Unable to connect to Android if disable SSLv2 / SSLv3 on HTTPS server

Question

Unable to connect to Android if disable SSLv2 / SSLv3 on HTTPS server

On an Android app (Kitkat 4.4.4 on a Nexus 7) I am using the Retrofit REST library to access an HTTPS server, which I have configured to only allow TLS but not SSL (to fix the Poodle vulnerability).

My setup code for my customization is simple

RetrofitInterface retrofitInterface = new RestAdapter.Builder()
    .setEndpoint(API.API_URL).build().create(RetrofitInterface.class);

and I am no longer setting up SSL specific configuration.

If I deny SSLv2 / SSLv3 in the server configuration, the REST resource request fails with this error message:

failure retrofit.RetrofitError: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0x69978800: Failure in SSL library, usually a protocol error
    error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure (external/openssl/ssl/s3_pkt.c:1256 0x683cddf8:0x00000003)

When I configure my HTTPS server to allow SSLv2 / SSLv3 the problem goes away.

Is there any additional configuration needed to force the HTTP HTTP library to use TLS instead of SSL?

+3

java android ssl https retrofit

mjn 13 nov. 14 at 20:02

source to share

1 answer

mjn · Accepted Answer · 2014-11-17T15:36:05+0000

I found a solution to use the OkHttp client provided by the Retrofit developers.

So, I think the default HTTP client used in Retrofit has problems with SSL / TLS handshakes.

Unable to connect to Android if disable SSLv2 / SSLv3 on HTTPS server

More articles: