1. 首頁
  2. 問答
  3. 如何使用okhttp禁用SSLv3回退

如何使用okhttp禁用SSLv3回退

2014-05-08 88 views
3

我的android應用程序依靠SNI訪問正確的服務器,因此它需要TLS並且不能與SSLv3一起使用。我正在使用okhttp並進行了翻新,服務器日誌表明突然TLS握手切換到SSLv3,並且可能在記錄時間保持這種狀態,導致由於缺少服務器名稱指示支持而導致重複的主機名驗證失敗。如何使用okhttp禁用SSLv3回退

我知道在某些情況下(哪些?)okhttp停止使用TLS並切換到SSL作爲後備。但是,在SNI的情況下,這是不可接受的,是否有辦法禁用回退?

實例Apache日誌:

[Wed May 07 18:00:12.799511 2014] [ssl:debug] [pid 20369:tid 140532403599104] ssl_engine_kernel.c(1891): [client <removed>:51431] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:00:28.563170 2014] [ssl:debug] [pid 20455:tid 140532646553344] ssl_engine_kernel.c(1891): [client <removed>:51432] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:00:45.884075 2014] [ssl:debug] [pid 20371:tid 140532445562624] ssl_engine_kernel.c(1891): [client <removed>:51433] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:01.322657 2014] [ssl:debug] [pid 20455:tid 140532395206400] ssl_engine_kernel.c(1891): [client <removed>:51434] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:18.361705 2014] [ssl:debug] [pid 20370:tid 140532462348032] ssl_engine_kernel.c(1891): [client <removed>:51435] AH02041: Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:25.378294 2014] [ssl:debug] [pid 20371:tid 140532487526144] ssl_engine_kernel.c(1891): [client <removed>:51436] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:40.807100 2014] [ssl:debug] [pid 20369:tid 140532445562624] ssl_engine_kernel.c(1891): [client <removed>:51437] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:41.154782 2014] [ssl:debug] [pid 20371:tid 140532479133440] ssl_engine_kernel.c(1891): [client <removed>:51438] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:56.695645 2014] [ssl:debug] [pid 20369:tid 140532504311552] ssl_engine_kernel.c(1891): [client <removed>:51439] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits) 
[Wed May 07 18:01:57.252515 2014] [ssl:debug] [pid 20455:tid 140532521096960] ssl_engine_kernel.c(1891): [client <removed>:51440] AH02041: Protocol: SSLv3, Cipher: RC4-SHA (128/128 bits)

來源

2014-05-08 hdante

回答

5

感謝上面提到的功能請求,這是作爲配置選項添加的,請參閱here瞭解更多信息。

如果你想有一個嚴格的/安全的客戶端不回落到不安全的加密套件使用這個ConnectionSpec接口:

client.setConnectionSpecs(Collections.singletonList(ConnectionSpec.MODERN_TLS));

另外,您可以定義自己的ConnectionSpec接口:

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) 
     .tlsVersions(TlsVersion.TLS_1_2) 
     .cipherSuites(
       CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 
       CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
       CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) 
     .build(); 

    client.setConnectionSpecs(Collections.singletonList(spec));

來源

2015-10-06 11:36:10

相關問題

 相關問題