OkHttp 3.10.0 breaks TLS handling on Android 4.* #4053
Comments
Can confirm that this issue exists in the 10 version. And none of the available workarounds helped.
Would the GMS provider help you here? The reason for reducing old ciphers and protocols is that they are not secure and shouldn't be used. https://developer.android.com/training/articles/security-gms-provider
We have the same issue on Android 4. Is there any known workaround?
@florianreinhart only downgrading to the 9 version helps me. You can try using the GMS provider. It will work on 4.4. But the user needs to have Google Play Services installed, and this "hack" may not work on systems that are <4.4.
You can manually enable the legacy cipher suites by creating a custom

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;

// Add legacy cipher suite for Android 4
List<CipherSuite> cipherSuites = ConnectionSpec.MODERN_TLS.cipherSuites();
if (!cipherSuites.contains(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)) {
  // Copy the list so the extra suite can be appended
  cipherSuites = new ArrayList<>(cipherSuites);
  cipherSuites.add(CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
}
final ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
    .cipherSuites(cipherSuites.toArray(new CipherSuite[0]))
    .build();
OkHttpClient client = new OkHttpClient.Builder()
    .connectionSpecs(Collections.singletonList(spec))
    .build();
```
If it's easy for anyone here, could you test with a snapshot build? https://oss.jfrog.org/artifactory/libs-snapshot/com/squareup/okhttp3/okhttp/3.11.0-SNAPSHOT/ It theoretically supports TLS 1.2 on Android back to 4.1. I'd love confirmation that is really the case.
In order to support OkHttp 3.10 + Android 4.x your server needs to support one of these cipher suites:
More details on the spreadsheet! http://tinyurl.com/okhttp-cipher-suites
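A diagnostic for the cipher-suite overlap discussed in this thread, added here as an example (not code from the thread or from OkHttp itself): it lists which `ConnectionSpec.MODERN_TLS` suites the runtime's default TLS provider has enabled, and which it merely supports. The class name `TlsOfferReport` and the method `offerable` are hypothetical; on Android, call the same logic from app code and log the output instead of using `main`.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;

/** Hypothetical helper, not part of OkHttp. */
public final class TlsOfferReport {

  /** Suites that are both in MODERN_TLS and in the given platform list, in MODERN_TLS order. */
  static List<CipherSuite> offerable(String[] platformSuites) {
    Set<CipherSuite> platform = new HashSet<>();
    for (String name : platformSuites) {
      // forJavaName maps the platform's suite name to OkHttp's CipherSuite instance.
      platform.add(CipherSuite.forJavaName(name));
    }
    List<CipherSuite> result = new ArrayList<>();
    for (CipherSuite suite : ConnectionSpec.MODERN_TLS.cipherSuites()) {
      if (platform.contains(suite)) result.add(suite);
    }
    return result;
  }

  static void print(String label, SSLParameters params) {
    System.out.println(label + " protocols: " + Arrays.toString(params.getProtocols()));
    List<CipherSuite> overlap = offerable(params.getCipherSuites());
    if (overlap.isEmpty()) {
      System.out.println(label + ": no MODERN_TLS cipher suite available");
    }
    for (CipherSuite suite : overlap) {
      System.out.println(label + " MODERN_TLS suite: " + suite.javaName());
    }
  }

  public static void main(String[] args) throws Exception {
    SSLContext context = SSLContext.getDefault();
    // "Enabled" is what a default socket starts with; "supported" is what could be switched on.
    print("Enabled", context.getDefaultSSLParameters());
    print("Supported", context.getSupportedSSLParameters());
  }
}
```

Comparing the "Enabled" list with the suites the server accepts shows whether a handshake can succeed without adding a legacy suite.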
No further action for us to take on this. Best fix: change your server’s TLS configuration to support one of the 5 good Android 4.x cipher suites (above). Workaround: customize cipher suites to restore legacy behavior:
@swankjesse So OkHttp versioning does not follow semver? I’d consider this a breaking change.
@florianreinhart specifically with HTTPS, OkHttp tries to stay current with the dynamic TLS ecosystem it interacts with. We retire obsolete cipher suites tracking major browsers. Details on our reasoning are here: https://github.com/square/okhttp/wiki/HTTPS
@Swirastlynn looks like Cloudflare CDN is not supporting any of these ciphers.
@stalkerg have you tested with 3.11? I'm curious whether the additional TLS 1.2 support helps here.
@yschimke I still need to use the hack with custom
@PromanSEW Any working solution for Android < 5? I had to downgrade to 3.8.0
Probably related to: #4042
Works like a charm on Android 5 and up, but...
Device:
Setup:
This is working for
but it looks like the reason is okhttpVersion='3.10.0' (also in retrofit 2.4.0 dependencies)
Stacktrace part:
I expect the failure lies within the Cipher Suites scope:
version = 3.10.0
Client supported
Server Chosen
version = 3.9.1
Server Chosen