Okhttp: Update to 3.10 => Android 4.4 SLL Handcheck Error

Created on 27 Feb 2018 · 8Comments · Source: square/okhttp

Hi,
just to warn that i've got an SLL error on Android 4.4 version when i update from 3.9.1 to 3.10.

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x5c528d38:0x00000000) ---> Java.IO.IOException: SSL handshake aborted: ssl=0x59a0feb8: Failure in SSL library, usually a protocol error

I try many things like : https://github.com/square/okhttp/issues/2372 or this :

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)  
    .tlsVersions(TlsVersion.TLS_1_2)
    .cipherSuites(
          CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
    .build();

OkHttpClient client = new OkHttpClient.Builder() 
    .connectionSpecs(Collections.singletonList(spec))
    .build();

or this :
ProviderInstaller.installIfNeededAsync(this.getApplicationContext())

But nothing works and i've got unsuportedSLLEncryption or unknow

Source

thelittlefireman

All 8 comments

Can you share hostname you are connecting to?
Also try https://www.ssllabs.com/ssltest/analyze.html to get better understanding of what your server supports.

plastiv on 27 Feb 2018

it's https://rappel_produits.berlioz.me

thelittlefireman on 27 Feb 2018

Yup, it looks like removed from okhttp 3.10 ciphers are your server only supported

https://www.ssllabs.com/ssltest/analyze.html?d=berlioz.me&s=2400%3acb00%3a2048%3a1%3a0%3a0%3a6818%3a69ee

https://github.com/square/okhttp/blob/master/CHANGELOG.md#version-3100

Try to enable them back

          ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
                    .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_1, TlsVersion.TLS_1_0)
                    .cipherSuites(
                            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                            CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
                    .build();

Or better enable suggested ones on server.

plastiv on 27 Feb 2018

❤1

how should i fix the issue ? I'm on a synology behind cloudflare

thelittlefireman on 27 Feb 2018

Which service has your SSL certificates and cipher suites config? I don't think this is the typical set for Cloudflare.

Did somebody remove these?
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
They're what Android 4.4 will negotiate on cloudflare.com.

One other workaround is to install the Google security provider in the client. That'll give you a new TLS stack even on old Android 4.4 devices.
https://developer.android.com/training/articles/security-gms-provider.html

swankjesse on 27 Feb 2018

👍1

i add this :
if (Build.VERSION.SDK_INT >= 16 && Build.VERSION.SDK_INT < 22){ ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS) .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_1, TlsVersion.TLS_1_0) .cipherSuites( CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) .build(); httpClientBuilder.connectionSpecs(Collections.singletonList(spec)); }

And it works perfectly thanks :)

thelittlefireman on 27 Feb 2018

👍1

thanks @thelittlefireman thelittlefireman it works for me :)

Radwa13 on 19 Mar 2019

To know which TLS versions and Cipher suites are supported by your server, first analyse by any SSL Analyzer (i.e. https://sslanalyzer.comodoca.com) then update your ConnectionSpec code accordingly.