Hot questions for Handling SSLHandshakeException in Retrofit

Top 10 Java Open Source / Retrofit / Handling SSLHandshakeException

javax.net.ssl.SSLHandshakeException: Handshake failed on Android 5.0.0 when SSLv2 and SSlv3 are disabled (TLS only) (and greater)

Question: I'm using retrofit:1.9.0 and okhttp:2.7.5 to perform API call. Everything was fine until my server provider disable SLLv2 and SSLv3 cause of sercurity trouble (Drown fail found on first March).

Now I check the information about my provider and he allows only TLSv1 with cypher (TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA No FS) from https://www.ssllabs.com/.

It seems that the problems comes from the google API version. When I test on API 18 everything is working fine. When it's on Android greather or equal to 5.0.0 it fails.

First test

Conf. recap:

  1. compileSdkVersion 23
  2. buildToolsVersion '23.0.2'
  3. minSdkVersion 18
  4. targetSdkVersion 21
  5. retrofit:1.9.0
  6. okhttp:2.7.5
  7. Android version > 5.0.0 (but it's the same on every device...)

Rest Client (LoginRestClient):

public class LoginRestClient
{
    private static final String BASE_URL = "";
    private LoginApiService apiService;

    public LoginRestClient()
    {
        Gson gson = new GsonBuilder()
                .setDateFormat("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'SSS'Z'")
                .create();

        RestAdapter restAdapter = new RestAdapter.Builder()
                .setLogLevel(RestAdapter.LogLevel.FULL)
                .setEndpoint(ApiIntentService.getHostAddress())
                .setConverter(new GsonConverter(gson))
                .setClient(new OkClient(ApiIntentService.getConnectionHttpClient()))
                .build();

        apiService = restAdapter.create(LoginApiService.class);
    }

    public LoginApiService getApiService() {
        return apiService;
    }
}

Function to create client OkHttpClient getConnectionHttpClient()

public static OkHttpClient getConnectionHttpClient()
{
    OkHttpClient okHttpClient = new OkHttpClient();
    okHttpClient.setReadTimeout(60, TimeUnit.SECONDS);
    okHttpClient.setConnectTimeout(60, TimeUnit.SECONDS);



        ConnectionSpec specs = new ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
                .tlsVersions(TlsVersion.TLS_1_0)
                .cipherSuites(CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
                .build();

        okHttpClient.setConnectionSpecs(Collections.singletonList(specs));

    return okHttpClient;
}

Result in public void failure(RetrofitError error) from custom CallBack

java.net.UnknownServiceException: Unable to find acceptable protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites=[TLS_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_0], supportsTlsExtensions=true)], supported protocols=[SSLv3, TLSv1, TLSv1.1, TLSv1.2]

Second test

I've made a custom SSLSocketFactory to disable SSLv3 and force TLS:

public class TLSSocketFactory extends SSLSocketFactory {

    private SSLSocketFactory internalSSLSocketFactory;

    public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);
        internalSSLSocketFactory = context.getSocketFactory();
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return internalSSLSocketFactory.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return internalSSLSocketFactory.getSupportedCipherSuites();
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(s, host, port, autoClose));
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port, localHost, localPort));
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(address, port, localAddress, localPort));
    }

    private Socket enableTLSOnSocket(Socket socket) {
        if(socket != null && (socket instanceof SSLSocket)) {
            ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1"});
        }
        return socket;
    }
}

I use it like this:

public static OkHttpClient getConnectionHttpClient()
    {
        OkHttpClient okHttpClient = new OkHttpClient();
        okHttpClient.setReadTimeout(60, TimeUnit.SECONDS);
        okHttpClient.setConnectTimeout(60, TimeUnit.SECONDS);

        try {
            TLSSocketFactory tlsSocketFactory = new TLSSocketFactory();
            HttpsURLConnection.setDefaultSSLSocketFactory(tlsSocketFactory);
            okHttpClient.setSslSocketFactory(tlsSocketFactory);
        } catch (KeyManagementException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }

 return okHttpClient;
}

Result in public void failure(RetrofitError error) from custom CallBack

javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7f87885280: Failure in SSL library, usually a protocol error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:770 0x7f87c2fdf0:0x00000000)

If anyone can help me It will be very cool. All my apps are down and I'm fighting against this problem since yesterday morning to restore my services. I'm removing my hair one by one...

