    04-23 17:17:38.434 21599-21956/ D/NativeCrypto: ssl=0x0 NativeCrypto_SSL_interrupt
    04-23 17:17:38.435 21599-21956/ D/OkHttp: <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x635d8808: Failure in SSL library, usually a protocol error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x5e6c46fd:0x00000000)

Lower Android versions (4.1 - 4.4) give an SSL error. Previously it was working fine with the following versions:

    implementation 'com.squareup.okhttp3:okhttp:3.9.1'
    implementation 'com.squareup.okhttp3:okhttp-urlconnection:3.9.1'
    implementation 'com.squareup.okhttp3:logging-interceptor:3.9.1'
    implementation 'com.squareup.retrofit2:retrofit:2.3.0'
    implementation 'com.squareup.retrofit2:converter-jackson:2.3.0'
    implementation 'com.squareup.retrofit2:adapter-rxjava:2.3.0'

But after upgrading these libraries things changed. Every service call gives an SSL handshake exception.

    implementation 'com.squareup.okhttp3:okhttp:3.10.0'
    implementation 'com.squareup.okhttp3:okhttp-urlconnection:3.10.0'
    implementation 'com.squareup.okhttp3:logging-interceptor:3.10.0'
    implementation 'com.squareup.retrofit2:retrofit:2.4.0'
    implementation 'com.squareup.retrofit2:converter-jackson:2.4.0'
    implementation 'com.squareup.retrofit2:adapter-rxjava:2.4.0'

Also, if I downgrade these libraries to the previous versions it still doesn't work. But a git checkout of the previous commit works fine. Clueless.

  • Did you add the certificate to the keystore? Commented Apr 23, 2018 at 11:56
  • @Lucifer I think I didn't. Which certificate are you referring to? Commented Apr 23, 2018 at 12:01
  • You are using SSL, so there should be a security certificate on the server side. Commented Apr 23, 2018 at 12:03
  • The server is not even getting called. The services are getting blocked on the Android side. Commented Apr 23, 2018 at 12:03
  • You should add it as an answer rather than updating your question. This way it will help future visitors. Commented Apr 23, 2018 at 12:28

2 Answers

So I solved it by adding the following to my HTTP client object:

    import java.util.Collections;
    import okhttp3.CipherSuite;
    import okhttp3.ConnectionSpec;
    import okhttp3.TlsVersion;

    // httpClient is the OkHttpClient.Builder the client is built from
    ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
            .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_1, TlsVersion.TLS_1_0)
            .cipherSuites(
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
            .build();
    httpClient.connectionSpecs(Collections.singletonList(spec));

Reference: https://github.com/square/okhttp/issues/3894


4 Comments

But how do I use that solution with certificate pinning?
I am having the "CLEARTEXT communication not enabled for client" problem, but I already have the solution for it on newer Android versions.
To know which TLS versions and cipher suites are supported by your server, first analyse it with any SSL analyser (e.g. sslanalyzer.comodoca.com), then update your ConnectionSpec code accordingly.
I have this problem on AppGlideModule, which cannot download images, with this error: javax.net.ssl.SSLHandshakeException: Handshake failed

I ran into this issue when upgrading to OkHttp 4.x. Rather than having to keep track of all known TLS versions and all known ciphers as Anker recommends, use OkHttp's allEnabledTlsVersions and allEnabledCipherSuites methods:

    val builder = OkHttpClient.Builder()
    …
    // The default OkHttp configuration does not support older versions of TLS,
    // or all cipher suites. Make our support as reasonably broad as possible.
    builder.connectionSpecs(listOf(
        ConnectionSpec.CLEARTEXT,
        ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
            .allEnabledTlsVersions()
            .allEnabledCipherSuites()
            .build()))
    …
    val okHttpClient = builder.build()

These lists will stay current as long as you upgrade OkHttp regularly. From the ConnectionSpec API doc:

Use Builder.allEnabledTlsVersions and Builder.allEnabledCipherSuites to defer all feature selection to the underlying SSL socket.

The configuration of each spec changes with each OkHttp release. This is annoying: upgrading your OkHttp library can break connectivity to certain web servers! But it’s a necessary annoyance because the TLS ecosystem is dynamic and staying up to date is necessary to stay secure. See OkHttp’s TLS Configuration History to track these changes.
