OkHttp SSLHandshakeException SSL handshake aborted Failure in SSL library, a protocol error

Question

04-23 17:17:38.434 21599-21956/ D/NativeCrypto: ssl=0x0 NativeCrypto_SSL_interrupt
04-23 17:17:38.435 21599-21956/ D/OkHttp: <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x635d8808: Failure in SSL library, usually a protocol error
    error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x5e6c46fd:0x00000000)

Android lower version devices (4.1 - 4.4) gives SSL error. Previously was working fine with following versions :

implementation 'com.squareup.okhttp3:okhttp:3.9.1'
implementation 'com.squareup.okhttp3:okhttp-urlconnection:3.9.1'
implementation 'com.squareup.okhttp3:logging-interceptor:3.9.1'

implementation 'com.squareup.retrofit2:retrofit:2.3.0'
implementation 'com.squareup.retrofit2:converter-jackson:2.3.0'
implementation 'com.squareup.retrofit2:adapter-rxjava:2.3.0'

But after upgrading these libraries things change. Every service call gives SSL handshake exception.

implementation 'com.squareup.okhttp3:okhttp:3.10.0'
implementation 'com.squareup.okhttp3:okhttp-urlconnection:3.10.0'
implementation 'com.squareup.okhttp3:logging-interceptor:3.10.0'

implementation 'com.squareup.retrofit2:retrofit:2.4.0'
implementation 'com.squareup.retrofit2:converter-jackson:2.4.0'
implementation 'com.squareup.retrofit2:adapter-rxjava:2.4.0'

Also if i downgrade these libraries to previous version it still doesnt work. But git checkout to the previous commit works fine. Clueless.

@Lucifer i think i didn't. Which certificate are you referring to ? — Ankur, Apr 23 '18 at 12:01
you are using SSL, so there should a security certificate at server side. — Lucifer, Apr 23 '18 at 12:03
Server is not even getting called. The services are getting blocked on android side — Ankur, Apr 23 '18 at 12:03
No i am not. if i checkout to the commit previous to the version upgrade, it works fine. — Ankur, Apr 23 '18 at 12:10
Have edited the solution in my question. Thanks anyways. Have added reference. It happened because OKHTTP3 removed some protocols in the upgraded library. Will have to add it by explicitely. — Ankur, Apr 23 '18 at 12:23
You should add it as answer rather than updating your question. This way it will help future visiters. — Lucifer, Apr 23 '18 at 12:28
@Robert Updated whatever error i got in stacktrace in the question — Ankur, Apr 23 '18 at 12:43
The client seems to send an SSLv3 request which is not accepted by the server. Modern server only accept TLSv1.x requests. SSLv3 is dead. — Robert, Apr 23 '18 at 12:58

score 18 · Accepted Answer · edited Apr 23 '18 at 12:46

18

So I solved it by adding the following to my http client object

 ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
            .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_1, TlsVersion.TLS_1_0)
            .cipherSuites(
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
            .build();

httpClient.connectionSpecs(Collections.singletonList(spec))

reference : https://github.com/square/okhttp/issues/3894

edited Apr 23 '18 at 12:46

Lucifer

29,392
25
90
143

answered Apr 23 '18 at 12:45

Ankur

677
1
7
21

1

but how to use that solution with certificate pinning – Hoby Aug 27 '18 at 10:08
I am having the "CLEARTEXT communication not enabled for client", but already have the solution for it on newer android versions. – JoaoGalli Apr 17 '19 at 11:17
3

To know which TLS versions and Cipher suites are supported by your server, first analyse by any SSL Analyzer (i.e. https://sslanalyzer.comodoca.com) then update your ConnectionSpec code accordingly. – Shekh Akther Jul 16 '19 at 08:54
1

I have this problem on AppGlideModule that can not download images with this error: javax.net.ssl.SSLHandshakeException: Handshake failed – Mahdi Feb 27 '20 at 08:42

Stephen Talley · Answer 2 · 2020-01-22T19:43:43.560

I ran into this issue when upgrading to OkHttp 4.x. Rather than having to keep track of all known TLS versions and all known ciphers as Anker recommends, use OkHttp's allEnabledTlsVersions and allEnabledCipherSuites methods:

val builder = OkHttpClient.Builder()
…
// The default OkHttp configuration does not support older versions of TLS,
// or all cipher suites.  Make our support as reasonably broad as possible.
builder.connectionSpecs(listOf(ConnectionSpec.CLEARTEXT,
    ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
        .allEnabledTlsVersions()
        .allEnabledCipherSuites()
        .build()))
…
val okHttpClient = builder.build()

These lists will stay current as long as you upgrade OkHttp regularly. From the ConnectionSpec API doc:

Use Builder.allEnabledTlsVersions and Builder.allEnabledCipherSuites to defer all feature selection to the underlying SSL socket.

The configuration of each spec changes with each OkHttp release. This is annoying: upgrading your OkHttp library can break connectivity to certain web servers! But it’s a necessary annoyance because the TLS ecosystem is dynamic and staying up to date is necessary to stay secure. See OkHttp’s TLS Configuration History to track these changes.

OkHttp SSLHandshakeException SSL handshake aborted Failure in SSL library, a protocol error

2 Answers2

Linked