草庐IT

Android SSL - 无对等证书

coder 2023-06-09 原文

每当此代码运行时,我都会收到“无对等证书”错误。

SSL 证书有效,从 Namecheap (PositiveSSL) 购买。它前面有 CA crt,可以在 Android 浏览器中正常打开。

HTTP 服务器:nginx

代码:

public void postData() {

// Add your data
List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);

nameValuePairs.add(new BasicNameValuePair("string", "myfirststring"));

try {

   HttpPost post = new HttpPost(new URI("https://example.com/submit"));
    post.setEntity(new UrlEncodedFormEntity(nameValuePairs));

    KeyStore trusted = KeyStore.getInstance("BKS");
    trusted.load(null, "".toCharArray());
    SSLSocketFactory sslf = new SSLSocketFactory(trusted);
    sslf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

    SchemeRegistry schemeRegistry = new SchemeRegistry();
    schemeRegistry.register(new Scheme ("https", sslf, 443));
    SingleClientConnManager cm = new SingleClientConnManager(post.getParams(),
            schemeRegistry);

    HttpClient client = new DefaultHttpClient(cm, post.getParams());

    // Execute HTTP Post Request
    @SuppressWarnings("unused")
    HttpResponse result = client.execute(post);

} catch (ClientProtocolException e) {
    // TODO Auto-generated catch block
    Log.e(TAG,e.getMessage());
    Log.e(TAG,e.toString());
    e.printStackTrace();
} catch (IOException e) {
    // TODO Auto-generated catch block
    Log.e(TAG,e.getMessage());
    Log.e(TAG,e.toString());
    e.printStackTrace();
} catch (URISyntaxException e) {
        // TODO Auto-generated catch block
    Log.e(TAG,e.getMessage());
    Log.e(TAG,e.toString());
    e.printStackTrace();
    } catch (KeyStoreException e) {
        // TODO Auto-generated catch block
        Log.e(TAG,e.getMessage());
        Log.e(TAG,e.toString());
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        // TODO Auto-generated catch block
        Log.e(TAG,e.getMessage());
        Log.e(TAG,e.toString());
        e.printStackTrace();
    } catch (CertificateException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
        Log.e(TAG,e.toString());
        Log.e(TAG,e.getMessage());
    } catch (KeyManagementException e) {
        // TODO Auto-generated catch block
        Log.e(TAG,e.getMessage());
        Log.e(TAG,e.toString());
        e.printStackTrace();
    } catch (UnrecoverableKeyException e) {
        // TODO Auto-generated catch block
        Log.e(TAG,e.getMessage());
        Log.e(TAG,e.toString());
        e.printStackTrace();
    }
}

adb logcat:

01-10 15:44:34.872: E/myfirstapp(572): No peer certificate
01-10 15:44:34.872: E/myfirstapp(572): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
01-10 15:44:34.883: W/System.err(572): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
01-10 15:44:34.883: W/System.err(572):  at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
01-10 15:44:34.883: W/System.err(572):  at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
01-10 15:44:34.908: W/System.err(572):  at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
01-10 15:44:34.908: W/System.err(572):  at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
01-10 15:44:34.908: W/System.err(572):  at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
01-10 15:44:34.914: W/System.err(572):  at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
01-10 15:44:34.914: W/System.err(572):  at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
01-10 15:44:34.914: W/System.err(572):  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
01-10 15:44:34.914: W/System.err(572):  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
01-10 15:44:34.914: W/System.err(572):  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
01-10 15:44:34.933: W/System.err(572):  at com.giggsey.myfirstapp.myfirstappIntent.postData(myfirstappIntent.java:126)
01-10 15:44:34.933: W/System.err(572):  at com.giggsey.myfirstapp.myfirstappIntent.onReceive(myfirstappIntent.java:77)
01-10 15:44:34.933: W/System.err(572):  at android.app.ActivityThread.handleReceiver(ActivityThread.java:2118)
01-10 15:44:34.945: W/System.err(572):  at android.app.ActivityThread.access$1500(ActivityThread.java:122)
01-10 15:44:34.945: W/System.err(572):  at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1196)
01-10 15:44:34.952: W/System.err(572):  at android.os.Handler.dispatchMessage(Handler.java:99)
01-10 15:44:34.952: W/System.err(572):  at android.os.Looper.loop(Looper.java:137)
01-10 15:44:34.962: W/System.err(572):  at android.app.ActivityThread.main(ActivityThread.java:4340)
01-10 15:44:34.962: W/System.err(572):  at java.lang.reflect.Method.invokeNative(Native Method)
01-10 15:44:34.962: W/System.err(572):  at java.lang.reflect.Method.invoke(Method.java:511)
01-10 15:44:34.972: W/System.err(572):  at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:784)
01-10 15:44:34.972: W/System.err(572):  at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:551)
01-10 15:44:34.981: W/System.err(572):  at dalvik.system.NativeStart.main(Native Method)

