retrofit + okhttp on android 4 ssl

Question

I found out that android 4 doesn't play well with ssl , when trying to contact an api with https it causes a crash

javax.net.ssl.SSLException: SSL handshake aborted: ssl=0xb8dbad20: I/O error during system call, Connection reset by peer

Here's what i tried from other similar questions:

   if (Build.VERSION.SDK_INT >= 16 && Build.VERSION.SDK_INT < 22) {
        try {
            Logger.e("under lolipop");
            SSLContext sc = SSLContext.getInstance("TLS");
            sc.init(null, new TrustManager[] { new MyTrustManager() }, new SecureRandom());
            client.sslSocketFactory(sc.getSocketFactory());
        } catch (Exception e) {
            Logger.e("HTTPS"+ e.getMessage() );
        }
    }

Which didn't effect the outcome

And

 if (Build.VERSION.SDK_INT >= 16 && Build.VERSION.SDK_INT < 22) {

        try {
            client.sslSocketFactory(new TLSSocketFactory(), (X509TrustManager)trustAllCerts[0])
                    .build();
            Logger.e("SETUP TRUST SSL");
            return client.build();
        } catch (KeyManagementException e) {
            Logger.e("SETUP TRUST SSL Failed "+e.getMessage());

            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            Logger.e("SETUP TRUST SSL Failed "+e.getMessage());

            e.printStackTrace();
        }
    }
    return client.build();

}
final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
    @Override
    public void checkClientTrusted(
            java.security.cert.X509Certificate[] chain,
            String authType) throws CertificateException {
    }

    @Override
    public void checkServerTrusted(
            java.security.cert.X509Certificate[] chain,
            String authType) throws CertificateException {
    }

    @Override
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return new java.security.cert.X509Certificate[0];
    }
} };

This code gives a different error :

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Is there anyway to fix this , I must support android 4 and also use https ,

Any help will do !

Answer 1

I ran into a similar issue on Android 4.4 some time ago when our backend dropped support for TLS 1.0 and 1.1. I solved this by installing a new security provider with Google Play Services ProviderInstaller.

In your apps gradle.build file add

implementation "com.google.android.gms:play-services-auth:16.0.1"

In your startup Activity call ProviderInstaller.installIfNeeded() as early as possible. Here is an example method that tries to install the provider:

private static void installGooglePlayServicesProvider(Context context) {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) { //Devices with Android 5.1+ should support TLS 1.x out of the box
        try {
            ProviderInstaller.installIfNeeded(context);
        } catch (GooglePlayServicesRepairableException e) {
            Log.e("ProviderInstaller", "Google Play Services is out of date!", e);
            GoogleApiAvailability.getInstance().showErrorNotification(context, e.getConnectionStatusCode());
        } catch (GooglePlayServicesNotAvailableException e) {
            Log.e("ProviderInstaller", "Google Play Services is unavailable!", e);
        }
    }
}

For more information on ProviderInstaller see Goolge developer page: Patch the security provider with ProviderInstaller

When using TLS 1.2 you might have to force enable support on some devices. Take a look at the following acticle and their Tls12SocketFactory implementation: Working with TLS 1.2 on Android 4.4 and Lower