Android 到 Tomcat 的 SSL 连接(自签名证书)SSLPeerUnverifiedException
Android SSL Connection to Tomcat (self signed certificate) SSLPeerUnverifiedException
我目前正在尝试在一个简单的测试应用程序中实现 ssl 连接。
设置:
Ubuntu 服务器 14.04.3 Tomcat 7
内网IP:192.168.189.42
Tomcat SSL:
https://192.168.177.42:8443/
通过以下方式创建的 SSL 证书:Tomcat Tutorial
设备:API23 平板电脑虚拟机(Hyper-V,Visual Studio)
IDE: Android 工作室
首先,我通过 AsyncTask 测试了与 Google 的 ssl 连接:
URL url = new URL("https://google.de");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
in.close();
效果很好。
所以我用这个命令从密钥库中提取了证书:
keytool -export -alias tomcat -file server.cer -keystore .keystore
我将该文件放入:myproject/res/raw/server.cer
在另一个 AsyncTask 中,我使用 google 开发人员的 sample code 创建了一个连接:
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(context.getResources().openRawResource(R.raw.server));
Certificate ca;
ca = cf.generateCertificate(caInput);
Log.d("CERT: ", "ca=" + ((X509Certificate) ca).getSubjectDN());
caInput.close();
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
URL url = new URL("https://192.168.177.42:8443/");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
in.close();
如果我尝试执行这段代码,我会得到以下异常:
11-13 18:39:02.508 12135-12280/moe.testapp W/System.err﹕ javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.177.42 not verified:
11-13 18:39:02.508 12135-12280/moe.testapp W/System.err﹕ certificate: sha1/wFJI0CzwVvJ2MuGvpoJaFO8y4z8=
11-13 18:39:02.508 12135-12280/moe.testapp W/System.err﹕ DN: CN=Alcardis,OU=AL,O=AL,L=test,ST=state,C=XX
11-13 18:39:02.508 12135-12280/moe.testapp W/System.err﹕ subjectAltNames: []
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:120)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.Connection.connect(Connection.java:143)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:185)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.OkHttpClient.connectAndSetOwner(OkHttpClient.java:128)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:433)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:384)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:231)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:210)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at moe.testapp.TomcatWebservice.doInBackground(TomcatWebservice.java:64)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at moe.testapp.TomcatWebservice.doInBackground(TomcatWebservice.java:28)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at android.os.AsyncTask.call(AsyncTask.java:295)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.FutureTask.run(FutureTask.java:237)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at android.os.AsyncTask$SerialExecutor.run(AsyncTask.java:234)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at java.lang.Thread.run(Thread.java:818)
不明白楼主怎么验证不了。证书被正确读取(我至少可以在调试器中使用正确的值访问它)并且 android 应用程序也可以在标准网络浏览器中通过 https 访问 tomcat。
好的,从带有评论的答案中我得到了一些见解并尝试了另一种方法。
服务器没有 FQDN,CN 应该等于 FQND,这就是它在上面的代码中不起作用的原因。
因为服务器没有 FQDN,所以我搜索了使用 ip 地址的替代方法。我找到了这个 howto 并创建了一个没有 CN 但具有替代名称的证书并将 ip 放在那里我还必须将 keystoreType="PKCS12" 行添加到 tomcat 的 server.xml 因为我从默认密钥库更改为 PKCS12。
SSL 证书的默认行为是让客户端验证服务器名称是否与证书中的名称匹配。这有助于防止中间人攻击和服务器欺骗。当你的服务器没有名字(192.168.x.x)时,就无法验证。对于您的初始应用程序,您可以关闭此验证。
您应该为任何实际应用程序保留服务器名称验证。
我目前正在尝试在一个简单的测试应用程序中实现 ssl 连接。
设置: Ubuntu 服务器 14.04.3 Tomcat 7 内网IP:192.168.189.42 Tomcat SSL:
https://192.168.177.42:8443/
通过以下方式创建的 SSL 证书:Tomcat Tutorial 设备:API23 平板电脑虚拟机(Hyper-V,Visual Studio) IDE: Android 工作室
首先,我通过 AsyncTask 测试了与 Google 的 ssl 连接:
URL url = new URL("https://google.de");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
in.close();
效果很好。
所以我用这个命令从密钥库中提取了证书:
keytool -export -alias tomcat -file server.cer -keystore .keystore
我将该文件放入:myproject/res/raw/server.cer
在另一个 AsyncTask 中,我使用 google 开发人员的 sample code 创建了一个连接:
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(context.getResources().openRawResource(R.raw.server));
Certificate ca;
ca = cf.generateCertificate(caInput);
Log.d("CERT: ", "ca=" + ((X509Certificate) ca).getSubjectDN());
caInput.close();
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
URL url = new URL("https://192.168.177.42:8443/");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
in.close();
如果我尝试执行这段代码,我会得到以下异常:
11-13 18:39:02.508 12135-12280/moe.testapp W/System.err﹕ javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.177.42 not verified:
11-13 18:39:02.508 12135-12280/moe.testapp W/System.err﹕ certificate: sha1/wFJI0CzwVvJ2MuGvpoJaFO8y4z8=
11-13 18:39:02.508 12135-12280/moe.testapp W/System.err﹕ DN: CN=Alcardis,OU=AL,O=AL,L=test,ST=state,C=XX
11-13 18:39:02.508 12135-12280/moe.testapp W/System.err﹕ subjectAltNames: []
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:120)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.Connection.connect(Connection.java:143)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:185)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.OkHttpClient.connectAndSetOwner(OkHttpClient.java:128)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:433)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:384)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:231)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:210)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at moe.testapp.TomcatWebservice.doInBackground(TomcatWebservice.java:64)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at moe.testapp.TomcatWebservice.doInBackground(TomcatWebservice.java:28)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at android.os.AsyncTask.call(AsyncTask.java:295)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.FutureTask.run(FutureTask.java:237)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at android.os.AsyncTask$SerialExecutor.run(AsyncTask.java:234)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
11-13 18:39:02.509 12135-12280/moe.testapp W/System.err﹕ at java.lang.Thread.run(Thread.java:818)
不明白楼主怎么验证不了。证书被正确读取(我至少可以在调试器中使用正确的值访问它)并且 android 应用程序也可以在标准网络浏览器中通过 https 访问 tomcat。
好的,从带有评论的答案中我得到了一些见解并尝试了另一种方法。 服务器没有 FQDN,CN 应该等于 FQND,这就是它在上面的代码中不起作用的原因。
因为服务器没有 FQDN,所以我搜索了使用 ip 地址的替代方法。我找到了这个 howto 并创建了一个没有 CN 但具有替代名称的证书并将 ip 放在那里我还必须将 keystoreType="PKCS12" 行添加到 tomcat 的 server.xml 因为我从默认密钥库更改为 PKCS12。
SSL 证书的默认行为是让客户端验证服务器名称是否与证书中的名称匹配。这有助于防止中间人攻击和服务器欺骗。当你的服务器没有名字(192.168.x.x)时,就无法验证。对于您的初始应用程序,您可以关闭此验证。
您应该为任何实际应用程序保留服务器名称验证。