Answer: try this library: https://guardianproject.info/code/netcipher

It permits to provide to Android a better way to work with cypher and TLS in case where SSLv2 and SSlv3 are disabled.

First create this class NoSSLv3SocketFactory.java and couple this with a CypherUrl connection by creating a constructor like this

public class NoSSLv3SocketFactory extends SSLSocketFactory{
    private final SSLSocketFactory delegate;

    public NoSSLv3SocketFactory(URL sourceUrl) throws IOException {
        this.delegate = NetCipher.getHttpsURLConnection(sourceUrl).getDefaultSSLSocketFactory();
    }

    public NoSSLv3SocketFactory() {
        this.delegate = HttpsURLConnection.getDefaultSSLSocketFactory();
    }

    public NoSSLv3SocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return delegate.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return delegate.getSupportedCipherSuites();
    }

    private Socket makeSocketSafe(Socket socket) {
        if (socket instanceof SSLSocket) {
            socket = new NoSSLv3SSLSocket((SSLSocket) socket);
        }
        return socket;
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return makeSocketSafe(delegate.createSocket(s, host, port, autoClose));
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return makeSocketSafe(delegate.createSocket(host, port));
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return makeSocketSafe(delegate.createSocket(host, port, localHost, localPort));
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return makeSocketSafe(delegate.createSocket(host, port));
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return makeSocketSafe(delegate.createSocket(address, port, localAddress, localPort));
    }

    private class NoSSLv3SSLSocket extends DelegateSSLSocket {

        private NoSSLv3SSLSocket(SSLSocket delegate) {
            super(delegate);

        }

        @Override
        public void setEnabledProtocols(String[] protocols) {
            if (protocols != null && protocols.length == 1 && "SSLv3".equals(protocols[0])) {

                List<String> enabledProtocols = new ArrayList<String>(Arrays.asList(delegate.getEnabledProtocols()));
                if (enabledProtocols.size() > 1) {
                    enabledProtocols.remove("SSLv3");
                    System.out.println("Removed SSLv3 from enabled protocols");
                } else {
                    System.out.println("SSL stuck with protocol available for " + String.valueOf(enabledProtocols));
                }
                protocols = enabledProtocols.toArray(new String[enabledProtocols.size()]);
            }

            super.setEnabledProtocols(protocols);
        }
    }

    public class DelegateSSLSocket extends SSLSocket {

        protected final SSLSocket delegate;

        DelegateSSLSocket(SSLSocket delegate) {
            this.delegate = delegate;
        }

        @Override
        public String[] getSupportedCipherSuites() {
            return delegate.getSupportedCipherSuites();
        }

        ...
    }
}

and now (in my case with retrofit) just use it like this:

So first, Add a static method (or as you want create it on use) to make a okHttpClient with our previously created NoSSlv3Factory.java class.

public static OkClient createClient(int readTimeout, TimeUnit readTimeoutUnit, int connectTimeout, TimeUnit connectTimeoutUnit)
{
    final OkHttpClient okHttpClient = new OkHttpClient();
    okHttpClient.setReadTimeout(readTimeout, readTimeoutUnit);
    okHttpClient.setConnectTimeout(connectTimeout, connectTimeoutUnit);

    try {
        URL url = new URL(ApiIntentService.getHostAddress());
        SSLSocketFactory NoSSLv3Factory = new NoSSLv3SocketFactory(url);
        okHttpClient.setSslSocketFactory(NoSSLv3Factory);
    } catch (MalformedURLException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }

    return new OkClient(okHttpClient);

}

Then, in my case when you create your RestAdapter just make it like this, and don't forget to set you client.

