HTTPS
OkHttp attempts to balance two competing concerns:
OkHttp試圖平衡兩個相互競爭的關(guān)注點(diǎn):
-
Connectivity to as many hosts as possible. That includes advanced hosts that run the latest versions of boringssl and less out of date hosts running older versions of OpenSSL.
連接到盡可能多的主機(jī)吝羞。這包括運(yùn)行最新版本的boringssl的高級主機(jī)始鱼,以及運(yùn)行舊版本OpenSSL的過時主機(jī)。
-
Security of the connection. This includes verification of the remote webserver with certificates and the privacy of data exchanged with strong ciphers.
連接的安全性脆贵。這包括使用證書驗(yàn)證遠(yuǎn)程web服務(wù)器医清,以及使用強(qiáng)密碼交換數(shù)據(jù)的隱私性。
When negotiating a connection to an HTTPS server, OkHttp needs to know which TLS versions and cipher suites to offer. A client that wants to maximize connectivity would include obsolete TLS versions and weak-by-design cipher suites. A strict client that wants to maximize security would be limited to only the latest TLS version and strongest cipher suites.
當(dāng)協(xié)商到HTTPS服務(wù)器的連接時卖氨,OkHttp需要知道提供哪些TLS版本和密碼套件会烙。希望最大限度地提高連通性的客戶機(jī)將包括過時的TLS版本和設(shè)計較弱的密碼套件。希望最大限度地提高安全性的嚴(yán)格客戶機(jī)將被限制在最新的TLS版本和最強(qiáng)的密碼套件中筒捺。
Specific security vs. connectivity decisions are implemented by ConnectionSpec. OkHttp includes four built-in connection specs:
特定的安全性和連接性決策由ConnectionSpec實(shí)現(xiàn)柏腻。OkHttp包含四個內(nèi)置連接規(guī)范:
-
RESTRICTED_TLSis a secure configuration, intended to meet stricter compliance requirements.restricted ted_tls是一種安全配置,旨在滿足更嚴(yán)格的遵從性需求系吭。
-
MODERN_TLSis a secure configuration that connects to modern HTTPS servers.moderni_tls是一種連接到現(xiàn)代HTTPS服務(wù)器的安全配置五嫂。
-
COMPATIBLE_TLSis a secure configuration that connects to secure–but not current–HTTPS servers.COMPATIBLE_TLS是一種安全配置,可以連接到安全的——但不是當(dāng)前的https服務(wù)器。
-
CLEARTEXTis an insecure configuration that is used forhttp://URLs.CLEARTEXT是用于http:// url的不安全配置沃缘。
These loosely follow the model set in Google Cloud Policies.
這些沒有嚴(yán)格遵循 Google Cloud Policies中的模型
By default, OkHttp will attempt a MODERN_TLS connection. However by configuring the client connectionSpecs you can allow a fall back to COMPATIBLE_TLS connection if the modern configuration fails.
默認(rèn)情況下躯枢,OkHttp將嘗試一個moderni_tls連接。然而槐臀,通過配置client connectionSpecs锄蹂,如果現(xiàn)代配置失敗,您可以允許退回到COMPATIBLE_TLS連接水慨。
OkHttpClient client = new OkHttpClient.Builder()
.connectionSpecs(Arrays.asList(ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS))
.build();
The TLS versions and cipher suites in each spec can change with each release. For example, in OkHttp 2.2 we dropped support for SSL 3.0 in response to the POODLE attack. And in OkHttp 2.3 we dropped support for RC4. As with your desktop web browser, staying up-to-date with OkHttp is the best way to stay secure.
每個規(guī)范中的TLS版本和密碼套件可以隨著每個版本的變化而變化得糜。例如,在OkHttp 2.2中晰洒,我們放棄了對SSL 3.0的支持朝抖,以應(yīng)對POODLE的攻擊。在OkHttp 2.3中谍珊,我們放棄了對RC4的支持槽棍。與桌面web瀏覽器一樣,使用最新的OkHttp是保持安全的最佳方法抬驴。
You can build your own connection spec with a custom set of TLS versions and cipher suites. For example, this configuration is limited to three highly-regarded cipher suites. Its drawback is that it requires Android 5.0+ and a similarly current webserver.
您可以使用一組定制的TLS版本和密碼套件構(gòu)建自己的連接規(guī)范炼七。例如,此配置僅限于三個高度重視的密碼套件布持。它的缺點(diǎn)是需要Android 5.0+和類似的當(dāng)前web服務(wù)器豌拙。
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.tlsVersions(TlsVersion.TLS_1_2)
.cipherSuites(
CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
.build();
OkHttpClient client = new OkHttpClient.Builder()
.connectionSpecs(Collections.singletonList(spec))
.build();
Certificate Pinning
By default, OkHttp trusts the certificate authorities of the host platform. This strategy maximizes connectivity, but it is subject to certificate authority attacks such as the 2011 DigiNotar attack. It also assumes your HTTPS servers’ certificates are signed by a certificate authority.
默認(rèn)情況下,OkHttp信任主機(jī)平臺的證書頒發(fā)機(jī)構(gòu)题暖。這種策略最大限度地提高了連接性按傅,但也會受到證書頒發(fā)機(jī)構(gòu)的攻擊,比如2011 DigiNotar attack攻擊。它還假設(shè)HTTPS服務(wù)器的證書由證書頒發(fā)機(jī)構(gòu)簽名。
Use CertificatePinner to restrict which certificates and certificate authorities are trusted. Certificate pinning increases security, but limits your server team’s abilities to update their TLS certificates. Do not use certificate pinning without the blessing of your server’s TLS administrator!
使用CertificatePinner來限制哪些證書和證書頒發(fā)機(jī)構(gòu)是受信任的肺樟。證書固定增加了安全性,但限制了服務(wù)器團(tuán)隊(duì)更新其TLS證書的能力况芒。如果沒有服務(wù)器TLS管理員的許可,不要使用證書固定!
public CertificatePinning() {
client = new OkHttpClient.Builder()
.certificatePinner(new CertificatePinner.Builder()
.add("publicobject.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
.build())
.build();
}
public void run() throws Exception {
Request request = new Request.Builder()
.url("https://publicobject.com/robots.txt")
.build();
Response response = client.newCall(request).execute();
if (!response.isSuccessful()) throw new IOException("Unexpected code " + response);
for (Certificate certificate : response.handshake().peerCertificates()) {
System.out.println(CertificatePinner.pin(certificate));
}
}
Customizing Trusted Certificates
The full code sample shows how to replace the host platform’s certificate authorities with your own set. As above, do not use custom certificates without the blessing of your server’s TLS administrator!
完整的代碼示例展示了如何用您自己的設(shè)置替換主機(jī)平臺的證書頒發(fā)機(jī)構(gòu)叶撒。如上所述绝骚,如果沒有服務(wù)器的TLS管理員的許可,請不要使用自定義證書!
private final OkHttpClient client;
public CustomTrust() {
SSLContext sslContext = sslContextForTrustedCertificates(trustedCertificatesInputStream());
client = new OkHttpClient.Builder()
.sslSocketFactory(sslContext.getSocketFactory())
.build();
}
public void run() throws Exception {
Request request = new Request.Builder()
.url("https://publicobject.com/helloworld.txt")
.build();
Response response = client.newCall(request).execute();
System.out.println(response.body().string());
}
private InputStream trustedCertificatesInputStream() {
... // Full source omitted. See sample.
}
public SSLContext sslContextForTrustedCertificates(InputStream in) {
... // Full source omitted. See sample.
}
