How to override the cipherlist sent to the server by Android when using HttpsURLConnection?

既然无缘 2020-11-30 06:19

During TLS negotiation, clients send a list of supported ciphers to the server, the server picks one, and encryption starts. I want to change this cipherlist sent to the ser

3 answers
  •  伪装坚强ぢ
    2020-11-30 06:35

    This code worked wonders for an unexpected javax.net.ssl.SSLHandshakeException.

    Upgrading to jdk1.8.0_92 and Oracle JCE unlimited strength policy files did not help, and I was unsuccessful trying to apply specific SSLParameters to the HttpsURLConnection.

    In particular, attempting to use HttpsURLConnection to read https://www.adrbnymellon.com results in the following error:

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

    This website worked OK prior to about 4/15/2016, and then started failing. I believe the failure is caused by the website discontinuing support for SSLv2Hello and SSLv3 due to the DROWN vulnerability. See this for a great analysis.

    Access to the website started working by modifying the code with changes to just 2 constants:

    private static final String PREFERRED_CIPHER_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
    SSLContext context = SSLContext.getInstance("TLSv1.2");
    

    I hope this helps someone else.
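
The approach this answer refers to (a TLSv1.2 context plus a preferred cipher suite), as an added example that is not the answerer's code or part of the original page: a delegating SSLSocketFactory that narrows the protocols and cipher suites each socket enables, and therefore what the ClientHello offers. The class name RestrictedSuiteFactory, the helper open(), and the second suite in the list are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.*;
import java.util.*;
import javax.net.ssl.*;

// Added example: wraps the stock factory and restricts every socket it hands out.
public class RestrictedSuiteFactory extends SSLSocketFactory {
    private static final String[] PROTOCOLS = {"TLSv1.2"};
    // Preferred suite from the answer above, plus one constructed fallback.
    private static final List<String> WANTED = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
    private final SSLSocketFactory delegate;
    private final String[] suites;

    public RestrictedSuiteFactory() throws Exception {
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(null, null, null); // default key managers, trust managers, RNG
        delegate = context.getSocketFactory();
        // Keep only the wanted suites this platform supports, in list order.
        List<String> usable = new ArrayList<>(WANTED);
        usable.retainAll(Arrays.asList(delegate.getSupportedCipherSuites()));
        if (usable.isEmpty()) throw new IllegalStateException("no wanted cipher suite is supported");
        suites = usable.toArray(new String[0]);
    }

    private Socket restrict(Socket s) {
        if (s instanceof SSLSocket) {
            ((SSLSocket) s).setEnabledProtocols(PROTOCOLS);
            ((SSLSocket) s).setEnabledCipherSuites(suites);
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return suites.clone(); }
    @Override public String[] getSupportedCipherSuites() { return suites.clone(); }
    @Override public Socket createSocket() throws IOException { return restrict(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean c) throws IOException { return restrict(delegate.createSocket(s, h, p, c)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return restrict(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return restrict(delegate.createSocket(h, p, l, lp)); }

    // Applies the factory to one connection only, leaving the process-wide default untouched.
    public static HttpsURLConnection open(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(new RestrictedSuiteFactory());
        return conn;
    }
}
```

Certificate and hostname verification stay at the platform defaults because the context is initialised with null trust managers; only the offered protocol and suite list change.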
