SSL does not work on Android 2.2 (only in 2.3)

Posted on 2025-01-05 23:20:15 · 2127 characters · 0 views · 0 comments

I'm getting this on LogCat when httpsURLConnection.getInputStream() is called

SSL handshake failure: Failure in SSL library, usually a protocol
error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate (external/openssl/ssl/s3_pkt.c:1127 0x29eb40:0x00000003)

I have tested it on Android 2.3 and it works nicely.

My server requires client authentication! Maybe FROYO does not support this kind of handshake... I don't know...

I tried using httpclient as well. Fail in every case...

private void process() throws Exception {

    char[] pass = "clientpass".toCharArray();

    InputStream ksStream = getAssets().open("clientKeyStore.bks");
    KeyStore keyStore = KeyStore.getInstance("BKS");
    keyStore.load(ksStream, pass);
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keyStore, pass);
    ksStream.close();

    // Trust manager whose checks are empty: any server certificate is accepted.
    X509TrustManager[] tm = new X509TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    } };

    SSLContext context = SSLContext.getInstance("TLS");
    context.init(kmf.getKeyManagers(), tm, null);
    HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
    // Hostname verifier that returns true for every host: no hostname check is done.
    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    });

    URL url = new URL("https://192.168.2.101:8443/RestTomcat/resources/veiculos/KKK1234");
    HttpsURLConnection httpsURLConnection = (HttpsURLConnection) url.openConnection();
    BufferedReader br = new BufferedReader(new InputStreamReader(httpsURLConnection.getInputStream()));
    StringBuilder sb = new StringBuilder();
    String line = null;
    while ((line = br.readLine()) != null)
        sb.append(line + "\n");
    br.close();

    Log.e("OUTPUT", sb.toString());
    httpsURLConnection.disconnect();
}


Comments (2)

沒落の蓅哖 2025-01-12 23:20:15

Make sure the date, time and timezone settings are correct on the 2.2 device.

§普罗旺斯的薰衣草 2025-01-12 23:20:15

I am not sure if you have found the answer, but this seems to be a bug with Android 2.2 not having to analyze the full certificate chain. If your .p12 cert has multiple chains, Android 2.2 doesn't seem to follow the entire chain.

I had the same problem, which I asked about in this SO question. I asked our administrator to generate a new client certificate that is directly issued by the Root CA without having the Sub CA, and afterwards 2.2 will work. It does bring the question of security of having a client certificate without a Sub CA as intermediary, though.

UPDATE:
The Android team confirmed that this is an issue in 2.1/2.2. The details are in the following issue tracker
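
A way to check the condition the second answer describes, as an added example that is not part of the original thread: a desktop Java program that lists the certificate chain stored with each private key in the client keystore, so you can see whether the client certificate was issued through a sub CA. The class name and command-line arguments are assumptions; PKCS12 and JKS load on a stock JVM, while BKS needs the Bouncy Castle provider installed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): inspect the client keystore's chains.
public class ClientChainCheck {

    // Self-signed: subject equals issuer and the certificate verifies under its own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    // Count the CA certificates above the leaf that are not a self-signed root.
    static int countIntermediates(Certificate[] chain) {
        int n = 0;
        for (int i = 1; i < chain.length; i++)
            if (!isSelfSigned((X509Certificate) chain[i])) n++;
        return n;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ClientChainCheck <keystore> <PKCS12|JKS> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias); // null unless a key entry with a chain
            if (chain == null || chain.length == 0) continue;
            System.out.println(alias + ": " + chain.length + " certificate(s) in chain");
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal().getName());
                System.out.println("  issuer =" + x.getIssuerX500Principal().getName());
            }
            int mid = countIntermediates(chain);
            boolean leafOnly = chain.length == 1 && !isSelfSigned((X509Certificate) chain[0]);
            System.out.println(leafOnly ? "  issuer certificate is not stored in this keystore"
                    : "  intermediate CAs between leaf and root: " + mid);
        }
    }
}
```

A non-zero intermediate count is the multi-level chain case the answer reports as failing on Android 2.2; zero matches the reissued certificate signed directly by the root CA.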
