我有这个奇怪的问题,其中改造不断抛弃我
“SSL握手中止:ssl = 0x618d9c18:系统调用期间的I / O错误,同级连接重置”
在kitkat,而相同的代码在棒棒糖设备中工作正常。我使用如下的OkHttpClient客户端
public OkHttpClient getUnsafeOkHttpClient() {
try {
final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
@Override
public void checkClientTrusted(
java.security.cert.X509Certificate[] chain,
String authType) {
}
@Override
public void checkServerTrusted(
java.security.cert.X509Certificate[] chain,
String authType) {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[0];
}
} };
int cacheSize = 10 * 1024 * 1024; // 10 MB
Cache cache = new Cache(getCacheDir(), cacheSize);
final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, trustAllCerts,
new java.security.SecureRandom());
final SSLSocketFactory sslSocketFactory = sslContext
.getSocketFactory();
OkHttpClient okHttpClient = new OkHttpClient();
okHttpClient = okHttpClient.newBuilder()
.cache(cache)
.sslSocketFactory(sslSocketFactory)
.hostnameVerifier(org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER).build();
return okHttpClient;
} catch (Exception e) {
throw new RuntimeException(e);
}
}
我在这样的改造中使用这个客户端
Retrofit retrofit = new Retrofit.Builder()
.baseUrl(URL)
.client(getUnsafeOkHttpClient())
.addConverterFactory(GsonConverterFactory.create())
.build();
编辑:添加getUnsafeOkHttpClient()
在这里没有任何影响,并没有建议通过使用getUnsafeOkHttpClient()
绕过ssl检查
仅供参考:问题是因为api端点仅支持在Android设备TLS 1.2
上默认禁用的16<device<20
。因此,对于16<device<20
,创建一个自定义SSLSocketFactory
终于找到了解决这个问题的方法,它不是一个完整的解决方案,因为它是来自okhttp,square Jesse Wilson的here提到的黑客攻击。正如我所提到的,这是一个简单的黑客,我必须将我的SSLSocketFactory变量重命名为
private SSLSocketFactory delegate;
请注意,如果您提供除委托之外的任何名称,则会抛出错误。我在下面发布完整的解决方案
这是我的TLSSocketFactory类
public class TLSSocketFactory extends SSLSocketFactory {
private SSLSocketFactory delegate;
public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException {
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, null, null);
delegate = context.getSocketFactory();
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket() throws IOException {
return enableTLSOnSocket(delegate.createSocket());
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket enableTLSOnSocket(Socket socket) {
if(socket != null && (socket instanceof SSLSocket)) {
((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
}
return socket;
}
}
这就是我用okhttp和改造它的方式
OkHttpClient client=new OkHttpClient();
try {
client = new OkHttpClient.Builder()
.sslSocketFactory(new TLSSocketFactory())
.build();
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
Retrofit retrofit = new Retrofit.Builder()
.baseUrl(URL)
.client(client)
.addConverterFactory(GsonConverterFactory.create())
.build();
您也可以查看this for more info
我在这里获得了api.data.gov.in的SSL / TLS信息 - https://www.ssllabs.com/ssltest/analyze.html?d=api.data.gov.in
它看起来只支持TLSv1.2。旧的Android版本确实存在最新TLS版本的问题。在ssllabs页面的“握手模拟”部分,您甚至可以看到您的问题。
有关可用的解决方案,请参阅How to enable TLS 1.2 support in an Android application (running on Android 4.1 JB)。
我修改了@Navneet Krishna的答案因为方法OkHttpClient.Builder。 builder.sslSocketFactory(tlsSocketFactory)现已弃用。
public class TLSSocketFactory extends SSLSocketFactory {
private final SSLSocketFactory delegate;
private TrustManager[] trustManagers;
@Inject
public TLSSocketFactory() throws KeyStoreException, KeyManagementException, NoSuchAlgorithmException {
generateTrustManagers();
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustManagers, null);
delegate = context.getSocketFactory();
}
private void generateTrustManagers() throws KeyStoreException, NoSuchAlgorithmException {
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
this.trustManagers = trustManagers;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket() throws IOException {
return enableTLSOnSocket(delegate.createSocket());
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return enableTLSOnSocket(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket enableTLSOnSocket(Socket socket) {
if (socket instanceof SSLSocket) {
((SSLSocket) socket).setEnabledProtocols(new String[]{"TLSv1.1", "TLSv1.2"});
}
return socket;
}
@Nullable
public X509TrustManager getTrustManager() {
return (X509TrustManager) trustManagers[0];
}
}
您需要像这样分配:
TLSSocketFactory tlsTocketFactory = new TLSSocketFactory();
client = new OkHttpClient.Builder()
.sslSocketFactory(tlsSocketFactory, tlsSocketFactory.getTrustManager());
.build();
除了Navneet Krishna,我不得不在我的App课程中做下一个:
ProviderInstaller.installIfNeededAsync
根据https://developer.android.com/training/articles/security-gms-provider,这是因为我需要更新安全提供程序以防止SSL攻击。