最佳答案

尽管这个问题有一个公认的答案,但我认为值得回答,因为我在运行 2.3.3 的旧 Android 设备上遇到了同样的错误:

javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

在阅读了几个关于 SO 的不同相关问题后,我得出的结论是,这可能有两个(也许更多?)原因:

  • 中间证书安装不当
  • 证书链的顺序不正确

在我的情况下,证书的顺序不正确。例如,我从 this question 发布证书订单。来自用户 bdc 的富有洞察力的回答.您可以通过从终端执行以下操作来获取证书排序:

openssl s_client -connect eu.battle.net:443

(显然将 eu.battle.net 替换为您自己的服务器)。以 eu.battle.net 为例,当时的顺序是:

Certificate chain
 0 s:/C=US/ST=California/L=Irvine/O=Blizzard Entertainment, Inc./CN=*.battle.net
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 2 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

虽然它应该是:

Certificate chain
 0 s:/C=US/ST=California/L=Irvine/O=Blizzard Entertainment, Inc./CN=*.battle.net
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

规则是证书“n”在链中的颁发者应该匹配证书“n+1”的主题。

一旦我发现问题,更改服务器上的证书顺序是微不足道的,事情立即开始在 Android 2.3.3 设备上运行。我想旧的 Android 版本对证书顺序有点讨厌是件好事,但这也是一场噩梦,因为较新的 Android 版本会自动重新排序证书。该死,即使是旧的 iPhone 3GS 也无法正常使用证书。

关于Android SSL - 无对等证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/8806128/

AndroidSSLSystemjava572

有关Android SSL - 无对等证书的更多相关文章

  1. 区块链之加解密算法&数字证书 - 2

    目录一.加解密算法数字签名对称加密DES(DataEncryptionStandard)3DES(TripleDES)AES(AdvancedEncryptionStandard)RSA加密法DSA(DigitalSignatureAlgorithm)ECC(EllipticCurvesCryptography)非对称加密签名与加密过程非对称加密的应用对称加密与非对称加密的结合二.数字证书图解一.加解密算法加密简单而言就是通过一种算法将明文信息转换成密文信息,信息的的接收方能够通过密钥对密文信息进行解密获得明文信息的过程。根据加解密的密钥是否相同,算法可以分为对称加密、非对称加密、对称加密和非

  2. ruby - 如何获得带有 SSL 客户端证书的 HTTPS 请求以与 Ruby EventMachine 一起使用? - 2

    我正在尝试使用RubyEventMachine访问使用SSL证书身份验证的HTTPSWeb服务,但我没有让它工作。我编写了以下简单代码块来对其进行端到端测试:require'rubygems'require'em-http'EventMachine.rundourl='https://foobar.com/'ssl_opts={:private_key_file=>'/tmp/private.key',:cert_chain_file=>'/tmp/ca.pem',:verify_peer=>false}http=EventMachine::HttpRequest.new(url).g

  3. ruby - OpenSSL 验证来自自己 CA 的证书 - 2

    大家好,感谢您花时间阅读本文。我需要验证由我自己的CA颁发的证书,我有一个证书。我怎样才能做相当于openssl的openssl验证-CAfile在Ruby代码中?OpenSSL的RDoc在这方面不是很有帮助。我试过:require'openssl'ca=OpenSSL::X509::Certificate.new(File.read('ca-cert.pem'))lic=OpenSSL::X509::Certificate.new(File.read('cert.pem'))putslic.verify(ca)但我得到:test.rb:7:in`verify':wrongargume