public class LoginRestClient
{
    private static final String BASE_URL = "";
    private LoginApiService apiService;

    public LoginRestClient()
    {
        Gson gson = new GsonBuilder()
                .setDateFormat("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'SSS'Z'")
                .create();

        RestAdapter restAdapter = new RestAdapter.Builder()
                .setLogLevel(RestAdapter.LogLevel.FULL)
                .setEndpoint(ApiIntentService.getHostAddress())
                .setConverter(new GsonConverter(gson))
                .setClient(ApiIntentService.createClient(60, TimeUnit.SECONDS, 20, TimeUnit.SECONDS))
                .build();

        apiService = restAdapter.create(LoginApiService.class);
    }

    public LoginApiService getApiService() {
        return apiService;
    }
}

With this it should be working. I hope it will be usefull for someone else.


Retrofit OkHttp SSLHandshakeException

Question: I am using OkHttp as the client in Retrofit. I am unable to hit a certain https url. This server supports TLS 1.0 only and the following ciphers "TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5"

Here's how I am instantiating my OkHttpClient:

OkHttpClient client = new OkHttpClient();

    try {
        // Create a trust manager that does not validate certificate chains
        final TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
            @Override
            public void checkClientTrusted(
                    java.security.cert.X509Certificate[] chain,
                    String authType) throws CertificateException {
            }

            @Override
            public void checkServerTrusted(
                    java.security.cert.X509Certificate[] chain,
                    String authType) throws CertificateException {
            }

            @Override
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        }};

        // Install the all-trusting trust manager
        final SSLContext sslContext = SSLContext.getInstance("TLSv1");
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());

        // Create an ssl socket factory with our all-trusting manager
        final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        client.setSslSocketFactory(sslSocketFactory);

        client.setHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
    } catch (Exception e) {
        throw new RuntimeException(e);
    }


    return client;
}

And my app keeps throwing this exception:

javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x9742f000: Failure in SSL library, usually a protocol error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:770 0xab9fcc4d:0x00000000)

Answer: OkHttp no longer supports RC4 in its default config since OkHttp v2.3. You can use the ConnectionSpec to enable it, the ConnectionSpecTest.java (source code) shows some examples.


OkHttp SSLHandshakeException SSL handshake aborted Failure in SSL library, a protocol error

Question: Android lower version devices (4.1 - 4.4) gives SSL error.

04-23 17:17:38.434 21599-21956/ D/NativeCrypto: ssl=0x0 NativeCrypto_SSL_interrupt
04-23 17:17:38.435 21599-21956/ D/OkHttp: <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x635d8808: Failure in SSL library, usually a protocol error
    error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x5e6c46fd:0x00000000)

Previously was working fine with following versions :

implementation 'com.squareup.okhttp3:okhttp:3.9.1'
implementation 'com.squareup.okhttp3:okhttp-urlconnection:3.9.1'
implementation 'com.squareup.okhttp3:logging-interceptor:3.9.1'

implementation 'com.squareup.retrofit2:retrofit:2.3.0'
implementation 'com.squareup.retrofit2:converter-jackson:2.3.0'
implementation 'com.squareup.retrofit2:adapter-rxjava:2.3.0'

But after upgrading these libraries things change. Every service call gives SSL handshake exception.

implementation 'com.squareup.okhttp3:okhttp:3.10.0'
implementation 'com.squareup.okhttp3:okhttp-urlconnection:3.10.0'
implementation 'com.squareup.okhttp3:logging-interceptor:3.10.0'

implementation 'com.squareup.retrofit2:retrofit:2.4.0'
implementation 'com.squareup.retrofit2:converter-jackson:2.4.0'
implementation 'com.squareup.retrofit2:adapter-rxjava:2.4.0'

Also if i downgrade these libraries to previous version it still doesnt work. But git checkout to the previous commit works fine

Answer: solved it by adding the following to your http client object

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
            .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_1, TlsVersion.TLS_1_0)
            .cipherSuites(
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
            .build();

httpClient.connectionSpecs(Collections.singletonList(spec))