javax.net.ssl.SSLPeerUnverifiedException: Failed to find a trusted cert that signed

I want to implement certificate pinning, but I am stuck on an SSLPeerUnverifiedException. I tried to implement the feature; by default I trust all certificates.

Here is my code.

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class PinningTest {
    public static void main(String[] args) throws IOException {
        CertificatePinner certificatePinner = new CertificatePinner.Builder()
                .add("*.percolate.com", "sha256/gd0jw5Y5beTzcXkn1mrr9b+Dri2kx2IIkML8vU5Xz04=")
                .build();
        OkHttpClient.Builder client = new OkHttpClient.Builder().certificatePinner(certificatePinner);

        try {
            // Trust manager that performs no validation: every chain is accepted as-is.
            final X509TrustManager x509TrustManager = new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) {
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) {
                }

                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[]{};
                }
            };
            final TrustManager[] trustAllCerts = new TrustManager[]{
                    x509TrustManager
            };

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustAllCerts, new SecureRandom());

            // The same trust-all manager is handed to OkHttp, and the hostname verifier accepts any name.
            client.sslSocketFactory(sslContext.getSocketFactory(), x509TrustManager)
                    .hostnameVerifier(new HostnameVerifier() {
                        @Override
                        public boolean verify(String hostname, SSLSession session) {
                            return true;
                        }
                    });
        } catch (GeneralSecurityException e) {
            e.printStackTrace();
        }
        Request request = new Request.Builder()
                .url("https://mobile-versions-api.percolate.com/api/config/")
                .build();
        final Response execute = client.build().newCall(request).execute();
    }
}

Update:

After adding the property I got verbose output, but I am still lost.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1507279555 bytes = { 153, 103, 215, 204, 115, 131, 8, 22, 109, 104, 37, 131, 131, 233, 138, 34, 63, 28, 3, 30, 54, 35, 251, 254, 95, 241, 185, 4 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=mobile-versions-api.percolate.com]
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1.2 Handshake, length = 210
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1507279555 bytes = { 19, 115, 138, 146, 56, 170, 146, 79, 4, 147, 249, 113, 32, 58, 32, 201, 238, 96, 87, 184, 97, 78, 1, 239, 107, 38, 172, 122 }
Session ID:  {104, 44, 102, 109, 174, 183, 14, 5, 250, 56, 32, 54, 108, 122, 65, 133, 124, 209, 100, 56, 243, 86, 193, 102, 120, 103, 242, 36, 219, 90, 240, 180}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 1864
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.percolate.com, OU=Ops, O="Percolate Industries, Inc.", L=New York, ST=New York, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 27401232310841133798229367871778264888123281636579263087556493451455060403259520645144584781313630991090105503198253906558563466329078722164170243267435739582081442222282097054777661956394083571911323130008480518688103543574372442709650254253434253066390644674176409954924769117481644772680166177303275929599129288661414733297270603535292347906522589286324172574835433083241554969591753284712463949161543930921995788372612260539349349380608375726629159393031898512729904510137397763415534963786907974673280474817121866827512205197365492992497240546530049440471928541689855437508889763971224310008127580760255679638381
  public exponent: 65537
  Validity: [From: Wed Feb 28 01:00:00 CET 2018,
               To: Fri Jun 26 14:00:00 CEST 2020]
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  SerialNumber: [    098195a7 788de187 8021110d 87683a26]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =

[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.percolate.com
  DNSName: percolate.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 64 49 16 AF 41 B0 38   A9 15 FF 3F A3 74 EA 6C  .dI..A.8...?.t.l
0010: E0 09 51 A0                                        ..Q.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:

]
***
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 81286215691392024658297626500297003509559688137291949974573125267328187893559
  public y coord: 55957327417096262980937642227003113979964272470252997235257545314551630655731
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 4, 89, 122, 32, 60, 110, 18, 176, 255, 160, 167, 60, 155, 112, 111, 52, 3, 74, 175, 208, 231, 82, 101, 50, 141, 93, 92, 183, 11, 6, 79, 64, 220, 247, 148, 253, 83, 153, 17, 129, 230, 23, 6, 135, 189, 39, 137, 177, 31, 124, 83, 214, 219, 71, 198, 68, 75, 160, 37, 154, 122, 236, 242, 13 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 1C 25 8A 21 86 10 8A A8   62 35 71 D7 A7 19 28 14  .%.!....b5q...(.
0010: 6E FE 19 6A CB F5 14 D3   45 D5 D6 DC E6 83 A4 E3  n..j....E.......
CONNECTION KEYGEN:
Client Nonce:
0000: 5A D7 43 C3 99 67 D7 CC   73 83 08 16 6D 68 25 83  Z.C..g..s...mh%.
0010: 83 E9 8A 22 3F 1C 03 1E   36 23 FB FE 5F F1 B9 04  ..."?...6#.._...
Server Nonce:
0000: 5A D7 43 C3 13 73 8A 92   38 AA 92 4F 04 93 F9 71  Z.C..s..8..O...q
0010: 20 3A 20 C9 EE 60 57 B8   61 4E 01 EF 6B 26 AC 7A   : ..`W.aN..k&.z
Master Secret:
0000: 7C 56 5C D8 4D 51 65 AA   6C 27 91 3C 47 B0 0F B2  .V\.MQe.l'.<G...
0010: 8A 56 CB 20 3C C9 F3 17   4D 4B DE 34 14 7F F5 13  .V. <...MK.4....
0020: C6 35 E3 E8 DC 2D DC B0   92 6A F7 AD 81 62 17 7A  .5...-...j...b.z
... no MAC keys used for this cipher
Client write key:
0000: 27 BA 3B 19 78 1C FA 94   D2 D6 93 59 02 FF 23 96  '.;.x......Y..#.
Server write key:
0000: 10 DD 0C FB 4C F2 7D 4C   F5 4C E7 99 AD C6 50 6D  ....L..L.L....Pm
Client write IV:
0000: 01 E8 75 75                                        ..uu
Server write IV:
0000: C7 A8 87 AD                                        ....
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 247, 75, 23, 155, 57, 223, 125, 250, 51, 193, 142, 238 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data:  { 248, 22, 39, 116, 98, 207, 124, 72, 147, 152, 215, 71 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: Failed to find a trusted cert that signed [
]
    at okhttp3.internal.tls.CertificateChainCleaner$BasicCertificateChainCleaner.clean(CertificateChainCleaner.java:132)
    at okhttp3.CertificatePinner.check(CertificatePinner.java:149)
    at okhttp3.internal.io.RealConnection.connectTls(RealConnection.java:252)
    at okhttp3.internal.io.RealConnection.establishProtocol(RealConnection.java:196)
    at okhttp3.internal.io.RealConnection.buildConnection(RealConnection.java:171)
    at okhttp3.internal.io.RealConnection.connect(RealConnection.java:111)
    at okhttp3.internal.http.StreamAllocation.findConnection(StreamAllocation.java:187)
    at okhttp3.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:123)
    at okhttp3.internal.http.StreamAllocation.newStream(StreamAllocation.java:93)
    at okhttp3.internal.http.HttpEngine.connect(HttpEngine.java:296)
    at okhttp3.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
    at okhttp3.RealCall.getResponse(RealCall.java:243)
    at okhttp3.RealCall$ApplicationInterceptorChain.proceed(RealCall.java:201)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:163)
    at okhttp3.RealCall.execute(RealCall.java:57)
    at com.percoalte.sdk.python.bridge.PercolateSdkPythonBridge.main(PercolateSdkPythonBridge.java:96)
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 26
main, called closeSocket(true)

Not sure why this exception is shown. Any idea why this happens?

Not a definitive answer, but too much for comments.

Right off, it is not SNI as I guessed.

Your trace shows the TLS handshake (in JSSE) completing successfully (and using SNI). The received certificate chain is not really valid, because it contains only the server certificate issued by DigiCert SHA2 Secure Server CA, which is an intermediate CA and not a root, and the intermediate aka chain certificate is not supplied; but your accept-anything TrustManager causes JSSE not to notice this.

The SSLPeerUnverifiedException then occurs in CertificatePinner. The only source I can find is https://github.com/square/okhttp/tree/master/okhttp/src/main/java/okhttp3, and although it has the exception message in .internal.tls.BasicCertificateChainCleaner.clean, that class stands alone and is not nested inside CertificateChainCleaner. Also, it is only called from CertificatePinner.check at a different line than yours, and uses an instance variable that should not be set by the Builder calls you used (although there is a way that effectively sets that instance variable at some later unknown time to some unknown value).

The comments (if they do not differ significantly in whichever version you are actually using) suggest that this method should be called with a valid or verifiable chain, and the code appears to require it. The javadoc comment on the abstract class CertificateChainCleaner says

/**
 * Computes the effective certificate chain from the raw array returned by Java's built in TLS APIs.
 * Cleaning a chain returns a list of certificates where the first element is {@code chain[0]}, each
 * certificate is signed by the certificate that follows, and the last certificate is a trusted CA
 * certificate.
 *
 * <p>Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
 * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
 * pinning.
 */

and on the implementation class BasicCertificateChainCleaner

/**
 * A certificate chain cleaner that uses a set of trusted root certificates to build the trusted
 * chain. This class duplicates the clean chain building performed during the TLS handshake. We
 * prefer other mechanisms where they exist, such as with
 * {@code okhttp3.internal.platform.AndroidPlatform.AndroidCertificateChainCleaner}.
 *
 * <p>This class includes code from <a href="https://conscrypt.org/">Conscrypt's</a> {@code
 * TrustManagerImpl} and {@code TrustedCertificateIndex}.
 */

and its clean method says

 * <p>This method throws if the complete chain to a trusted CA certificate cannot be constructed.
 * This is unexpected unless the trust root index in this class has a different trust manager than
 * what was used to establish {@code chain}.

Together these strongly suggest to me that this is designed to work alongside the normal (PKIX chain) validation done by a normal TrustManager. The chain 'finishing' done here is similar to that done by Java's normal PKIX or X.509 validator, but simplified. This is further supported by part of the javadoc comment on the top-level CertificatePinner class:

 * <h4>Note about self-signed certificates</h4>
 *
 * <p>{@link CertificatePinner} can not be used to pin self-signed certificate if such certificate
 * is not accepted by {@link javax.net.ssl.TrustManager}.

So I suggest you go back to a normal TrustManager, but since that will not accept the 'chain' this server currently sends, you need to either:

  • fix the server to comply with RFC5246 and send the appropriate DigiCert intermediate certificate, or

  • obtain the intermediate (per the AIA, from http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt, but not with a browser that obeys the MIME type; try curl, wget or similar) and add it to the truststore used by JSSE, and if that differs from the truststore used by CertificatePinner, you may need to add it there as well.
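As an added example (not code from the question, the answer or OkHttp itself) of the second option in working form: a normal PKIX trust manager over the JRE's default CAs plus the omitted DigiCert intermediate, handed to OkHttp together with the pin from the question. It assumes an OkHttp 3.x API, that the intermediate was saved to the hypothetical local file `DigiCertSHA2SecureServerCA.crt`, and that passing the trust manager to `sslSocketFactory(factory, trustManager)` is what OkHttp derives its chain cleaner from.

```java
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class PinnedPercolateClient {
    /** Picks the X509TrustManager out of a factory (the normal PKIX one, not a trust-all stub). */
    static X509TrustManager x509TrustManagerFrom(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Normal PKIX trust manager over the JRE's default CAs plus the DigiCert intermediate the
     *  server omits; with it present, JSSE and OkHttp's chain cleaner can complete the chain. */
    static X509TrustManager trustManagerWithIntermediate(String intermediatePath) throws Exception {
        // 1. Collect the CAs the JRE already trusts (init with null loads the default cacerts).
        TrustManagerFactory defaultTmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaultTmf.init((KeyStore) null);
        X509TrustManager defaultTm = x509TrustManagerFrom(defaultTmf);

        // 2. Copy them into a fresh in-memory keystore and add the intermediate as a trusted entry.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 0;
        for (X509Certificate ca : defaultTm.getAcceptedIssuers()) {
            ks.setCertificateEntry("default-ca-" + (i++), ca);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(intermediatePath)) {
            ks.setCertificateEntry("digicert-sha2-secure-server-ca", cf.generateCertificate(in));
        }

        // 3. Build a regular trust manager over the extended root set; nothing is bypassed.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return x509TrustManagerFrom(tmf);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical local path: the file fetched from the AIA caIssuers URL with curl or wget.
        X509TrustManager tm = trustManagerWithIntermediate("DigiCertSHA2SecureServerCA.crt");
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[]{tm}, null);

        // Pin from the question; it is checked against the chain this same trust manager validated.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add("*.percolate.com", "sha256/gd0jw5Y5beTzcXkn1mrr9b+Dri2kx2IIkML8vU5Xz04=")
                .build();

        // Passing tm alongside the socket factory lets OkHttp derive its chain cleaner from the same
        // trust roots, so the pinner sees a chain ending in a trusted CA. The default hostname
        // verifier is kept rather than replaced with one that always returns true.
        OkHttpClient client = new OkHttpClient.Builder()
                .sslSocketFactory(sslContext.getSocketFactory(), tm)
                .certificatePinner(pinner)
                .build();
        Request request = new Request.Builder().url("https://mobile-versions-api.percolate.com/api/config/").build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println("HTTP " + response.code());
        }
    }
}
```

If the server is later fixed to send the intermediate itself, the extra keystore entry becomes unnecessary and the same code keeps working with the plain default trust manager.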