Android 4.x HTTPS请求SSL handshake

作者: 清风流苏 | 来源:发表于2018-11-15 15:43 被阅读1072次

Android 4.x手机HTTPS请求抛出以下异常：

javax.net.ssl.SSLException: SSL handshake aborted: ssl=0x63a76008: I/O error during system call, Connection reset by peer
        at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
        at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:406)
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:318)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:282)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:167)
        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at com.luckyshane.cnblogs.model.api.GankApi$1.intercept(GankApi.java:64)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
        at okhttp3.RealCall$AsyncCall.execute(RealCall.java:147)
        at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
        at java.lang.Thread.run(Thread.java:841)

测试手机API 19 HUAWEI CHM-UL00，测试请求URL：https://gank.io/api/today。

经过多方搜索得出问题原因大致如下：

服务器只支持TLS v1.1和TLS v1.2版本
Android4.x设备（16 <= API < 20）虽然支持了TLSv1.1和TLSv1.2，但是没有启用。从而导致HTTPS握手协商失败。

https://developer.android.com/reference/javax/net/ssl/SSLSocket上面列出了Android不同版本SSLSocket对于（SSL、TLS）协议版本支持情况。如下：

Client socket:

Protocol	Supported (API Levels)	Enabled by default (API Levels)
SSLv3	1-25	1-22
TLSv1	1+	1+
TLSv1.1	16+	20+
TLSv1.2	16+	20+

Server socket:

Protocol	Supported (API Levels)	Enabled by default (API Levels)
SSLv3	1-25	1-22
TLSv1	1+	1+
TLSv1.1	16+	16+
TLSv1.2	16+	16+

解决办法：

服务器支持老版本的TLS v1.0。这样老手机可以支持。
4.x的设备已经支持了TLSv1.1和TLSv1.2，只是没有启用。所以，想办法启用它。

在服务端处于无法控制的情况下，只能考虑客户端处理，所以这篇文章将介绍，如何在Android客户端针对老版本进行启用TLSv1.2（基本上服务端都支持这个吧，可根据实际情况处理）。

网上有很多文章介绍这块，解决办法的源头应该是出自这里https://github.com/square/okhttp/issues/2372。

结合个人实践，来介绍下：

定义SSLSocketFactoryCompat，在创建Socket的时候如果是4.x的设备则启用TLSv1.2

import android.os.Build;

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SSLSocketFactoryCompat extends SSLSocketFactory{
    private static final String[] TLS_V12_ONLY = {"TLSv1.2"};

    private final SSLSocketFactory delegate;

    public SSLSocketFactoryCompat() throws KeyManagementException, NoSuchAlgorithmException {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, null, null);
        delegate = sc.getSocketFactory();
    }

    public SSLSocketFactoryCompat(SSLSocketFactory delegate) {
        if (delegate == null) {
            throw new NullPointerException();
        }
        this.delegate = delegate;
    }
    
    @Override
    public String[] getDefaultCipherSuites() {
        return delegate.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return delegate.getSupportedCipherSuites();
    }

    private Socket enableTls12(Socket socket) {
        if (Build.VERSION.SDK_INT >= 16 && Build.VERSION.SDK_INT < 20) {
            if (socket instanceof SSLSocket) {
                ((SSLSocket) socket).setEnabledProtocols(TLS_V12_ONLY);
            }
        }
        return socket;
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return enableTls12(delegate.createSocket(s, host, port, autoClose));
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return enableTls12(delegate.createSocket(host, port));
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return enableTls12(delegate.createSocket(host, port, localHost, localPort));
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return enableTls12(delegate.createSocket(host, port));
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return enableTls12(delegate.createSocket(address, port, localAddress, localPort));
    }
}

如果客户端自己有提供SSLSocketFactory的情况（比如，客户端加载自己的证书会提供SSLSocketFactory），则使用SSLSocketFactoryCompat包裹自身的SSLSocketFactory然后进行设置，如果没有的话，则使用SSLSocketFactoryCompat的无参构造函数。

上述类可以用于OkHttp，也可用于其他HTTPS需要设置SSLSocketFactory的情况。

OkHttp使用

// 自己不提供额外证书的情况
public static OkHttpClient getOkHttpClient() {
    OkHttpClient.Builder builder = new OkHttpClient.Builder();
    try {
        SSLSocketFactory factory = new SSLSocketFactoryCompat();
        builder.sslSocketFactory(factory);
    } catch (KeyManagementException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    return builder.build();
}

提供额外证书的情况：

// 测试在assets目录下包含了gank.cer证书，你可以根据自己的情况处理
private static OkHttpClient getOkHttpClientSSL() {
    OkHttpClient.Builder builder = new OkHttpClient.Builder();
    InputStream cerInputStream;
    try {
        cerInputStream = App.getInstance().getAssets().open("gank.cer");
        SSLSocketFactory socketFactory = getSocketFactory(cerInputStream);
        builder.sslSocketFactory(new SSLSocketFactoryCompat(socketFactory));
    } catch (IOException e) {
        e.printStackTrace();
    }
    return builder.build();
}

// 根据证书生成SSLSocketFactory，支持多个证书
private static SSLSocketFactory getSocketFactory(InputStream... certificates) {
    KeyStore keyStore;
    try {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null);
        int index = 0;
        for (InputStream certificate : certificates) {
            String certificateAlias = Integer.toString(index++);
            keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
        }
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());
        return sslContext.getSocketFactory();
    } catch (KeyStoreException e) {
        e.printStackTrace();
    } catch (CertificateException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    } catch (KeyManagementException e) {
        e.printStackTrace();
    } finally {
        for (InputStream certificate : certificates) {
            try {
                certificate.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    return null;
}

HttpsURLConnection简单测试

new Thread(new Runnable() {
    @Override
    public void run() {
        try {
            URL url = new URL("https://gank.io/api/today");
            HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
            connection.setSSLSocketFactory(new SSLSocketFactoryCompat());
            InputStream inputStream = connection.getInputStream();
            String result = IoUtils.readAllChars(new InputStreamReader(inputStream));
            LogUtils.json(result);
            inputStream.close();
        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        }
    }
}).start();

Android 4.x HTTPS请求SSL handshake

相关文章

网友评论

延伸阅读

深度阅读

栏目导航

热点阅读