasonable protocol versions */ 27 // - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0) 28 // - remove all SSL versions (especially SSLv3) because they‘re insecure now 29 List<String> protocols = new LinkedList<>(); 30 for (String protocol : socket.getSupportedProtocols()) 31 if (!protocol.toUpperCase().contains("SSL")) 32 protocols.add(protocol); 33 SSLSocketFactoryCompat.protocols = protocols.toArray(new String[protocols.size()]); 34 /* set up reasonable cipher suites */ 35 if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) { 36 // choose known secure cipher suites 37 List<String> allowedCiphers = Arrays.asList( 38 // TLS 1.2 39 "TLS_RSA_WITH_AES_256_GCM_SHA384", 40 "TLS_RSA_WITH_AES_128_GCM_SHA256", 41 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 42 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 43 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 44 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 45 "TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256", 46 // maximum interoperability 47 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 48 "TLS_RSA_WITH_AES_128_CBC_SHA", 49 // additionally 50 "TLS_RSA_WITH_AES_256_CBC_SHA", 51 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", 52 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 53 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 54 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); 55 List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites()); 56 // take all allowed ciphers that are available and put them into preferredCiphers 57 HashSet<String> preferredCiphers = new HashSet<>(allowedCiphers); 58 preferredCiphers.retainAll(availableCiphers); 59 /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling 60 * ciphers which are enabled by default, but have become unsecure), but I guess for 61 * the security level of DAVdroid and maximum compatibility, disabling of insecure 62 * ciphers should be a server-side task */ 63 // add preferred ciphers to enabled ciphers 64 HashSet<String> enabledCiphers = preferredCiphers; 65 enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites()))); 66 SSLSocketFactoryCompat.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]); 67 } 68 } 69 } catch (IOException e) { 70 throw new RuntimeException(e); 71 } 72 } 73 public SSLSocketFactoryCompat(X509TrustManager tm) { 74 try { 75 SSLContext sslContext = SSLContext.getInstance("TLS"); 76 sslContext.init(null, (tm != null) ? new X509TrustManager[] { tm } : null, null); 77 defaultFactory = sslContext.getSocketFactory(); 78 } catch (GeneralSecurityException e) { 79 throw new AssertionError(); // The system has no TLS. Just give up. 80 } 81 } 82 private void upgradeTLS(SSLSocket ssl) { 83 // Android 5.0+ (API level21) provides reasonable default settings 84 // but it still allows SSLv3 85 // https://developer.android.com/about/versions/android-5.0-changes.html#ssl 86 if (protocols != null) { 87 ssl.setEnabledProtocols(protocols); 88 } 89 if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && cipherSuites != null) { 90 ssl.setEnabledCipherSuites(cipherSuites); 91 } 92 } 93 @Override 94 public String[] getDefaultCipherSuites() { 95 return cipherSuites; 96 } 97 @Override 98 public String[] getSupportedCipherSuites() { 99 return cipherSuites;100 }101 @Override102 public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {103 Socket ssl = defaultFactory.createSocket(s, host, port, autoClose);104 if (ssl instanceof SSLSocket)105 upgradeTLS((SSLSocket)ssl);106 return ssl;107 }108 @Override109 public Socket createSocket(String host, int port) throws IOException, UnknownHostException {110 Socket ssl = defaultFactory.createSocket(host, port);111 if (ssl instanceof SSLSocket)112 upgradeTLS((SSLSocket)ssl);113 return ssl;114 }115 @Override116 public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {117 Socket ssl = defaultFactory.createSocket(host, port, localHost, localPort);118 if (ssl instanceof SSLSocket)119 upgradeTLS((SSLSocket)ssl);120 return ssl;121 }122 @Override123 public Socket createSocket(InetAddress host, int port) throws IOException {124 Socket ssl = defaultFactory.createSocket(host, port);125 if (ssl instanceof SSLSocket)126 upgradeTLS((SSLSocket)ssl);127 return ssl;128 }129 @Override130 public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {131 Socket ssl = defaultFactory.createSocket(address, port, localAddress, localPort);132 if (ssl instanceof SSLSocket)133 upgradeTLS((SSLSocket)ssl);134 return ssl;135 }136 }
在创建OkHttpClient的时候,添加这个SSLSocketFactory(我用单例模式来每次获取同一个全局的OkHttpClient,每个人的实现不一定一样,从我的代码里参考问题的解决方法就好):
1 public synchronized static OkHttpClient getClient(){ 2 if (okHttpClient == null) { 3 OkHttpClient.Builder builder = new OkHttpClient.Builder(); 4 try { 5 // 自定义一个信任所有证书的TrustManager,添加SSLSocketFactory的时候要用到 6 final X509TrustManager trustAllCert = 7 new X509TrustManager() { 8 @Override 9 public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {10 }11 12 @Override13 public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {14 }15 16 @Override17 public java.security.cert.X509Certificate[] getAcceptedIssuers() {18 return new java.security.cert.X509Certificate[]{};19 }20 };28 final SSLSocketFactory sslSocketFactory = new SSLSocketFactoryCompat(trustAllCert);29 builder.sslSocketFactory(sslSocketFactory, trustAllCert);30 } catch (Exception e) {31 throw new RuntimeException(e);32 }33 okHttpClient = builder.build();34 }35 return okHttpClient;36 }
这样就可以解决了~
不知道如果用别人在OkHttp基础上封装好的工具类,比如okhttp-utils还会不会有这个问题,不过我在使用OkHttp之前,是用AsyncHttpClient做网络库的,因为它已经太老而过时所以换到了OkHttp,在使用AsyncHttpClient的时候也遇到了这个问题
OkHttp在4.4及以下不支持TLS协议的解决方法
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。