Scenario:
Communication over SSLSocket works on Android versions below API 23, but fails on Android 6.0 with the following errors:
Android client error:
core_booster, getBoosterConfig = false
javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:396)
at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:629)
at com.android.org.conscrypt.OpenSSLSocketImpl.getOutputStream(OpenSSLSocketImpl.java:615)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x7fa0a92880: Failure in SSL library, usually a protocol error
error:100c5410:SSL routines:ssl3_read_bytes:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:972 0x7f9e04c860:0x00000001)
error:100c009f:SSL routines:ssl3_get_server_hello:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:750 0x7f92721518:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324)
Server-side error:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
at sun.security.ssl.AppInputStream.read(Unknown Source)
at sun.security.ssl.AppInputStream.read(Unknown Source)
at java.io.DataInputStream.readLine(Unknown Source)
at com.bbcvision.ssl.Server$ReceiveSocket.getHttpHeader(Server.java:209)
at com.bbcvision.ssl.Server$ReceiveSocket.run(Server.java:236)
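Cause:
The SSLSocket signature algorithm defaults to DSA. Starting with Android 6.0 (API 23), the KeyStore changed: it no longer supports DSA, though ECDSA is still supported. So check whether your SSLSocket's signature algorithm includes DSA, and if it does, replace it. If there are other causes, feel free to discuss.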
Android Keystore Changes
With this release, the Android Keystore provider no
longer supports DSA. ECDSA is still supported.
Keys which do not require encryption at rest will no
longer be deleted when secure lock screen is disabled or
reset (for example, by the user or a Device Administrator).
Keys which require encryption at rest will be deleted during these events.
The above is the change note from the official documentation.
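
One way to perform the check described under "Cause", as an added example that is not part of the original post: it lists every certificate in the server's keystore and flags DSA keys or DSA signatures. The class name and the keystore path and password arguments are assumptions, as is the server key living in a keystore file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): audits a server keystore for DSA.
// Usage, with placeholder arguments: java KeystoreDsaCheck server.jks changeit
public class KeystoreDsaCheck {

    // True if the certificate carries a DSA public key or a DSA signature
    // (e.g. SHA1withDSA). ECDSA names such as SHA256withECDSA do not match,
    // because they end in "withECDSA", not "withDSA".
    static boolean usesDsa(X509Certificate cert) {
        String keyAlg = cert.getPublicKey().getAlgorithm();
        String sigAlg = cert.getSigAlgName().toUpperCase();
        return "DSA".equalsIgnoreCase(keyAlg) || sigAlg.endsWith("WITHDSA");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeystoreDsaCheck <keystore> <password>");
            System.exit(2);
        }
        // The default type is "jks" on Java 8 and "pkcs12" on Java 9 and later.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // skip entries without an X.509 certificate
            }
            X509Certificate x = (X509Certificate) c;
            boolean dsa = usesDsa(x);
            found |= dsa;
            System.out.printf("%-20s key=%s sig=%s %s%n", alias,
                    x.getPublicKey().getAlgorithm(), x.getSigAlgName(),
                    dsa ? "<-- DSA: replace with an RSA or EC key" : "ok");
        }
        // Non-zero exit status when any DSA entry was found.
        System.exit(found ? 1 : 0);
    }
}
```

If an entry is flagged, generate a new key pair with an explicit non-DSA algorithm (for example `keytool -genkeypair -keyalg RSA` or `-keyalg EC`) and point the server's SSL context at the new keystore.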