热门标签
热门文章
- 1CV2的conda安装_cv2 conda
- 2ROS小车(SLAM+物体追踪)_视觉slam 智能车循迹
- 3【独家OD2023C卷真题】20天拿下华为OD笔试【DFS/BFS】2023C-地图寻宝【欧弟算法】全网注释最详细分类最全的华为OD真题题解_小华按照地图去寻宝,地图上被划分成
- 4网站localhost和127.0.0.1可以访问,本地ip不可访问解决方案_本机ip访问不了,只能用localhost
- 5boss直聘改回系统头像_Boss直聘CEO回应“求职少年之死”:之前没做好,愧对当事人...
- 6使用Python进行大数据处理和分析:Hadoop和Spark
- 7Wireshark抓包分析TCP协议:三次握手和四次挥手_捕获tcp数据包并分析,包括三次握手,四次挥手等
- 8docker使用示例_docker应用实例
- 9UNITY动画播放暂停_unity 动画在某一帧暂停
- 10please declare environment variable 'SUMO_HOME'
当前位置: article > 正文
Android5.0以下手机通过https请求服务器报SSLException异常的原因及解决方案
作者:不正经 | 2024-05-31 06:37:36
赞
踩
sslexception
问题描述:
最近突然收到了测试组提的bug,说是部分手机打开APP的时候会报服务器连接异常。然后我就用我的手机试了下,发现没有问题。然后用他们在缺陷描述中写的测试机型和系统版本进行了测试。发现确实会报服务区连接异常。然后通过本地调试,发现网络请求的时候报了如下异常:
该异常为SSL握手失败,但是为什么有的手机可以成功有的手机又失败了呢。然后又试了下其他版本的手机,发现Android5.0以下系统的手机都不通。
问题原因:
首先想到的是后台服务器那边前两天更新了https协议的版本。推测应该是和这个有关。经确认,后台服务器是禁止TLS1.0,TLS1.1和TLS1.2放行。然后查看了一下Google关于SSLEngine的官方文档说明,不同Android版本针对于TLS协议的默认配置图如下:
从上图可以可知:
- TLSv1.0从API 1+就被默认打开
- TLSv1.1和TLSv1.2只有在API 20+ 才会被默认打开
- 也就是说低于API 20+的版本是默认关闭对TLSv1.1和TLSv1.2的支持,若要支持则必须自己打开
这就能解释为什么Android5.0以下系统在进行HTTPS访问时会产生上述异常。
解决方案:
首先我们可以让服务器配置支持TLS1.0、1.1、1.2,这样客户端不需要做任何处理,就可以兼容Android5.0以下的手机了。
但后台那边也是出于安全,才会只放行安全性更高的TLS1.1和TLS1.2协议。所以我们只能在客户端添加新协议的支持。
因此我们需要给低版本的协议添加Cipher suites,我们需要自定义SSLSocketFactory,自定义的SSLSocketFactory如下:
- import java.io.IOException;
- import java.net.InetAddress;
- import java.net.Socket;
- import java.net.UnknownHostException;
- import java.security.GeneralSecurityException;
- import java.util.Arrays;
- import java.util.HashSet;
- import java.util.LinkedList;
- import java.util.List;
-
- import javax.net.ssl.SSLContext;
- import javax.net.ssl.SSLSocket;
- import javax.net.ssl.SSLSocketFactory;
- import javax.net.ssl.X509TrustManager;
-
- public class SSLSocketFactoryCompat extends SSLSocketFactory {
- private SSLSocketFactory defaultFactory;
- // Android 5.0+ (API level21) provides reasonable default settings
- // but it still allows SSLv3
- // https://developer.android.com/about/versions/android-5.0-changes.html#ssl
- static String protocols[] = null, cipherSuites[] = null;
- static {
- try {
- SSLSocket socket = (SSLSocket)SSLSocketFactory.getDefault().createSocket();
- if (socket != null) {
- /* set reasonable protocol versions */
- // - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0)
- // - remove all SSL versions (especially SSLv3) because they're insecure now
- List<String> protocols = new LinkedList<>();
- for (String protocol : socket.getSupportedProtocols())
- if (!protocol.toUpperCase().contains("SSL"))
- protocols.add(protocol);
- SSLSocketFactoryCompat.protocols = protocols.toArray(new String[protocols.size()]);
- /* set up reasonable cipher suites */
- if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
- // choose known secure cipher suites
- List<String> allowedCiphers = Arrays.asList(
- // TLS 1.2
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256",
- // maximum interoperability
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- // additionally
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");
- List<String> availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());
- // take all allowed ciphers that are available and put them into preferredCiphers
- HashSet<String> preferredCiphers = new HashSet<>(allowedCiphers);
- preferredCiphers.retainAll(availableCiphers);
- /* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling
- * ciphers which are enabled by default, but have become unsecure), but I guess for
- * the security level of DAVdroid and maximum compatibility, disabling of insecure
- * ciphers should be a server-side task */
- // add preferred ciphers to enabled ciphers
- HashSet<String> enabledCiphers = preferredCiphers;
- enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites())));
- SSLSocketFactoryCompat.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]);
- }
- }
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
- }
- public SSLSocketFactoryCompat(X509TrustManager tm) {
- try {
- SSLContext sslContext = SSLContext.getInstance("TLS");
- sslContext.init(null, (tm != null) ? new X509TrustManager[] { tm } : null, null);
- defaultFactory = sslContext.getSocketFactory();
- } catch (GeneralSecurityException e) {
- throw new AssertionError(); // The system has no TLS. Just give up.
- }
- }
- private void upgradeTLS(SSLSocket ssl) {
- // Android 5.0+ (API level21) provides reasonable default settings
- // but it still allows SSLv3
- // https://developer.android.com/about/versions/android-5.0-changes.html#ssl
- if (protocols != null) {
- ssl.setEnabledProtocols(protocols);
- }
- if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && cipherSuites != null) {
- ssl.setEnabledCipherSuites(cipherSuites);
- }
- }
- @Override
- public String[] getDefaultCipherSuites() {
- return cipherSuites;
- }
- @Override
- public String[] getSupportedCipherSuites() {
- return cipherSuites;
- }
- @Override
- public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
- Socket ssl = defaultFactory.createSocket(s, host, port, autoClose);
- if (ssl instanceof SSLSocket)
- upgradeTLS((SSLSocket)ssl);
- return ssl;
- }
- @Override
- public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
- Socket ssl = defaultFactory.createSocket(host, port);
- if (ssl instanceof SSLSocket)
- upgradeTLS((SSLSocket)ssl);
- return ssl;
- }
- @Override
- public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
- Socket ssl = defaultFactory.createSocket(host, port, localHost, localPort);
- if (ssl instanceof SSLSocket)
- upgradeTLS((SSLSocket)ssl);
- return ssl;
- }
- @Override
- public Socket createSocket(InetAddress host, int port) throws IOException {
- Socket ssl = defaultFactory.createSocket(host, port);
- if (ssl instanceof SSLSocket)
- upgradeTLS((SSLSocket)ssl);
- return ssl;
- }
- @Override
- public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
- Socket ssl = defaultFactory.createSocket(address, port, localAddress, localPort);
- if (ssl instanceof SSLSocket)
- upgradeTLS((SSLSocket)ssl);
- return ssl;
- }
- }
然后只需要给我们的请求设置这个SSLSocketFactory就可以了,我们以okhttp为例:
- //定义一个信任所有证书的TrustManager
- final X509TrustManager trustAllCert = new X509TrustManager() {
- @Override
- public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
- }
-
- @Override
- public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
- }
-
- @Override
- public java.security.cert.X509Certificate[] getAcceptedIssuers() {
- return new java.security.cert.X509Certificate[]{};
- }
- };
- //设置OkHttpClient
- OkHttpClient client = new OkHttpClient.Builder().
- sslSocketFactory(new SSLSocketFactoryCompat(trustAllCert), trustAllCert).build();
设置之后,用低版本手机测试https,就可以测试成功了。
准备最近这几天再写一篇,详细介绍一下HTTPS 和 SSL/TLS 协议。
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/不正经/article/detail/650863
推荐阅读
相关标签
