
OkHttp 3.10.0 breaks TLS handling on Android 4.*


Probably related to: https://github.com/square/okhttp/issues/4042. Works like a charm on Android 5 and up, but…

Device:

2 devices with Android:
Sony E2003 4.4.4
Samsung GT-I9506 4.4.2

Setup:

okHttpVersion = '3.10.0'
retrofitVersion = '2.4.0'
implementation "com.squareup.okhttp3:okhttp:$okHttpVersion"
implementation "com.squareup.okhttp3:logging-interceptor:$okHttpVersion"
implementation "com.squareup.retrofit2:retrofit:$retrofitVersion"
implementation "com.squareup.retrofit2:converter-gson:$retrofitVersion"
implementation "com.squareup.retrofit2:converter-scalars:$retrofitVersion"
implementation "com.squareup.retrofit2:adapter-rxjava2:$retrofitVersion"

This is working for

okHttpVersion = '3.9.1'
retrofitVersion = '2.3.0'

but it looks like the reason is okHttpVersion = '3.10.0' (also pulled in by the Retrofit 2.4.0 dependencies).

Stacktrace part:

 Cannot establish TLS with new.services.tv.nu:443 (sni: {OUR_SERVER_ADDRESS}: TlsException("SSL handshake error: Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')],)",)

Caused by: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7b7ce0c8: Failure in SSL library, usually a protocol error

I expect the failure lies within the cipher suites scope:

version = 3.10.0

Client supported:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Server Chosen:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

version = 3.9.1

Client supported:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - Server Chosen
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Server Chosen:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
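The cipher suite mismatch described in this issue, as an added example that is not part of the original post or of OkHttp: a small simulation of server-preference cipher suite selection run over the two client lists quoted above. The server preference list is constructed; it assumes the server holds only an ECDSA certificate (so only ECDHE_ECDSA suites can be negotiated, consistent with both "Server Chosen" values) and prefers GCM over CBC.

```python
# Cipher suites offered by the Android 4.x devices, as listed in the issue.
OKHTTP_3_9_1_ANDROID4 = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]
OKHTTP_3_10_0_ANDROID4 = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# Constructed server preference list (an assumption, not taken from the issue):
# a server with only an ECDSA certificate can negotiate only ECDHE_ECDSA suites,
# and it prefers the AEAD (GCM) suites over the CBC ones.
SERVER_ECDSA_ONLY = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
]


def negotiate(client_offer, server_prefs):
    """Server-preference selection: the first suite in the server's order that the
    client also offered. None means no common suite, which is the handshake_failure
    alert ('sslv3 alert handshake failure') seen in the stack trace."""
    # The SCSV is a renegotiation signal, not a negotiable cipher suite.
    offered = set(client_offer) - {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}
    return next((s for s in server_prefs if s in offered), None)


def with_legacy_ecdsa_cbc(client_offer):
    """Mirror the workaround from the comments: keep the default list and append
    the two ECDHE_ECDSA CBC suites that are missing from the 3.10.0 list."""
    legacy = ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"]
    return list(client_offer) + [s for s in legacy if s not in client_offer]
```

With these inputs the 3.9.1 list negotiates TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, the 3.10.0 list negotiates nothing, and the patched 3.10.0 list negotiates the CBC suite again; a client that offers GCM suites is unaffected by the appended entries because the server's preference order is consulted first.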

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 14 (3 by maintainers)

Top GitHub Comments

9 reactions
swankjesse commented, Jul 5, 2018

No further action for us to take on this.

Best fix: change your server’s TLS configuration to support one of the 5 good Android 4.x cipher suites (above).

Workaround: customize cipher suites to restore legacy behavior:

    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.List;

    import okhttp3.CipherSuite;
    import okhttp3.ConnectionSpec;
    import okhttp3.OkHttpClient;

    // Necessary because our servers don't have the right cipher suites.
    // https://github.com/square/okhttp/issues/4053
    // Start from the MODERN_TLS defaults and re-add the two ECDHE_ECDSA CBC suites.
    List<CipherSuite> cipherSuites = new ArrayList<>();
    cipherSuites.addAll(ConnectionSpec.MODERN_TLS.cipherSuites());
    cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
    cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);

    ConnectionSpec legacyTls = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .cipherSuites(cipherSuites.toArray(new CipherSuite[0]))
        .build();

    OkHttpClient client = new OkHttpClient.Builder()
        .connectionSpecs(Arrays.asList(legacyTls, ConnectionSpec.CLEARTEXT))
        .build();
6 reactions
florianreinhart commented, Jun 30, 2018

You can manually enable the legacy cipher suites by creating a custom ConnectionSpec.

    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.List;

    import okhttp3.CipherSuite;
    import okhttp3.ConnectionSpec;
    import okhttp3.OkHttpClient;

    // Add legacy cipher suite for Android 4.
    // MODERN_TLS.cipherSuites() is read-only, so copy it before appending.
    List<CipherSuite> cipherSuites = ConnectionSpec.MODERN_TLS.cipherSuites();
    if (!cipherSuites.contains(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)) {
        cipherSuites = new ArrayList<>(cipherSuites);
        cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
    }
    final ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
            .cipherSuites(cipherSuites.toArray(new CipherSuite[0]))
            .build();

    OkHttpClient client = new OkHttpClient.Builder()
            .connectionSpecs(Collections.singletonList(spec))
            .build();