Why is Volley reverting to SSLV3?

I keep track of my application errors and I see the following error too many times

    javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb8f0fc28: Failure in SSL library, usually a protocol error
    error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0xaa48cd5c:0x00000000)

You can see that the error is related to SSLV3, and my server only supports TLSV1.2.

It seems that on some clients Volley refuses to use SSLV3 (for some reason) and they get an error message.

Users who receive this error are on Android 4.4.2, 4.4.4 and 4.1.1 or more.

Interestingly, I also use DefaultHttpClient in the same application, but it does not seem to report the same problem.

I use the default HurlStack in Volley

I saw the following ... Disable SSL as a protocol in HttpsURLConnection

and https://code.google.com/p/android/issues/detail?id=78187

So what are my options?

  • Is my assumption correct that Volley is reverting to SSLV3?

  • Why does Volley return to SSLV3? In other words, what was the initial failure that caused the rollback and how to resolve it?

  • I recently downloaded Volley, but I'm not sure if it is the latest version. How do I find the version that I have?

Any thoughts?

+7
android ssl android-volley sslv3
1 answer

Your server does not support SSLv3 perfectly, as it has some security issues and should not be used.

If you are using Android versions prior to KitKat, you should use a socket factory that removes SSLv3 for use as the default configuration:

    import android.content.Context;
    import android.content.pm.PackageInfo;
    import android.content.pm.PackageManager;
    import android.net.http.AndroidHttpClient;
    import android.os.Build;

    import com.android.volley.Network;
    import com.android.volley.RequestQueue;
    import com.android.volley.compat.NoSSLv3Compat;
    import com.android.volley.toolbox.BasicNetwork;
    import com.android.volley.toolbox.DiskBasedCache;
    import com.android.volley.toolbox.HttpClientStack;
    import com.android.volley.toolbox.HttpStack;
    import com.android.volley.toolbox.HurlStack;
    import com.android.volley.toolbox.Volley;

    import java.io.File;

    public class VolleyToolboxExtension extends Volley {

        /** Default on-disk cache directory. */
        private static final String DEFAULT_CACHE_DIR = "volley";

        /**
         * Creates a default instance of the worker pool and calls {@link RequestQueue#start()} on it.
         *
         * @param context A {@link Context} to use for creating the cache dir.
         * @param stack An {@link HttpStack} to use for the network, or null for default.
         * @return A started {@link RequestQueue} instance.
         */
        public static RequestQueue newRequestQueue(Context context, HttpStack stack) {
            File cacheDir = new File(context.getCacheDir(), DEFAULT_CACHE_DIR);

            String userAgent = "volley/0";
            try {
                String packageName = context.getPackageName();
                PackageInfo info = context.getPackageManager().getPackageInfo(packageName, 0);
                userAgent = packageName + "/" + info.versionCode;
            } catch (PackageManager.NameNotFoundException e) {
                // Keep the default user agent if the package cannot be resolved.
            }

            if (stack == null) {
                if (Build.VERSION.SDK_INT >= 9) {
                    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.KITKAT) {
                        // Use a socket factory that removes sslv3
                        stack = new HurlStack(null, new NoSSLv3Compat.NoSSLv3Factory());
                    } else {
                        stack = new HurlStack();
                    }
                } else {
                    // Prior to Gingerbread, HttpUrlConnection was unreliable.
                    // See: http://android-developers.blogspot.com/2011/09/androids-http-clients.html
                    stack = new HttpClientStack(AndroidHttpClient.newInstance(userAgent));
                }
            }

            Network network = new BasicNetwork(stack);

            RequestQueue queue = new RequestQueue(new DiskBasedCache(cacheDir), network);
            queue.start();

            return queue;
        }

        /**
         * Creates a default instance of the worker pool and calls {@link RequestQueue#start()} on it.
         *
         * @param context A {@link Context} to use for creating the cache dir.
         * @return A started {@link RequestQueue} instance.
         */
        public static RequestQueue newRequestQueue(Context context) {
            return newRequestQueue(context, null);
        }
    }

The NoSSLv3Compat class can be found here: https://github.com/Floens/volley/blob/master/src/com/android/volley/compat/NoSSLv3Compat.java

Use this extension to create a request queue:

    /**
     * @return The Volley Request queue, the queue will be created if it is null
     */
    public RequestQueue getRequestQueue() {
        // lazy initialize the request queue, the queue instance will be
        // created when it is accessed for the first time
        if (mRequestQueue == null) {
            // Create the request queue
            mRequestQueue = VolleyToolboxExtension.newRequestQueue(getApplicationContext());
        }
        return mRequestQueue;
    }

You can also use Retrofit instead of Volley, as Square has released version 2.1 of it, which supports configuring the TLS version:

http://square.imtqy.com/retrofit/

+2