  4. Ruby Gem Twitter - 证书验证失败(Twitter::Error::ClientError) - 2

    我正在尝试使用ruby​​gem'twitter',但由于未知原因我无法使用它。这是.rb代码:require'twitter'puts"Greetings,World!"puts"Checkpoint1"Twitter.configuredo|config|config.consumer_key="xxxxxxx"#removedforpostingconfig.consumer_secret="xxxxxxx"#removedforpostingconfig.oauth_token="xxxxxxx"#removedforpostingconfig.oauth_token_secr

  5. ruby - 具有 HTTPS、SSL 客户端证书和 Keep-Alive 支持的 Ruby HTTP 库? - 2

    我正在尝试用Ruby编写一个HTTPS客户端。它将使用HTTPS连接到服务器,传递身份验证token(通过单独的登录过程获得)和SSL客户端证书。我正在使用rest-client执行以下操作:client=RestClient::Resource.new(url,:ssl_client_cert=>OpenSSL::X509::Certificate.new(File.read('./certificate/client-2048.pem')),:ssl_client_key=>OpenSSL::PKey::RSA.new(File.read('./certificate/client

  6. ruby - 使用自签名证书 - 2

    我只是想了解SSL。我已经在我的本地主机上设置了一个Jetty服务器,并使用Keytool生成了我自己的证书.现在当我去https://localhost:8443/我收到无法信任此证书错误。我用keytool-export-aliaspongus-keystorekeystore-filecertfile.cer创建我认为是客户端需要向服务器进行身份验证的证书。(这是我可能大错特错的地方!)我有以下ruby代码:require'net/https'require'openssl'require'open-uri'puts'yay'ifFile.exists?('certfile.ce

  7. ruby-on-rails - 如何验证服务器SSL证书? - 2

    我是SSL概念的新手,我正在尝试使用HTTParty连接到具有x509相互身份验证的API。我得到了客户端证书、客户端key和服务器证书(都是pem文件)。我让它与客户端证书和key以及verify:false一起工作。下一步是如何验证服务器证书?HTTPParty文档链接https://github.com/jnunemaker/httparty/tree/master/docs#working-with-sslclassServiceClientincludeHTTPartyDEFAULT_HEADERS={'Content-Type'=>'application/json'}.f

  8. ruby - 如何让 ruby​​ 的 xmlrpc 客户端忽略 SSL 证书错误? - 2

    在ruby​​中使用xmlrpc/client访问XML-RPC服务时,如果服务器证书无效,它会抛出OpenSSL::SSL::SSLError。我怎样才能让它忽略这个错误并继续连接? 最佳答案 原来是这样的:xmlrpc=::XMLRPC::Client.new("foohost")xmlrpc.instance_variable_get(:@http).instance_variable_set(:@verify_mode,OpenSSL::SSL::VERIFY_NONE)这适用于ruby​​1.9.2,但显然是在探究内部结构

  9. Ruby 1.8.7 和 Net::HTTP:使用客户端证书发出 SSL GET 请求? - 2

    我正在尝试使用Net::HTTP通过SSL获取资源。这是相关的代码片段:req=Net::HTTP::Get.new(ContentURI.path)https=Net::HTTP.new(ContentURI.host,ContentURI.port)https.use_ssl=truehttps.cert=OpenSSL::X509::Certificate.new(@cert_raw)https.key=OpenSSL::PKey::RSA.new(@cert_key_raw)https.verify_mode=OpenSSL::SSL::VERIFY_PEERhttps.ca_

  10. ruby - 在 Ruby 中使用 SSLServer 验证客户端证书 - 2

    这是我用来设置服务器的代码:require'socket'require'openssl'socket=TCPServer.new('127.0.0.1',4433)ssl_context=OpenSSL::SSL::SSLContext.new()ssl_context.cert=OpenSSL::X509::Certificate.new(File.open("ssl/server/server.crt"))ssl_context.key=OpenSSL::PKey::RSA.new(File.open("ssl/server/server.key"))ca_cert=OpenSS

随机推荐