javax.net.ssl.SSLHandshakeException：Android 7.0中握手失败

I am calling API to login but I am getting error of ssl handshake in Android 7.0, other than this version everything is working fine. I am using retrofit. Following is the error.

我正在调用API登录,但我在Android 7.0中遇到ssl握手错误,除了这个版本一切正常。我正在使用改造。以下是错误。

SSL handshake terminated: ssl=0xcbcd0340: Failure in SSL library, usually a protocol error error:1000043e:SSL routines:OPENSSL_internal:TLSV1_ALERT_INAPPROPRIATE_FALLBACK (external/boringssl/src/ssl/s3_pkt.c:610 0xebc87640:0x00000001)

SSL握手终止:ssl = 0xcbcd0340:SSL库失败,通常是协议错误错误:1000043e:SSL例程:OPENSSL_internal:TLSV1_ALERT_INAPPROPRIATE_FALLBACK(external / boringssl / src / ssl / s3_pkt.c:610 0xebc87640:0x00000001)

Also as said by someone to add the following code so that this issue will be resolved but still no luck,

还有人说要添加以下代码以便解决这个问题,但仍然没有运气,

    ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
                .build();
okHttpClient.connectionSpecs(Collections.singletonList(spec));

I have even tried to letgo trust each and every certificate but still no luck. Following is the code.

我甚至试图放弃信任每一个证书,但仍然没有运气。以下是代码。

    public static OkHttpClient.Builder sslSocketFactory(OkHttpClient.Builder okHttpClient)

    {

        try {
//             Create a trust manager that does not validate certificate chains
            final TrustManager[] trustAllCerts = new TrustManager[]{
                    new X509TrustManager() {
                        @Override
                        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
                        }

                        @Override
                        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
                        }

                        @Override
                        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                            return new java.security.cert.X509Certificate[]{};
                        }
                    }
            };
            ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                    .tlsVersions(TlsVersion.TLS_1_0)
                    .allEnabledCipherSuites()
                    .build();
            // Install the all-trusting trust manager
            final SSLContext sslContext = SSLContext.getInstance("SSL");
            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
            // Create an ssl socket factory with our all-trusting manager
            final javax.net.ssl.SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

////////            OkHttpClient.Builder builder = new OkHttpClient.Builder();
            okHttpClient.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);
            okHttpClient.hostnameVerifier(new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            });
            return okHttpClient;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

Following are my ssllabs tested using android 7.0

以下是我使用android 7.0测试的ssllabs

ssllabs test In all other android versions all API's are working fine I do get response, but I am not able to get response in version 7.0.

ssllabs测试在所有其他Android版本中,所有API都正常工作我得到了响应,但我无法在7.0版中获得响应。

1 个解决方案

#1

Actually it's more likely to be a ssl_ciphers server-side settings problem.

实际上它更可能是一个ssl_ciphers服务器端设置问题。

Assuming nginx, change your ssl_ciphers settings to the one recommended by openHab :

假设nginx,将您的ssl_ciphers设置更改为openHab建议的设置:

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;

Don't forget to reload (systemctl reload nginx) and now all problematic android devices should work just fine.

不要忘记重新加载(systemctl reload nginx),现在所有有问题的Android设备应该可以正常工作。

#1