While integrating the foreign payment platform CashFree, I found that on an old system (Xiaomi Redmi 1S Youth Edition, Android 4.3) the page could not be opened at all:
[Image 1: SSL handshake failure caused by a TLS protocol issue on older Android]
The error details report that the SSL handshake failed:
[Image 2: SSL handshake failure caused by a TLS protocol issue on older Android]
In Logcat there is a flood of errors:
[Image 3: SSL handshake failure caused by a TLS protocol issue on older Android]
The errors are of several kinds:
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225443:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned -1, SSL error code 1, net_error -113
W/chromium_net: external/chromium/net/http/http_stream_factory_impl_job.cc:865: [0404/225443:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant: browser.sentry-cdn.com:443
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225443:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned -1, SSL error code 1, net_error -107
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225446:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned 0, SSL error code 5, net_error -107
W/chromium_net: external/chromium/net/http/http_stream_factory_impl_job.cc:865: [0404/225446:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant: www.cashfree.com:443
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225446:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned 0, SSL error code 5, net_error -107
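The lines above can be triaged mechanically. The following Python script is an added example, not code from the original post: it parses the post's own six Logcat lines, decodes the `net_error` and `SSL error code` numbers (the two lookup tables are this example's assumptions, taken from Chromium's `net_error_list.h` and OpenSSL's `SSL_get_error()` values), and reports which hosts triggered the SSLv3 fallback and how each handshake died.

```python
"""Triage of the chromium_net Logcat lines quoted above.

Added example, not code from the original post. SAMPLE_LOGCAT is built from
the post's own six log lines; the regexes and the two lookup tables are this
example's assumptions about Chromium's and OpenSSL's numbering.
"""
import re
from collections import Counter

# net_error values as numbered in Chromium's net/base/net_error_list.h (assumed mapping)
CHROMIUM_NET_ERRORS = {
    -107: "ERR_SSL_PROTOCOL_ERROR",
    -113: "ERR_SSL_VERSION_OR_CIPHER_MISMATCH",
}

# SSL_get_error() return codes from OpenSSL's ssl.h (assumed mapping)
OPENSSL_SSL_ERRORS = {
    1: "SSL_ERROR_SSL",      # protocol-level failure, e.g. no shared version
    5: "SSL_ERROR_SYSCALL",  # I/O failure; with "returned 0" it is an EOF, the peer hung up mid-handshake
}

HANDSHAKE_RE = re.compile(
    r"handshake failed; returned (-?\d+), SSL error code (\d+), net_error (-?\d+)"
)
FALLBACK_RE = re.compile(
    r"Falling back to SSLv3 because host is TLS intolerant: (\S+)"
)

# Constructed sample: the six lines quoted in the post.
SAMPLE_LOGCAT = """\
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225443:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned -1, SSL error code 1, net_error -113
W/chromium_net: external/chromium/net/http/http_stream_factory_impl_job.cc:865: [0404/225443:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant: browser.sentry-cdn.com:443
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225443:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned -1, SSL error code 1, net_error -107
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225446:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned 0, SSL error code 5, net_error -107
W/chromium_net: external/chromium/net/http/http_stream_factory_impl_job.cc:865: [0404/225446:WARNING:http_stream_factory_impl_job.cc(865)] Falling back to SSLv3 because host is TLS intolerant: www.cashfree.com:443
E/chromium_net: external/chromium/net/socket/ssl_client_socket_openssl.cc:792: [0404/225446:ERROR:ssl_client_socket_openssl.cc(792)] handshake failed; returned 0, SSL error code 5, net_error -107
"""


def parse_logcat(text):
    """Split the excerpt into decoded handshake failures and fallback hosts."""
    failures, hosts = [], []
    for line in text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            returned, ssl_err, net_err = (int(g) for g in m.groups())
            failures.append({
                "returned": returned,
                "ssl_error": OPENSSL_SSL_ERRORS.get(ssl_err, f"unknown({ssl_err})"),
                "net_error": CHROMIUM_NET_ERRORS.get(net_err, f"unknown({net_err})"),
            })
            continue
        m = FALLBACK_RE.search(line)
        if m:
            hosts.append(m.group(1))
    return failures, hosts


def summarize(text):
    """Overall picture: which hosts made Chromium retry with SSLv3 and how the
    handshakes failed. A VERSION_OR_CIPHER_MISMATCH followed by the peer
    closing the connection is the signature of a server that insists on a
    TLS version the client cannot offer."""
    failures, hosts = parse_logcat(text)
    return {
        "handshake_failures": len(failures),
        "by_net_error": dict(Counter(f["net_error"] for f in failures)),
        "peer_closed_during_handshake": sum(
            1 for f in failures
            if f["returned"] == 0 and f["ssl_error"] == "SSL_ERROR_SYSCALL"),
        "fallback_hosts": sorted(set(hosts)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGCAT).items():
        print(f"{key}: {value}")
```

Note that Chromium's "host is TLS intolerant" wording is misleading here: the host is not intolerant of TLS, it simply refuses every version this client can offer, so the SSLv3 retry is guaranteed to fail as well.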
After some basic searching, my preliminary conclusion was that the server supports only a specific SSL/TLS version that this Android release does not. We used https://www.ssllabs.com/ssltest to check which SSL/TLS versions www.cashfree.com supports:
[Image: SSL Labs test of the server's SSL/TLS support]
As the result shows, the server supports only TLS 1.2, so the handshake cannot succeed whether or not the client falls back to SSLv3. Android only began supporting TLS 1.2 with 4.4.2:
[Image: User Agent SSL/TLS Capabilities]
Configuring certificate trust therefore cannot fix this (in fact the failure happens before the certificate-trust code is ever reached). Android 4.3 supports only TLS 1.0 and SSLv3.
As for SSLv3, which is already insecure, reference 3 notes:
It is (SSL 3.0) enabled by default for:
Android 1.0, 1.1, 1.5, 1.6, 2.0–2.1, 2.2–2.2.3
And:
Android 2.3–2.3.7, 3.0–3.2.6, 4.0–4.0.4
And:
Android 5.0-5.0.2
But, seems like, it is not enabled for:
Android 5.1-5.1.1
Android 6.0-6.0.1
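The negotiation outcome described above (a server that offers only TLS 1.2 against a client that can offer at most TLS 1.0, plus Chromium's SSLv3 retry) can be modelled and checked locally. The script below is an added example, not code from the original post or from CashFree: `PROTOCOL_ORDER` and the `ANDROID_CLIENT_PROTOCOLS` table are this example's assumptions that restate the post's claims (Android 4.3 offers SSLv3 and TLS 1.0; TLS 1.2 arrives with 4.4.2), and `probe_server()` reproduces the SSL Labs check in miniature using only the standard `ssl` module, so it needs network access while the other functions run offline.

```python
"""Protocol-version negotiation as described above, plus a local server probe.

Added example, not code from the original post. PROTOCOL_ORDER and the Android
table are assumptions of this example that restate the post's claims.
"""
import socket
import ssl
import sys

PROTOCOL_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Versions an Android WebView of the given release offers (assumed, per the post).
ANDROID_CLIENT_PROTOCOLS = {
    "4.3": {"SSLv3", "TLSv1.0"},
    "4.4.2": {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"},
}


def negotiate(client_versions, server_versions):
    """Highest version both sides enable, or None when no handshake is possible."""
    common = set(client_versions) & set(server_versions)
    return max(common, key=PROTOCOL_ORDER.index) if common else None


def diagnose(android_version, server_versions):
    """Spell out what the Logcat errors leave implicit: if no version is shared,
    Chromium's SSLv3 retry is just a second handshake that cannot succeed."""
    client = ANDROID_CLIENT_PROTOCOLS[android_version]
    chosen = negotiate(client, server_versions)
    if chosen is not None:
        return f"handshake OK with {chosen}"
    client_max = max(client, key=PROTOCOL_ORDER.index)
    server_min = min(server_versions, key=PROTOCOL_ORDER.index)
    return (f"no common version: client offers up to {client_max}, "
            f"server requires at least {server_min}; "
            f"the SSLv3 fallback retry cannot help either")


PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_server(host, port=443, timeout=5.0):
    """One handshake per version, with minimum and maximum pinned to that version.
    SSLv3 is not probed: current OpenSSL builds cannot offer it at all.
    Certificate verification stays on; a certificate error still means the
    version was accepted, since the server sends its certificate only after
    agreeing on a version."""
    results = {}
    for name, version in PROBE_VERSIONS.items():
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # Let the local OpenSSL offer legacy versions its default security level hides.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = "client cannot offer"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = f"accepted ({tls.version()})"
        except ssl.SSLCertVerificationError:
            results[name] = "accepted, but certificate failed verification"
        except ssl.SSLError as exc:
            results[name] = f"rejected ({exc.reason})"
        except OSError as exc:
            results[name] = f"connection error ({exc})"
    return results


if __name__ == "__main__":
    # Offline: the post's scenario, then a 4.4.2 client against the same server.
    print(diagnose("4.3", {"TLSv1.2"}))
    print(diagnose("4.4.2", {"TLSv1.2"}))
    # Online: pass a hostname to see which versions a live server accepts.
    if len(sys.argv) > 1:
        for name, outcome in probe_server(sys.argv[1]).items():
            print(f"{name}: {outcome}")
```

The probe keeps certificate verification enabled on purpose: the point is to learn which versions the server accepts, and a verification failure is reported separately rather than disguised as a version rejection.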
References:
1. https://www.ssllabs.com/ssltest/index.html
2. https://www.ssllabs.com/ssltest/clients.html, "User Agent Capabilities", which lists the TLS/SSL versions each browser supports
3. https://stackoverflow.com/questions/35018510/android-4-3-webview-https-error-falling-back-to-sslv3-because-host-is-tls-int
4. https://stackoverflow.com/questions/28329652/enabling-specific-ssl-protocols-with-android-webviewclient, which describes using OkHttpClient to handle the ChromeWebClient's requests
5. https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2
Reposted from: https://blog.csdn.net/weixin_33780516/article/details/117594387 If this infringes your copyright, please leave a comment with the address of the original article and we will remove this post; we apologise for any inconvenience.