如何使用 OkHttp 添加对特定 TLSv1.2 CipherSuits 的支持 - Android 4.4 Kitkat (api 19)

Question

我的api只支持关注CipherSuits（在ssllab的帮助下找到这个）

TLSv1.2
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - OkHttp: yes
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - OkHttp: yes
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - OkHttp: yes
    TLS_DHE_RAS_WITH_AES_128_GCM_SHA256 - OkHttp: no

所有这些都在 Android api 20+ 上受支持，如 SSLSocket 所示

我尝试了adding support for TLSv1.2 到 OkHttp，但是我仍然得到通常的错误

HTTP FAILED: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: null

然后我将那些CipherSuits 添加到ConnectionSpec 并失败了

ConnectionSpec cs = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                    .tlsVersions(TlsVersion.TLS_1_2)
                    .cipherSuites(
                            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
                    )
                    .build();

HTTP FAILED: java.net.UnknownServiceException: Unable to find acceptable protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites=[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384], tlsVersions=[TLS_1_2], supportsTlsExtensions=true)], supported protocols=[TLSv1.2]

连接在 Android api 21 及更高版本上运行良好。

那么是否可以添加对这些CipherSuits 的支持？

Answer 1

将此添加到您的 okhttp 客户端

public class TLSSocketFactory extends SSLSocketFactory {

private SSLSocketFactory delegate;

public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException {
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, null, null);
    delegate = context.getSocketFactory();
}

@Override
public String[] getDefaultCipherSuites() {
    return delegate.getDefaultCipherSuites();
}

@Override
public String[] getSupportedCipherSuites() {
    return delegate.getSupportedCipherSuites();
}

@Override
public Socket createSocket() throws IOException {
    return enableTLSOnSocket(delegate.createSocket());
}

@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
    return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose));
}

@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
    return enableTLSOnSocket(delegate.createSocket(host, port));
}

@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
    return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort));
}

@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
    return enableTLSOnSocket(delegate.createSocket(host, port));
}

@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
    return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort));
}

private Socket enableTLSOnSocket(Socket socket) {
    if(socket != null && (socket instanceof SSLSocket)) {
        ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
    }
    return socket;
}

}

喜欢这个

OkHttpClient client=new OkHttpClient();
try {
    client = new OkHttpClient.Builder()
            .sslSocketFactory(new TLSSocketFactory())
            .build();
} catch (KeyManagementException e) {
    e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
}