HttpClient的有握手失败，失败中的Andr​​oid 5.0棒棒糖 [英] HttpClient fails with Handshake Failed in Android 5.0 Lollipop

问题描述

DefaultHttpClient在安卓5.0棒棒堂似乎被打破。它不能设置连接到一些网站已成功搭载Android的previous版本的设置。

DefaultHttpClient in Android 5.0 Lollipop seems to be broken. It can not set the connection to some sites that were successfully set by previous versions of Android.

例如我尝试连接到 https://uralsg.megafon.ru

//Create httpclient like in http://stackoverflow.com/questions/18523784/ssl-tls-protocols-and-cipher-suites-with-the-androidhttpclient
HttpClient client = new DefaultHttpClient(manager, params);
HttpGet httpGet = new HttpGet("https://uralsg.megafon.ru");
HttpResponse client = httpclient.execute(httpGet);

这code工作在Android的2.3-4.4，但没有在Android 5.0（设备和仿真器）与同伴关闭错误连接。 当然，这是可以理解的，因为Android的5.0尝试连接这个老服务器TLSv1.2和现代密码，它不支持他们。

This code works in Android 2.3-4.4, but fails on Android 5.0 (devices and emulator) with error Connection closed by peer. Of course this is understandable because Android 5.0 tries to connect this old server with TLSv1.2 and modern ciphers and it does not support them.

好了，使用样品code在<一个href="http://stackoverflow.com/questions/18523784/ssl-tls-protocols-and-cipher-suites-with-the-androidhttpclient">SSL/TLS协议和密码套件与AndroidHttpClient 我们限制的协议和密码到的的TLSv1 和 SSL_RSA_WITH_RC4_128_MD5 的。现在，它失败，不同的​​错误：

Ok, using the sample code in SSL/TLS protocols and cipher suites with the AndroidHttpClient we limit the protocol and cipher to TLSv1 and SSL_RSA_WITH_RC4_128_MD5. Now it fails with a different error:

javax.net.ssl.SSLHandshakeException: Handshake failed
caused by 
    error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac 
    (external/openssl/ssl/s3_pkt.c:1286 0x7f74c1ef16e0:0x00000003) 
    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake

当然，这code顺利运行在Android 2.3-4.4。

And of course this code runs smoothly on Android 2.3-4.4.

我检查了交通使用Wireshark：

I examined the traffic with wireshark:

302 4002.147873000  192.168.156.30  83.149.32.13    TLSv1   138 Client Hello
303 4002.185362000  83.149.32.13    192.168.156.30  TLSv1   133 Server Hello
304 4002.186700000  83.149.32.13    192.168.156.30  TLSv1   1244    Certificate
305 4002.186701000  83.149.32.13    192.168.156.30  TLSv1   63  Server Hello Done
307 4002.188117000  192.168.156.30  83.149.32.13    TLSv1   364 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
308 4002.240695000  83.149.32.13    192.168.156.30  TLSv1   61  Alert (Level: Fatal, Description: Bad Record MAC)

您可以看到已建立的连接，但服务器的警告，因为它可能无法解除code加密握手消息。

You can see that connection was established but server alerted because it probably could not decode encrypted handshake message.

我没使用HttpClient的连接到 https://uralsg.megafon.ru 在Android 5.0。股票的浏览器确实，虽然连接。 Android的2.3-4.4连接以任何方式这个网站没有任何困难。

I didn't manage to connect to https://uralsg.megafon.ru using HttpClient on Android 5.0. Stock browser does connect it though. Android 2.3-4.4 connects this site in any way without any difficulties.

有没有什么办法可以使得HttpClient的连接这样的网站？这只是一个例子，我相信有很多无法通过Android的5.0和HttpClient的连接旧式服务器的。

Is there any way to make it possible for HttpClient to connect such sites? This is only one example, I am sure there are plenty of legacy servers that couldn't be connected by Android 5.0 and HttpClient.

推荐答案

更新：它原来是在后端的错误，而不是android的5 ，但确实与密码有问题。的

update: it turned out to be a bug in the back-end, not android 5, though indeed with the cipher in question.

我有同样的问题。对于我来说，原来是密码 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 这是由机器人5的（更新）一套默认的密码。

I had the same problem. For me it turned out to be the cipher TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 which was chosen from android 5's (updated) set of default ciphers.

当我从接受密码的客户名单中删除它，重新连接工作。

As soon as i removed it from the client list of acceptable ciphers, connections worked again.

href="http://developer.android.com/about/versions/android-5.0-changes.html#ssl" rel="nofollow">机器人5更改日志提到

The android 5 change log mentions:

  
• AES-GCM（AEAD）加密套件现已启用，
  

我是pretty的肯定，这是罪魁祸首。只要 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 是preferred（服务器），连接将失败。

I'm pretty sure this is the culprit. As soon as TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 is preferred (by the server), the connection will fail.

请注意， TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 和

我的猜测是，无论是Android的实施 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 的是越野车，或者你说的服务器之一。

My guess is that either the Android implementation of TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 is buggy, or the one of the server you're talking to.

解决方案：

1. 从服务器（无需重新部署应用程序）上的可用密码删除 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 。
2. 从密码列表中删除 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 客户端提供的。
（即 CLIENT_HELLO 期间）

1. Remove TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 from the available ciphers on the server (no app redeployment needed).
2. Remove TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 from the list of ciphers the client offers (during the CLIENT_HELLO).

您可以做到这一点在客户端上通过实现自己的SSLSocketFactory和呼叫

You can do that on the client side by implementing your own SSLSocketFactory and calling

sslSocket.setEnabledCipherSuites(String[] suites);

在SSLSocket创作。

on SSLSocket creation.

编辑：注意，这并不一定是一个Android的错误，它可能是服务器实现故障。如果你的问题是由密码的确引起的，请留在Android的bug跟踪评论]（的 HTTPS：//$c$c.google.com/p/android/issues/detail ID = 81603 ）？谢谢！

edit: note that this isn't necessarily an android bug, it might be that the server implementation is faulty. if your problem is indeed caused by the cipher, please leave a comment on the android bug tracker](https://code.google.com/p/android/issues/detail?id=81603). thank you!

这篇关于HttpClient的有握手失败，失败中的Andr​​oid 5.0棒棒糖的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！