- 1微信小程序源码_微信小程序源代码
- 2【kotlin】使用MPAndroidChart实现PieChart(饼图)并设置每个数据的颜色、标签等属性_android studio kotlin 中调用mpandroidchart
- 3Java题目详解——LeetCode206.反转链表(包含三种解法,迭代,栈,递归)_java 链表反转 迭代
- 4shell中使用正则表达式_shell 加减乘除表达式 正则
- 5蓝牙应用层协议介绍
- 6Markdown中如何输入上标、下标?_markdown 向上箭头怎么打
- 7【第二章:OpenCv算法的基本介绍与应用】_opencv 常用算法
- 8kakka rebalance解决方案_如何解决kafka rebalance问题
- 9Python机器学习实例-逻辑回归模型预测泰坦尼克号生还_机器学习,使用python scikit-learn中提供的算法类搭建回归模型。选用泰坦尼克号幸
- 10使用eric5.5.4+PYQT5.0+python3.3.2=最强python GUI开发组合_eric 编写qt5
Android5.0以下https兼容ssl3的问题_httpurlconnection tls1.2 android
赞
踩
一、前言
一般来说大家请求一些经过CA认证的https网址时候是不需要做额外操作的,使用正常的https请求方式就好了,有些封装好的第三方库,比如OkHttp则更为方便,只是修改一下网址就可以了。但是https里面有很多不同版本的协议和套接字,比如TSL1.0, TSL2.0,TSL3.0,SSL1,SSL2,SSL3等,还有其余很多细小的东西。一般来说两边协议都一致才能访问成功,假设两边支持的协议不一致,就无法访问成功。一般来说都是没什么问题的,但是由于技术发展过快,在以前的Android5.0以下对ssl3兼容有问题。现在如果新生成的CA证书,或者使用nginx生成的证书在忽略这一点时候会出现无法访问的问题,虽然https://www.baidu.com在系统浏览器里面无法访问。
二、解决方式
解决方式的话就是在进行https校验的话强制使用TLS1.0、TLS2.0较低的也是较全的协议进行校验。
使用该解决方式的前提是:
在使用比较新的框架或者版本时候会默认使用ssl3进行通信,但是因为客户端系统比较旧不支持该协议,所以需要强制指定协议版本为TLS1.0、TLS2.0。但是假若,服务器只支持ssl3,或者双方没有共同的协议,该指定方式是无效的,所以文末会有查验服务器和手机支持的协议的方式以及拓展协议的方式
三、代码
这里主要使用的是HttpUrlConnection去编写的网络请求,在低版本的时候底层还是使用HttpClient,高版本改成了OkHttp。配置入口可能不一样,但是配置代码是一样的。另外网上流传的很多方式都不太好使,这些代码主要还是参考的OkHttp的部分源码改的。这个代码主要是我的朋友提供,这里仅作为收录。
TLSSocketFactory.java
import android.support.annotation.Nullable; import java.io.IOException; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.util.Arrays; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; public class TLSSocketFactory extends SSLSocketFactory { private SSLSocketFactory delegate; private TrustManager[] trustManagers; public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException { generateTrustManagers(); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, trustManagers, null); delegate = context.getSocketFactory(); } private void generateTrustManagers() throws KeyStoreException, NoSuchAlgorithmException { TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init((KeyStore) null); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) { throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers)); } this.trustManagers = trustManagers; } @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); } @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); } @Override public Socket createSocket() throws IOException { return enableTLSOnSocket(delegate.createSocket()); } @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose)); } @Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { return enableTLSOnSocket(delegate.createSocket(host, port)); } @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort)); } @Override public Socket createSocket(InetAddress host, int port) throws IOException { return enableTLSOnSocket(delegate.createSocket(host, port)); } @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort)); } private Socket enableTLSOnSocket(Socket socket) { if(socket != null && (socket instanceof SSLSocket)) { ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"}); } return socket; } @Nullable public X509TrustManager getTrustManager() { return (X509TrustManager) trustManagers[0]; } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
NullHostNameVerifier.java
import android.util.Log;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
public class NullHostNameVerifier implements HostnameVerifier {
@Override
public boolean verify(String hostname, SSLSession session) {
Log.i("RestUtilImpl", "Approving certificate for " + hostname);
return true;
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
SSLUtils.java
