您的位置: 首页  >  技术问答  >  如何使用okhttp禁用SSLv3回退

如何使用okhttp禁用SSLv3回退

分类: 技术问答 2022-09-21 16:12:18
问题描述:

我的android应用程序依靠SNI访问正确的服务器,因此它需要TLS并且不能与SSLv3一起使用。我正在使用okhttp并进行了翻新,服务器日志表明突然TLS握手切换到SSLv3,并且可能在记录时间保持这种状态,导致由于缺少服务器名称指示支持而导致重复的主机名验证失败。如何使用okhttp禁用SSLv3回退

我知道在某些情况下(哪些?)okhttp停止使用TLS并切换到SSL作为后备。但是,在SNI的情况下,这是不可接受的,是否有办法禁用回退?

实例Apache日志:

[Wed May 07 18:00:12.799511 2014] [ssl:debug] [pid 20369:tid 140532403599104] ssl_engine_kernel.c(1891): [client <removed>:51431] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:00:28.563170 2014] [ssl:debug] [pid 20455:tid 140532646553344] ssl_engine_kernel.c(1891): [client <removed>:51432] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:00:45.884075 2014] [ssl:debug] [pid 20371:tid 140532445562624] ssl_engine_kernel.c(1891): [client <removed>:51433] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:01.322657 2014] [ssl:debug] [pid 20455:tid 140532395206400] ssl_engine_kernel.c(1891): [client <removed>:51434] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:18.361705 2014] [ssl:debug] [pid 20370:tid 140532462348032] ssl_engine_kernel.c(1891): [client <removed>:51435] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:25.378294 2014] [ssl:debug] [pid 20371:tid 140532487526144] ssl_engine_kernel.c(1891): [client <removed>:51436] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:40.807100 2014] [ssl:debug] [pid 20369:tid 140532445562624] ssl_engine_kernel.c(1891): [client <removed>:51437] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:41.154782 2014] [ssl:debug] [pid 20371:tid 140532479133440] ssl_engine_kernel.c(1891): [client <removed>:51438] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:56.695645 2014] [ssl:debug] [pid 20369:tid 140532504311552] ssl_engine_kernel.c(1891): [client <removed>:51439] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:57.252515 2014] [ssl:debug] [pid 20455:tid 140532521096960] ssl_engine_kernel.c(1891): [client <removed>:51440] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits)

Open a feature request我们会照顾它。

+2

这样做得到实施? –

感谢上面提到的功能请求,这是作为配置选项添加的,请参阅here了解更多信息。

如果你想有一个严格的/安全的客户端不回落到不安全的加密套件使用这个ConnectionSpec接口:

client.setConnectionSpecs(Collections.singletonList(ConnectionSpec.MODERN_TLS));

另外,您可以定义自己的ConnectionSpec接口:

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) 
     .tlsVersions(TlsVersion.TLS_1_2) 
     .cipherSuites(
       CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 
       CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
       CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) 
     .build(); 

    client.setConnectionSpecs(Collections.singletonList(spec));

相关推荐