Android 5.0以下Glide加载https图片问题

glide加载https图片：https://futurestud.io/tutorials/glide-module-example-accepting-self-signed-https-certificates#0

OkHttp在4.4及以下不支持TLS协议的解决方法:

http://www.cnblogs.com/daquexian/p/5883585.html

在做超理论坛app的过程中，遇到许多用户反馈在他们的手机上客户端不能访问网络，我问了他们的手机型号和Android系统版本，全部是5.0以下的，之后我自己运行API19（4.4）的Android模拟器，也遇到了同样的错误。

错误信息如下：

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x79f145b0: Failure in SSL library, usually a protocol error

error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

因为之前没有太多接触过网络协议，这个问题也确实很难搜到，所以我找了很久，才找到了原因：Android 4.4及以下的系统默认不支持TLS协议，所以遇到使用TLS协议的网站就无法访问了。

解决方法如下：创建一个SSLSocketFactoryCompat.java文件，内容如下：

import java.io.IOException;

import java.net.InetAddress;

import java.net.Socket;

import java.net.UnknownHostException;

import java.security.GeneralSecurityException;

import java.util.Arrays;

import java.util.HashSet;

import java.util.LinkedList;

import java.util.List;

import javax.net.ssl.SSLContext;

import javax.net.ssl.SSLSocket;

import javax.net.ssl.SSLSocketFactory;

import javax.net.ssl.X509TrustManager;

public class SSLSocketFactoryCompat extends SSLSocketFactory {

private SSLSocketFactory defaultFactory;

// Android 5.0+ (API level21) provides reasonable default settings

// but it still allows SSLv3

// https://developer.android.com/about/versions/android-5.0-changes.html#ssl

static String protocols[] = null, cipherSuites[] = null;

static {

try {

SSLSocket socket = (SSLSocket)SSLSocketFactory.getDefault().createSocket();

if (socket != null) {

/* set reasonable protocol versions */

// - enable all supported protocols (enables TLSv1.1 and TLSv1.2 on Android <5.0)

// - remove all SSL versions (especially SSLv3) because they're insecure now

List protocols = new LinkedList<>();

for (String protocol : socket.getSupportedProtocols())

if (!protocol.toUpperCase().contains("SSL"))

protocols.add(protocol);

SSLSocketFactoryCompat.protocols = protocols.toArray(new String[protocols.size()]);

/* set up reasonable cipher suites */

if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {

// choose known secure cipher suites

List allowedCiphers = Arrays.asList(

// TLS 1.2

"TLS_RSA_WITH_AES_256_GCM_SHA384",

"TLS_RSA_WITH_AES_128_GCM_SHA256",

"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",

"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",

"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",

"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

"TLS_ECHDE_RSA_WITH_AES_128_GCM_SHA256",

// maximum interoperability

"TLS_RSA_WITH_3DES_EDE_CBC_SHA",

"TLS_RSA_WITH_AES_128_CBC_SHA",

// additionally

"TLS_RSA_WITH_AES_256_CBC_SHA",

"TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",

"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",

"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",

"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");

List availableCiphers = Arrays.asList(socket.getSupportedCipherSuites());

// take all allowed ciphers that are available and put them into preferredCiphers

HashSet preferredCiphers = new HashSet<>(allowedCiphers);

preferredCiphers.retainAll(availableCiphers);

/* For maximum security, preferredCiphers should *replace* enabled ciphers (thus disabling

* ciphers which are enabled by default, but have become unsecure), but I guess for

* the security level of DAVdroid and maximum compatibility, disabling of insecure

* ciphers should be a server-side task */

// add preferred ciphers to enabled ciphers

HashSet enabledCiphers = preferredCiphers;

enabledCiphers.addAll(new HashSet<>(Arrays.asList(socket.getEnabledCipherSuites())));

SSLSocketFactoryCompat.cipherSuites = enabledCiphers.toArray(new String[enabledCiphers.size()]);

}

}

} catch (IOException e) {

throw new RuntimeException(e);

}

}

public SSLSocketFactoryCompat(X509TrustManager tm) {

try {

SSLContext sslContext = SSLContext.getInstance("TLS");

sslContext.init(null, (tm != null) ? new X509TrustManager[] { tm } : null, null);

defaultFactory = sslContext.getSocketFactory();

} catch (GeneralSecurityException e) {

throw new AssertionError(); // The system has no TLS. Just give up.

}

}

private void upgradeTLS(SSLSocket ssl) {

// Android 5.0+ (API level21) provides reasonable default settings

// but it still allows SSLv3

// https://developer.android.com/about/versions/android-5.0-changes.html#ssl

if (protocols != null) {

ssl.setEnabledProtocols(protocols);

}

if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP && cipherSuites != null) {

ssl.setEnabledCipherSuites(cipherSuites);

}

}

@Override

public String[] getDefaultCipherSuites() {

return cipherSuites;

}

@Override

public String[] getSupportedCipherSuites() {

return cipherSuites;

}

@Override

public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {

Socket ssl = defaultFactory.createSocket(s, host, port, autoClose);

if (ssl instanceof SSLSocket)

upgradeTLS((SSLSocket)ssl);

return ssl;

}

@Override

public Socket createSocket(String host, int port) throws IOException, UnknownHostException {

Socket ssl = defaultFactory.createSocket(host, port);

if (ssl instanceof SSLSocket)

upgradeTLS((SSLSocket)ssl);

return ssl;

}

@Override

public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {

Socket ssl = defaultFactory.createSocket(host, port, localHost, localPort);

if (ssl instanceof SSLSocket)

upgradeTLS((SSLSocket)ssl);

return ssl;

}

@Override

public Socket createSocket(InetAddress host, int port) throws IOException {

Socket ssl = defaultFactory.createSocket(host, port);

if (ssl instanceof SSLSocket)

upgradeTLS((SSLSocket)ssl);

return ssl;

}

@Override

public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {

Socket ssl = defaultFactory.createSocket(address, port, localAddress, localPort);

if (ssl instanceof SSLSocket)

upgradeTLS((SSLSocket)ssl);

return ssl;

}

}

在创建OkHttpClient的时候，添加这个SSLSocketFactory（我用单例模式来每次获取同一个全局的OkHttpClient，每个人的实现不一定一样，从我的代码里参考问题的解决方法就好）：

public synchronized static OkHttpClient getClient(){

if (okHttpClient == null) {

OkHttpClient.Builder builder = new OkHttpClient.Builder();

try {

// 自定义一个信任所有证书的TrustManager，添加SSLSocketFactory的时候要用到

final X509TrustManager trustAllCert =

new X509TrustManager() {

@Override

public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {

}

@Override

public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {

}

@Override

public java.security.cert.X509Certificate[] getAcceptedIssuers() {

return new java.security.cert.X509Certificate[]{};

}

};

final SSLSocketFactory sslSocketFactory = new SSLSocketFactoryCompat(trustAllCert);

builder.sslSocketFactory(sslSocketFactory, trustAllCert);

} catch (Exception e) {

throw new RuntimeException(e);

}

okHttpClient = builder.build();

}

return okHttpClient;

}