我正在尝试在应用中进行SSL固定,并遵循https://developer.android.com/training/articles/security-ssl上的说明,并在服务器上位于https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04的服务器上使用https://coursescraper.tookmund.com/生成自己的证书
但是,当我尝试连接到服务器时,出现异常:
javax.net.ssl.SSLPeerUnverifiedException: Hostname coursescraper.tookmund.com not verified:
certificate: sha1/Uax3JSsdPAGgCg5XyWPR8mhrjRU=
DN: CN=coursescraper.tookmund.com
subjectAltNames: []
然后我按照https://developer.android.com/training/articles/security-config的指定将网络安全配置添加到我的应用程序中>
这使我可以删除所有SSLContext内容,但仍会产生完全相同的错误。
我试图关闭主机名验证程序只是为了查看发生了什么,但是在遇到相同的错误却没有在日志中看到VERIFY的情况下,所以甚至没有涉及主机名验证程序:
// TODO: FIX THIS!!! THIS IS BAD!!! connection.setDefaultHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String s, SSLSession sslSession) { Log.v("VERIFY", s); return true; } });
当我将应用程序中的证书文件切换到另一个证书时,我得到的是SSLHandshakeException:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
因此固定似乎正常,我的证书有问题。
公用名是域名,从错误中可以看出,所以我不确定自己在做什么错。
连接curl效果很好:
$ curl -v --cacert school/mobilesecCSCI420/nginx-selfsigned.crt https://coursescraper.tookmund.com
* Expire in 0 ms for 6 (transfer 0x558aada3ef50)
* Expire in 1 ms for 1 (transfer 0x558aada3ef50)
...
* Expire in 50 ms for 1 (transfer 0x558aada3ef50)
* Trying 54.165.223.53...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x558aada3ef50)
* Connected to coursescraper.tookmund.com (54.165.223.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: school/mobilesecCSCI420/nginx-selfsigned.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=coursescraper.tookmund.com
* start date: Feb 13 05:51:45 2020 GMT
* expire date: Feb 12 05:51:45 2021 GMT
* common name: coursescraper.tookmund.com (matched)
* issuer: CN=coursescraper.tookmund.com
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558aada3ef50)
> GET / HTTP/2
> Host: coursescraper.tookmund.com
> User-Agent: curl/7.64.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx/1.10.3
< date: Thu, 13 Feb 2020 16:35:28 GMT
< content-type: text/html
< content-length: 691
< last-modified: Sun, 09 Feb 2020 21:13:06 GMT
< etag: "5e4075e2-2b3"
< accept-ranges: bytes
<
<!DOCTYPE html>
<html>
...
我正在尝试在我的应用程序中进行SSL固定,并已按照https://developer.android.com/training/articles/security-ssl上的说明进行操作,并通过https:// www生成了自己的证书。 ...
我终于明白了。证书缺少DNS使用者备用名称。