我在使用 Android 的 WebView 加载 SSL 安全网页时遇到问题。我总是收到如下错误: onReceivedSslError: primary error: 3 certificate: Issued to: CN=intranet.<company>.de,C=DE,O=<company>,OU=<compay org unit>

我已经通过“设置”->“安全”->“从 SD 卡安装”将此服务器证书链的所有证书安装到 Android 的钥匙串(keychain)中。我什至可以看到其中一个已安装的证书与 LogCat 的错误输出完全匹配。 如果我使用默认的浏览器应用程序，它会变得更加奇怪:即使我卸载了前面提到的所有证书，它也可以毫无问题地加载页面。 我真的不知道如何在不信任所有证书的情况下通过调用 handler.proceed() 来解决这个问题。在onReceivedSslError()这是一个潜在的安全问题。 任何帮助表示赞赏。谢谢!

干杯 比约恩

编辑:根证书是自签名的，因为它仅用于内部网服务器。我认为我添加到 Android 可信凭证中的所有证书都是可信的。

最佳答案

onReceiveSslError() 和 handler.proceed() 应该在连接到具有自签名证书的服务时使用，webview 与它们不兼容。

我现在想看的是服务器端 ssl 实现。如果您有多个具有相同证书的服务，请检查是否支持 SNI 以及它是否配置良好。然后查看您连接的服务是否返回正确的证书。还要从您的服务器检查主题备用名称并根据您的需要进行配置。

对于该任务，您可以使用这些命令。

openssl s_client -showcerts -connect yourhost.com:443

openssl s_client -connect yourhost.com:443

openssl s_client -servername yourhost.com -connect yourhost.com:443

openssl s_client -connect yourhost.com:443 | openssl x509 -text

这里有一些来自 Android 文档的更多信息

Common Problems with Hostname Verification As mentioned at the beginning of this article, there are two key parts to verifying an SSL connection. The first is to verify the certificate is from a trusted source, which was the focus of the previous section. The focus of this section is the second part: making sure the server you are talking to presents the right certificate. When it doesn't, you'll typically see an error like this:

java.io.IOException: Hostname 'example.com' was not verified at libcore.net.http.HttpConnection.verifySecureSocketHostname(HttpConnection.java:223) at libcore.net.http.HttpsURLConnectionImpl$HttpsEngine.connect(HttpsURLConnectionImpl.java:446) at libcore.net.http.HttpEngine.sendSocketRequest(HttpEngine.java:290) at libcore.net.http.HttpEngine.sendRequest(HttpEngine.java:240) at libcore.net.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:282) at libcore.net.http.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:177) at libcore.net.http.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:271) One reason this can happen is due to a server configuration error. The server is configured with a certificate that does not have a subject or subject alternative name fields that match the server you are trying to reach. It is possible to have one certificate be used with many different servers. For example, looking at the google.com certificate with openssl s_client -connect google.com:443 | openssl x509 -text you can see that a subject that supports *.google.com but also subject alternative names for *.youtube.com, *.android.com, and others. The error occurs only when the server name you are connecting to isn't listed by the certificate as acceptable.

Unfortunately this can happen for another reason as well: virtual hosting. When sharing a server for more than one hostname with HTTP, the web server can tell from the HTTP/1.1 request which target hostname the client is looking for. Unfortunately this is complicated with HTTPS, because the server has to know which certificate to return before it sees the HTTP request. To address this problem, newer versions of SSL, specifically TLSv.1.0 and later, support Server Name Indication (SNI), which allows the SSL client to specify the intended hostname to the server so the proper certificate can be returned.

Fortunately, HttpsURLConnection supports SNI since Android 2.3. Unfortunately, Apache HTTP Client does not, which is one of the many reasons we discourage its use. One workaround if you need to support Android 2.2 (and older) or Apache HTTP Client is to set up an alternative virtual host on a unique port so that it's unambiguous which server certificate to return.

希望对您有所帮助。

关于android - WebView 和 SSL 证书，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/24573037/