如何添加特定TLSv1.2工作CipherSuits与OkHttp支持 - Android 4.4的奇巧（API 19）

Question

我的API仅支持以下CipherSuits（发现这个与ssllab帮助）

TLSv1.2 
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - OkHttp: yes 
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - OkHttp: yes 
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - OkHttp: yes 
    TLS_DHE_RAS_WITH_AES_128_GCM_SHA256 - OkHttp: no 

所有这些都支持作为上看到SSLSocket

Android的API 20+我试图adding support for TLSv1.2到OkHttp但是，我仍然可以照常错误

HTTP FAILED: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: null

然后我加入那些CipherSuits到ConnectionSpec和在Android API 21和上述失败

ConnectionSpec cs = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) 
        .tlsVersions(TlsVersion.TLS_1_2) 
        .cipherSuites(
          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 
        ) 
        .build(); 

HTTP FAILED: java.net.UnknownServiceException: Unable to find acceptable protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites=[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384], tlsVersions=[TLS_1_2], supportsTlsExtensions=true)], supported protocols=[TLSv1.2]

连接工作正常。

那么是否有可能为这些CipherSuits添加支持？

Answer 1

添加到您的okhttp客户

public class TLSSocketFactory extends SSLSocketFactory { 

private SSLSocketFactory delegate; 

public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException { 
    SSLContext context = SSLContext.getInstance("TLS"); 
    context.init(null, null, null); 
    delegate = context.getSocketFactory(); 
} 

@Override 
public String[] getDefaultCipherSuites() { 
    return delegate.getDefaultCipherSuites(); 
} 

@Override 
public String[] getSupportedCipherSuites() { 
    return delegate.getSupportedCipherSuites(); 
} 

@Override 
public Socket createSocket() throws IOException { 
    return enableTLSOnSocket(delegate.createSocket()); 
} 

@Override 
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException { 
    return enableTLSOnSocket(delegate.createSocket(s, host, port, autoClose)); 
} 

@Override 
public Socket createSocket(String host, int port) throws IOException, UnknownHostException { 
    return enableTLSOnSocket(delegate.createSocket(host, port)); 
} 

@Override 
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { 
    return enableTLSOnSocket(delegate.createSocket(host, port, localHost, localPort)); 
} 

@Override 
public Socket createSocket(InetAddress host, int port) throws IOException { 
    return enableTLSOnSocket(delegate.createSocket(host, port)); 
} 

@Override 
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { 
    return enableTLSOnSocket(delegate.createSocket(address, port, localAddress, localPort)); 
} 

private Socket enableTLSOnSocket(Socket socket) { 
    if(socket != null && (socket instanceof SSLSocket)) { 
     ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"}); 
    } 
    return socket; 
} 

} 

这样

OkHttpClient client=new OkHttpClient(); 
try { 
    client = new OkHttpClient.Builder() 
      .sslSocketFactory(new TLSSocketFactory()) 
      .build(); 
} catch (KeyManagementException e) { 
    e.printStackTrace(); 
} catch (NoSuchAlgorithmException e) { 
    e.printStackTrace(); 
}