OkHttp Android not connecting to nginx via HTTP/2 ALPN
I have an Android application (4.4.4+) that uses the following libraries:

    compile 'com.squareup.okhttp3:okhttp:3.2.0'
    compile 'com.squareup.okhttp3:okhttp-urlconnection:3.2.0'
    compile 'com.squareup.okio:okio:1.7.0'

I have nginx (version 1.9.14) compiled with OpenSSL (version 1.0.2g, compiled from source); usage of OpenSSL was confirmed with nginx -v on CentOS 7. Configuration of nginx with HTTP/2 enabled as a reverse proxy:

    server {
        listen 443 ssl http2;
        ssl on;
        server_name mobile.site.com;
        ssl_certificate /etc/pki/tls/certs/start_cert.pem;
        ssl_certificate_key /etc/pki/tls/certs/start_cert.key;
        proxy_cache one;
        underscores_in_headers on;
        access_log /var/log/nginx/ssl.log ssl_custom;

        location / {
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-forwarded-for $remote_addr;
            proxy_set_header host $host;
            proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
            proxy_pass https://10.10.1.31:443;
        }
    }

Running this command on the server:
echo | openssl s_client -alpn h2 -connect
returns:

    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3718 bytes and written 442 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    ALPN protocol: h2

Browsing the API URL with a modern browser results in an HTTP/2 connection, showing in the SSL logs and the HTTP/2 Chrome add-in. I am assuming HTTP/2 is configured correctly in nginx / OpenSSL.

The Android OkHttp clients refuse HTTP/2:

    // Restrict the connection to TLS 1.2 on top of OkHttp's MODERN_TLS spec.
    ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
            .tlsVersions(TlsVersion.TLS_1_2)
            .build();

    // TLSSocketFactory is the custom socket factory described below.
    okHttpClient = new OkHttpClient.Builder()
            .followSslRedirects(true)
            .protocols(Arrays.asList(Protocol.HTTP_2, Protocol.HTTP_1_1))
            .connectionSpecs(Collections.singletonList(spec))
            .sslSocketFactory(new TLSSocketFactory((SSLSocketFactory) TLSSocketFactory.getDefault()))
            .retryOnConnectionFailure(true)
            .connectTimeout(25, TimeUnit.SECONDS)
            .connectionPool(new ConnectionPool(30, 120, TimeUnit.SECONDS))
            .addInterceptor(new AddCookiesInterceptor())
            .addInterceptor(new ReceivedCookiesInterceptor())
            .build();

I have written a custom TLS socket factory to enable usage of TLS 1.2 on <= Android 4.4.4.

TLSv1.2 does work on 4.4.4+ with the custom socket factory. I have tried running on 5.0+, and without the custom socket factory, with no HTTP/2 luck.

HTTP/2 fails on KitKat, Lollipop and Marshmallow, but works on the "N" developer preview (a.k.a. New York Cheesecake). No errors are thrown; it only ever connects as HTTP/1.1. I am having trouble finding articles that relate to OkHttp and HTTP/2. There are questions / posts that use ALPN, but no resources that elaborate on its usage. The OkHttp documentation is not clear on HTTP/2 usage and deployment practices, but the main page says it supports it. Any help or expert guidance would be appreciated; even a nudge in the right direction would be a huge help. Please let me know if I have missed anything that may help in the process. Thanks in advance!

Update 1: I found one of the questions that relates to this, but with a vague answer: [SO link] How to use HTTP/2 with OkHttp on Android devices? A comment makes a suggestion to use Jetty, but that is in regards to desktop usage, not Android usage.

Update 2: This article shows ALPN is enabled for Android 4.4: https://github.com/http2/http2-spec/wiki/alpn-status

Update 3: I was able to connect with HTTP/2 using 5.0+, but not 4.4.4. I don't need to go lower than 4.4.4; the in-house target devices are the concern for HTTP/2, and they run 4.4.4. I was able to update the app to use the Google Play Services security protocol for the OkHttp socket connection, but the 4.4.4 devices we are using are not Google enabled, so I can't use the Play Services security sockets on these.

According to swankjesse,

Next steps: Don't use ALPN on Android 4.4 and earlier; it's broken there. Restore NPN on versions of Android where it is stable.
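
An added example (not code from the question or from the OkHttp project): because the fallback to HTTP/1.1 described above raises no error, this helper stops offering h2 below API 21 and logs every connection where h2 was offered but a different protocol was negotiated. The names `Http2Policy`, `ProtocolAudit` and the log tag are hypothetical; the API 21 cut-off is an assumption taken from the poster's report that HTTP/2 works on 5.0+ but not on 4.4.4.

```java
import android.os.Build;
import android.util.Log;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Protocol;
import okhttp3.Response;

// Hypothetical helper: gate HTTP/2 by API level and audit what was actually negotiated.
public final class Http2Policy {
    private static final String TAG = "Http2Policy"; // hypothetical log tag

    // Offer h2 only on API 21+ (assumed cut-off); 4.4.x and earlier get HTTP/1.1 only.
    public static List<Protocol> protocolsFor(int sdkInt) {
        if (sdkInt >= Build.VERSION_CODES.LOLLIPOP) {
            return Arrays.asList(Protocol.HTTP_2, Protocol.HTTP_1_1);
        }
        return Collections.singletonList(Protocol.HTTP_1_1);
    }

    // Network interceptor: runs once per network exchange, after the TLS handshake.
    static final class ProtocolAudit implements Interceptor {
        private final List<Protocol> offered;
        ProtocolAudit(List<Protocol> offered) {
            this.offered = offered;
        }

        @Override
        public Response intercept(Chain chain) throws IOException {
            Response response = chain.proceed(chain.request());
            Protocol negotiated = response.protocol();
            // A silent downgrade is invisible to the caller, so surface it in the log.
            if (offered.contains(Protocol.HTTP_2) && negotiated != Protocol.HTTP_2) {
                Log.w(TAG, "h2 offered but " + negotiated + " negotiated for "
                        + chain.request().url().host());
            }
            return response;
        }
    }

    public static OkHttpClient newClient() {
        List<Protocol> offered = protocolsFor(Build.VERSION.SDK_INT);
        return new OkHttpClient.Builder()
                .protocols(offered)
                .addNetworkInterceptor(new ProtocolAudit(offered))
                .build();
    }
}
```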