import android.os.Build; import java.security.SecureRandom; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; public class SSLUtils { private static void trustAllHttpsCertificates() throws Exception { TrustManager[] trustAllCerts = new TrustManager[1]; TrustManager tm = new miTM(); trustAllCerts[0] = tm; SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, trustAllCerts, new SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } static class miTM implements TrustManager, X509TrustManager { @Override public X509Certificate[] getAcceptedIssuers() { return null; } public boolean isServerTrusted(X509Certificate[] certs) { return true; } public boolean isClientTrusted(X509Certificate[] certs) { return true; } @Override public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { return; } @Override public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { return; } } /** * 忽略HTTPS请求的SSL证书,必须在openConnection之前调用 * * @throws Exception */ public static void ignoreSsl(HttpsURLConnection conn) throws Exception { if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {// 5.0以下做https兼容处理 HttpsURLConnection.setDefaultSSLSocketFactory(new TLSSocketFactory()); ((HttpsURLConnection) conn).setSSLSocketFactory(new TLSSocketFactory()); } // if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) { // HttpsURLConnection.setDefaultHostnameVerifier(new NullHostNameVerifier()); // ((HttpsURLConnection) conn).setHostnameVerifier(new NullHostNameVerifier()); // trustAllHttpsCertificates(); // } else { // HttpsURLConnection.setDefaultSSLSocketFactory(new TLSSocketFactory()); // ((HttpsURLConnection) conn).setSSLSocketFactory(new TLSSocketFactory()); // // } } //这里是创建一个SSLSocketFactory,提供给上面的 .sslSocketFactory() public static SSLSocketFactory createSSLSocketFactory() { SSLSocketFactory ssfFactory = null; try { SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, new TrustManager[]{new TrustAllCerts()}, new SecureRandom()); ssfFactory = sc.getSocketFactory(); } catch (Exception e) { } return ssfFactory; } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
注释的代码是因为高版本无需处理,所以只处理低版本,如果高版本需要处理,则视情况决定
使用方式如下
在执行网络请求前调用
SSLUtils.ignoreSsl(connection);
本地不支持的加密套件
如果出现本地不支持的加密套件,服务器又无法修改,那么需要本地升级openssl.so。新的库去GitHub下载,该方案未测试
https://github.com/leenjewel/openssl_for_ios_and_android
待验证的搜集的链接:
-
SSLSocket,Android各个版本协议支持情况:
https://developer.android.google.cn/reference/javax/net/ssl/SSLSocket#cipher-suites -
检查服务器协议支持情况(使用nmap命令):
https://blog.csdn.net/wurensen/article/details/122343213
https://gist.github.com/gotev/f1a8a221e2d1d09bcb93e823b8e5a05a -
OkHttp对TLS1.2的兼容:support enabling TLSv1.2 on Android 4.1-4.4
-
服务器https在线测试情况1(这个网站更好点,会列出加密算法,比如x25519):
https://www.ssllabs.com/ssltest/ -
服务器https在线测试情况2:
https://myssl.com -
android版本对tls支持,Android 4.2 TLS1.2支持(包含了怎么添加不支持的加密套件):
https://www.codenong.com/js469fd525c191/ -
conscrypt(该库可以在Android SDK版本9 之上支持所有最新的tls协议及缺少的加密套件): https://github.com/google/conscrypt/
-
ssl-provider(一个轻量级加密库,如果协议缺少就会下载conscrypt进行支持):https://github.com/szkolny-eu/ssl-provider
-
wolfssljni(也是一个加密程序,但是应该是跟服务端配套使用,需要测试):https://github.com/wolfSSL/wolfssljni
-
https://blog.csdn.net/weixin_30249953/article/details/115781291
测试工具:
https://github.com/mozilla/cipherscan
可以验证椭圆曲线算法属于哪一种加密套件版本。然后选择启用哪一个加密套件
- X25519仅在Java13时候开始支持
https://zhuanlan.zhihu.com/p/491112832
关于X25519的一些帖子
- SSLHandshakeException: Handshake failed on Android N/7.0 :
https://stackoverflow.com/questions/39133437/sslhandshakeexception-handshake-failed-on-android-n-7-0 - Is X25519 available as curve for KEX in Android? :
https://stackoverflow.com/questions/47959542/is-x25519-available-as-curve-for-kex-in-android - Android - SSL/TLS and ECC (Elliptic curve cryptography) :
https://stackoverflow.com/questions/9114950/android-ssl-tls-and-ecc-elliptic-curve-cryptography - SSL/TLS深度解析–测试TLS/SSL加密
https://www.yisu.com/zixun/53187.html - KeyAgreement:
https://developer.android.com/reference/javax/crypto/KeyAgreement - 通过 HTTPS 和 SSL 确保安全:
https://developer.android.google.cn/training/articles/security-ssl - 关键词: Curve25519 X25519
利用openssl查看网站证书
https://blog.csdn.net/m0_46500807/article/details/113783957