我的应用类:
public class AppClass extends MultiDexApplication {
private static final String TAG = AppClass.class.getName();
private static Context context;
private static AuthAPI authAPI;
private static RestAPI buyersAPI;
@Override
public void onCreate() {
super.onCreate();
/* enable SSL compatibility in pre-lollipop devices */
upgradeSecurityProvider();
createAuthAPI();
createRestAPI();
}
private void upgradeSecurityProvider() {
try{
ProviderInstaller.installIfNeededAsync(this, new ProviderInstaller.ProviderInstallListener() {
@Override
public void onProviderInstalled() {
Log.e(TAG, "New security provider installed.");
}
@Override
public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
GooglePlayServicesUtil.showErrorNotification(errorCode, BuyersApp.this);
Log.e(TAG, "New security provider install failed.");
}
});
}catch (Exception ex){
Log.e(TAG, "Unknown issue trying to install a new security provider", ex);
}
}
private void createAuthAPI() {
OkHttpClient.Builder authAPIHttpClientBuilder = new OkHttpClient.Builder();
Retrofit retrofit = new Retrofit.Builder()
.client(enableTls12OnPreLollipop(authAPIHttpClientBuilder).build())
.baseUrl(DomainLoader.getInstance(context).getAuthDomain())
.addConverterFactory(GsonConverterFactory.create())
.build();
authAPI = retrofit.create(AuthAPI.class);
}
private static OkHttpClient.Builder enableTls12OnPreLollipop(OkHttpClient.Builder client) {
if (Build.VERSION.SDK_INT >= 19 && Build.VERSION.SDK_INT < 22) {
try {
SSLContext sc = SSLContext.getInstance("TLSv1.2");
sc.init(null, null, null);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
client.sslSocketFactory(new Tls12SocketFactory(sc.getSocketFactory()), trustManager);
ConnectionSpec cs = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.tlsVersions(TlsVersion.TLS_1_2)
.build();
List<ConnectionSpec> specs = new ArrayList<>();
specs.add(cs);
specs.add(ConnectionSpec.COMPATIBLE_TLS);
specs.add(ConnectionSpec.CLEARTEXT);
client.connectionSpecs(specs);
} catch (Exception exc) {
Log.e("OkHttpTLSCompat", "Error while setting TLS 1.2", exc);
}
}
return client;
}
private void createRestAPI() {
OkHttpClient.Builder restAPIHttpClientBuilder = new OkHttpClient.Builder();
buyersAPIHttpClientBuilder.readTimeout(60, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.connectTimeout(60, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.writeTimeout(600, TimeUnit.SECONDS);
buyersAPIHttpClientBuilder.addInterceptor(new NetworkErrorInterceptor());
buyersAPIHttpClientBuilder.addInterceptor(new TokenVerificationInterceptor());
Retrofit retrofit = new Retrofit.Builder()
.client(enableTls12OnPreLollipop(restAPIHttpClientBuilder).build())
.baseUrl(DomainLoader.getInstance(context).getDomain())
.addConverterFactory(GsonConverterFactory.create(new GsonBuilder().setLenient().create()))
.addConverterFactory(ScalarsConverterFactory.create())
.build();
buyersAPI = retrofit.create(RestAPI.class);
}
}
和我的Tls12SocketFactory类:
public class Tls12SocketFactory extends SSLSocketFactory {
private static final String[] TLS_V12_ONLY = {"TLSv1.2"};
final SSLSocketFactory delegate;
public Tls12SocketFactory(SSLSocketFactory base) {
this.delegate = base;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return patch(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return patch(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return patch(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return patch(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return patch(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket patch(Socket s) {
if (s instanceof SSLSocket) {
((SSLSocket) s).setEnabledProtocols(TLS_V12_ONLY);
}
return s;
}
}
它在KitKat及以上版本的所有设备中都具有魅力。
我认为我的解决方案可以帮助某人。
在我的项目中,我需要在较旧的Android(4.4)上通过SSL执行JSON请求,并且我一直在线程顶部提到问题。
要修复它,我所要做的就是完全按照上面的方式添加类Tls12SocketFactory。
但是,我在项目类中添加了修改后的代码
我把它添加到我的oncreate
upgradeSecurityProvider();
并修改了上下文的功能,这就是全部。不再有SSL连接问题
private void upgradeSecurityProvider() {
try{
ProviderInstaller.installIfNeededAsync(this, new ProviderInstaller.ProviderInstallListener() {
@Override
public void onProviderInstalled() {
Log.e("SSLFix", "New security provider installed.");
}
@Override
public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
// GooglePlayServicesUtil.showErrorNotification(errorCode, BuyersApp.this);
Log.e("SSLFix", "New security provider install failed.");
}
});
}catch (Exception ex){
Log.e("SSLFix", "Unknown issue trying to install a new security provider", ex);
}
}
这就是全部而且不再是问题。