CLEARTEXT communication not supported on Retrofit
I'm trying to connect to https server on android using Retrofit. Here's my OkHttpClient
@Provides
public OkHttpClient provideContactClient(){
HttpLoggingInterceptor interceptor = new HttpLoggingInterceptor();
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
.tlsVersions(TlsVersion.TLS_1_2)
.cipherSuites(CipherSuite.TLS_RSA_WITH_DES_CBC_SHA,
CipherSuite.TLS_RSA_WITH_AES_128_GCM_SHA256,
CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
.build();
interceptor.setLevel(HttpLoggingInterceptor.Level.BODY);
SSLSocketFactory sslSocketFactory = null;
try {
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, null, null);
sslSocketFactory = sslContext.getSocketFactory();
}catch (GeneralSecurityException e){
e.printStackTrace();
}
return new OkHttpClient.Builder()
.addInterceptor(interceptor)
.connectionSpecs(Collections.singletonList(spec))
.sslSocketFactory(sslSocketFactory)
.authenticator(new Authenticator() {
@Override
public Request authenticate(Route route, Response response) throws IOException {
if(responseCount(response) >= 5){
return null;
}
String credential = Credentials.basic("user", "pass");
return response.request().newBuilder().header("Authorization", credential).build();
}
})
.build();
}
However I keep getting CLEARTEXT communication not supported:
exception
While debugging the RealConnection
class I notice route.address()
member does not have the sslSocketFactory
despite it being assigned in Bulider.
According to Network security configuration
The guidance in this section applies only to apps that target Android 8.1 (API level 27) or lower. Starting with Android 9 (API level 28), cleartext support is disabled by default.
Create file res/xml/network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">Your URL(ex: 127.0.0.1)</domain>
</domain-config>
</network-security-config>
AndroidManifest.xml
<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
<uses-permission android:name="android.permission.INTERNET" />
<application
...
android:networkSecurityConfig="@xml/network_security_config"
...>
...
</application>
</manifest>
OR you can directly set in application in manifest like this.
<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
<uses-permission android:name="android.permission.INTERNET" />
<application
...
android:usesCleartextTraffic="true"
...>
...
</application>
</manifest>
Adding only this to manifest (inside application)
android:usesCleartextTraffic="true"
works!
The CLEARTEXT message is due to requesting an http
URL, either directly or via a server-side redirect (e.g., starts with https
, then redirects to http
).
In terms of your "trust anchor for certification path not found" message, your server appears to be using some SSL certificate that is not backed by one of the standard ones on whatever Android environment you are testing on. For example, perhaps your server is using an self-signed SSL certificate.
Options include:
Using network security configuration on Android 7.0+
Using my backport of network security configuration on Android 4.2+
Setting up an
SSLContext
that knows about your self-signed certificate, then attaching that to OkHttp, such as is illustrated by this OkHttp recipe