albilaga

Reputation: 439

SSLHandshakeException on Android 4.4 and lower

I have a problem when I want to connect to the PayPal REST API with the POST method. When I am not using ModernHttpClient, I get the error

The authentication or decryption has failed. 

But when I am using ModernHttpClient, it works on Android API 23 (Marshmallow), and when I test on Android API 19 (device) and Android API 16 (emulator) I get the error

ex {Javax.Net.Ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=…} Javax.Net.Ssl.SSLHandshakeException

According to ssl handshake exception android, I need to use a custom socket factory. But how can I implement it in HttpClient or ModernHttpClient?

Upvotes: 16

Views: 9413

Answers (5)

nima hakimelahi

Reputation: 1

If you use the Picasso library, update it to the latest version. The latest version now is: implementation 'com.squareup.picasso:picasso:2.71828'. That's it.

Upvotes: 0

mani

Reputation: 799

This was due to a few reasons:

  1. There is a lack of clarity surrounding TLS 1.2 support on older Android devices.
  2. Device manufacturers have differing commitments to the official Android specs for shipping TLS 1.2 on their devices.
  3. Carriers and device manufacturers have differing commitments to providing software and security updates to their customers.

You can force TLS v1.2 for Android 4.0 devices that don't have it enabled by default.

To fix it, use the following code as an async call.

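    // Needs: android.content.Intent, com.google.android.gms.security.ProviderInstaller,
    //        javax.net.ssl.SSLContext
    ProviderInstaller.installIfNeededAsync(getApplicationContext(),
            new ProviderInstaller.ProviderInstallListener() {
        @Override
        public void onProviderInstalled() {
            // The updated security provider is installed; request a TLS 1.2 context.
            try {
                SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
                sslContext.init(null, null, null); // default key managers, trust managers and RNG
                sslContext.createSSLEngine();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        @Override
        public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
            // Installation failed; this snippet does not handle it.
        }
    });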

For more info, see this reference:

https://ankushg.com/posts/tls-1.2-on-android/

Upvotes: 3

stephane k.

Reputation: 1788

You can use the ProviderInstaller from Google Play Services; it replaces the system SSL provider with a more recent one provided by Google:

https://developer.android.com/training/articles/security-gms-provider.html

I initialize it in the onCreate() of my application and that error is gone. I am sure you can do that from Xamarin somehow.

Upvotes: 1

Nitin Jain

Reputation: 1344

Basically, this issue comes up when SSL on the server side has a broken chain; the server needs to include the complete chain and include the intermediate root chain.

For more info, please refer to this link.

https://developer.android.com/training/articles/security-ssl.html

Upvotes: 0

Florian Haider

Reputation: 1912

Not sure if I can fully answer your question, but I'll give it a try:

If you analyze the PayPal REST API endpoint, for example with SSL Labs like so https://www.ssllabs.com/ssltest/analyze.html?d=api.sandbox.paypal.com&hideResults=on, you see they only support the TLS 1.2 protocol.

Now, Android has supported this since API Level 16, as you can see here https://developer.android.com/reference/javax/net/ssl/SSLSocket.html, but it is disabled by default, and they only enabled it in API Levels 20+.

In the Xamarin forums someone posted a solution for enabling TLS 1.2 for Android with API Levels 16 to 19 by forking ModernHttpClient and adding an improved SSL socket factory: https://forums.xamarin.com/discussion/63005/modernhttpclient-tls-1-2-android-api-19

This should fix your issue with those Android versions, but it will not help you with versions before Android 4.1.

Upvotes: 9
