Android 4.4.2 SSL握手中止

浏览 27关注 0回答 2得票数 25
原文

代码可以在我的Genymotion Android 4.4.4模拟器上运行,但不能在我使用的设备(4.4.2)上运行。

我已经尝试了很多“信任所有证书”的变通方法,但是都没有用(我不认为这是问题所在,因为证书是AOK的)。

我想我已经确定了密码(使用我桌面上的wireshark跟踪);TLS 0x00 0x1E似乎有点罕见?

你知道怎么修复吗?

这是我的代码

StrictMode.ThreadPolicy policy = new StrictMode.ThreadPolicy.Builder().permitAll().build();
StrictMode.setThreadPolicy(policy);
CloseableHttpClient client = HttpClientBuilder.create().setSSLSocketFactory(sslsf).build();
String baseURL = "https://mysite.co.uk/api/";
HttpGetHC4 request = new HttpGetHC4(baseURL + "/authenticate?user=abcd&password=1234");
CloseableHttpResponse response = client.execute(request);

和错误;

 javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6abff398: Failure in SSL library, usually a protocol error
 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x684dfce0:0x00000000)
     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:449)
     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:340)
     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:281)
     at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:124)
     at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:322)
     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:373)
     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:225)
     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:178)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
     at com.example.lee.printticket.Main$OrderAsyncTask.onPostExecute(Main.java:239)
     at com.example.lee.printticket.Main$OrderAsyncTask.onPostExecute(Main.java:189)
     at android.os.AsyncTask.finish(AsyncTask.java:632)
     at android.os.AsyncTask.access$600(AsyncTask.java:177)
     at android.os.AsyncTask$InternalHandler.handleMessage(AsyncTask.java:645)
     at android.os.Handler.dispatchMessage(Handler.java:102)
     at android.os.Looper.loop(Looper.java:136)
     at android.app.ActivityThread.main(ActivityThread.java:5017)
     at java.lang.reflect.Method.invokeNative(Native Method)
     at java.lang.reflect.Method.invoke(Method.java:515)
     at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:785)
     at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:601)
     at dalvik.system.NativeStart.main(Native Method)
 Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6abff398: Failure in SSL library, usually a protocol error
 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x684dfce0:0x00000000)
     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:406)
    ... 25 more

编辑

尝试使用不同的技术/库;

        RequestQueue queue = Volley.newRequestQueue(this);
        String url ="https://mysite.co.uk/api/authenticate?user=abcd&password=1234";

        // Request a string response from the provided URL.
        StringRequest stringRequest = new StringRequest(Request.Method.GET, url,
                new Response.Listener<String>() {
                    @Override
                    public void onResponse(String response) {
                        // Display the first 500 characters of the response string.
                        Log.d("response: ", response);
                    }
                }, new Response.ErrorListener() {
            @Override
            public void onErrorResponse(VolleyError error) {
                Log.d("response: ", error.toString());
            }
        });
        // Add the request to the RequestQueue.
        queue.add(stringRequest);

返回;

D/response:: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6ad51be0: Failure in SSL library, usually a protocol error
D/response:: error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available (external/openssl/ssl/s23_clnt.c:486 0x684dfce0:0x00000000)

或者使用来自Javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: Failure in SSL library, usually a protocol error的NoSSLv3SocketFactory黑客;

        HttpStack stack = new HurlStack(null, new NoSSLv3SocketFactory());
        RequestQueue queue = Volley.newRequestQueue(this, stack);

返回;

D/response:: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6ae51d30: Failure in SSL library, usually a protocol error
D/response:: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x684dfce0:0x00000000)
原文
Community修改于2017-05-23 19:55

2 个回答

高票数最新
GuilhE
回答于2016-11-10 01:16
得票数 0

试试这个:

public class ClientSSLSocketFactory {

    public static SSLSocketFactory getSocketFactory(Context context) {
        try {
            X509TrustManager tm = new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
                }

                public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
                }

                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            };
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, new TrustManager[]{tm}, new SecureRandom());

            SSLSocketFactory ssf = SSLCertificateSocketFactory.getDefault(10000, new SSLSessionCache(context));
            return ssf;
        } catch (Exception ex) {
            Log.e("ssl", "Error during the getSocketFactory");
            ex.printStackTrace();
            return null;
        }
    }
}

在创建队列时:

sRequestQueue = Volley.newRequestQueue(context, new HurlStack(null, ClientSSLSocketFactory.getSocketFactory()));

希望能有所帮助。

Sean F
回答于2018-05-16 08:01
得票数 0

我认为问题出在SSL v3基于这样的字符串,这表明它正试图使用SSL v3: SSL23_GET_SERVER_HELLO:sslv3。

SSL v3被认为是不安全的,因此在大多数现代软件上都被禁用了(即使在你原本期望它能工作的地方,许多公司也只是简单地把它拉了出来)。我还从堆栈跟踪中看到代码使用apache http client: org.apache.http.impl.client

因此您必须以某种方式阻止apache http客户端使用ssl v3。Apache http客户端独立于标准Java SSL/TLS库存在。

还有另一个没有得到答案的堆栈溢出问题:How do disable SSLv3 in Apache HttpClient

这个链接看起来最有希望:https://discretemkt.wordpress.com/2014/11/16/commons-httpclient-can-disable-sslv3/

在那里,关键的一行是

Protocol.registerProtocol(scheme, customHttps);

该调用似乎允许您绕过现有的ssl工厂。如果您首先运行该代码,那么它可能会工作,前提是apache http客户端版本兼容。

还要注意的是,TLS 1.0目前也被认为是不安全的。TLS 1.2和1.3以及现在的标准。

页面原文内容由Lee Tickett、Community、GuilhE、Sean F提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:https://stackoverflow.com/questions/34493334复制

扫码关注云+社区

领取腾讯云代金券