13

I received a warning from Google Play.

How do I deal with the "SSL Error Handler Vulnerability" reported for an unsafe implementation of the WebViewClient.onReceivedSslError handler?

"Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise."

4
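The check the notice describes, written out as an added example (this is not code from the question or from any of the answers): a WebViewClient that calls proceed() only when one known host presents exactly the certificate we expect, and cancel() in every other case. The host name in PINNED_HOST and the pin in PINNED_CERT_SHA256_B64 are placeholders; the "x509-certificate" Bundle key used for pre-API-29 devices is an undocumented but long-standing detail of SslCertificate.saveState().

```java
import android.net.Uri;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Build;
import android.os.Bundle;
import android.util.Base64;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.cert.X509Certificate;

/**
 * Added example: proceed() only for one pinned host presenting one pinned
 * leaf certificate; cancel() for everything else (the WebView default).
 * PINNED_HOST and PINNED_CERT_SHA256_B64 are placeholders.
 */
public class PinnedWebViewClient extends WebViewClient {

    // Placeholder: the only host for which an SSL error is ever examined.
    private static final String PINNED_HOST = "intranet.example.com";

    // Placeholder: Base64(SHA-256(DER-encoded leaf certificate)), e.g. from
    //   openssl x509 -in server.crt -outform DER | openssl dgst -sha256 -binary | base64
    private static final String PINNED_CERT_SHA256_B64 = "REPLACE_WITH_BASE64_SHA256_OF_DER";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (isExpectedCertificate(error)) {
            handler.proceed();
        } else {
            handler.cancel(); // fail closed, same as not overriding the method
        }
    }

    /** True only when the pinned host presents exactly the pinned certificate. */
    static boolean isExpectedCertificate(SslError error) {
        // The callback also fires for sub-resources (images, scripts, iframes);
        // never relax validation for any host other than the pinned one.
        String host = Uri.parse(error.getUrl()).getHost();
        if (host == null || !host.equalsIgnoreCase(PINNED_HOST)) {
            return false;
        }
        // A self-signed or private-CA certificate should produce SSL_UNTRUSTED and
        // nothing else. A name mismatch, expiry or other error means this is not the
        // deployment we expect, so refuse even if the pin would match.
        if (!error.hasError(SslError.SSL_UNTRUSTED)
                || error.hasError(SslError.SSL_IDMISMATCH)
                || error.hasError(SslError.SSL_EXPIRED)
                || error.hasError(SslError.SSL_NOTYETVALID)
                || error.hasError(SslError.SSL_DATE_INVALID)
                || error.hasError(SslError.SSL_INVALID)) {
            return false;
        }
        byte[] der = derEncoding(error.getCertificate());
        if (der == null) {
            return false;
        }
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(der);
            byte[] expected = Base64.decode(PINNED_CERT_SHA256_B64, Base64.DEFAULT);
            return MessageDigest.isEqual(actual, expected); // constant-time compare
        } catch (Exception e) {
            return false; // bad pin string or missing algorithm: fail closed
        }
    }

    /** DER bytes of the presented leaf certificate, or null if unavailable. */
    private static byte[] derEncoding(SslCertificate cert) {
        if (cert == null) {
            return null;
        }
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
                X509Certificate x509 = cert.getX509Certificate();
                return x509 == null ? null : x509.getEncoded();
            }
            // Before API 29 there is no public getter; the saved-state Bundle
            // carries the DER under the "x509-certificate" key (undocumented).
            Bundle state = SslCertificate.saveState(cert);
            return state == null ? null : state.getByteArray("x509-certificate");
        } catch (Exception e) {
            return null;
        }
    }
}
```

Two caveats belong with this. First, WebView may retain a proceed() decision for later SSL errors involving the same certificate (the framework's own Javadoc for the method says so), so the check has to be strict the first time. Second, on API 24 and later a private CA can be trusted through a Network Security Config trust anchor instead, in which case onReceivedSslError need not be overridden at all; where that is possible it is the preferable fix, since it also removes the pattern that triggers the Google Play scan.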

5 Answers

9

I received the same warning today, and it tells me the problem comes from the SDK of one of my ad networks (InMobi, which I am seriously considering dropping because they serve a lot of fraudulent auto-redirecting banners, and now this...):

com.inmobi.commons.analytics.iat.impl.net.AdTrackerWebViewLoader$MyWebViewClient

In your case, which class is affected? If it is one of your own classes, you have to read the technical documentation and fix your implementation.

If, like me, you are simply the victim of one of these external libraries, contact the developers and ask them for a fixed library (or remove the library).

answered 2015-09-25T08:30:13.287
3

You should first check whether you are using the WebViewClient.onReceivedSslError handler correctly.

If you are not using the WebViewClient library, or you are already using it correctly, the problem may come from a third-party library. You can start by running this Linux command in the root directory of your project to identify which libraries might be causing the problem:

find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;

This lists, across all jar files, every file that contains the string "OnReceivedSslError".

After that, you can check whether Google's recommendations for handling the vulnerability are followed in each matching file.

answered 2016-02-17T15:25:42.917
2

If you don't need to handle anything inside onReceivedSslError(WebView, SslErrorHandler, SslError), just remove the method and you can avoid the Google Play warning. Otherwise, you should not call proceed() directly either. Here is @sakiM's example, "Webview avoid security alerts from Google Play upon implementation of onReceivedSslError":

import android.app.AlertDialog;
import android.content.DialogInterface;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;

// Ask the user before deciding: proceed() only on an explicit "continue".
// Inside a WebViewClient, `this` is not a Context, so the dialog is built
// from the WebView's Context rather than from `this`.
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
    builder.setMessage(R.string.notification_error_ssl_cert_invalid);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed(); // user explicitly accepted the certificate
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel(); // abort the load
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}

If the onReceivedSslError method is being called from a third-party library, contact the provider.

answered 2016-05-16T06:03:46.433
0

Hi, here is the latest solution to your problem. Hope it helps someone:

// Copy and paste this code and remove the onReceivedError() method.

import android.app.AlertDialog;
import android.content.DialogInterface;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;

/**
 * Notify the host application that an SSL error occurred while loading a
 * resource. The host application must call either handler.cancel() or
 * handler.proceed(). Note that the decision may be retained for use in
 * response to future SSL errors. The default behavior is to cancel the
 * load.
 *
 * @param view    The WebView that is initiating the callback.
 * @param handler An SslErrorHandler object that will handle the user's
 *                response.
 * @param error   The SSL error object.
 */
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
    // Map the most severe error in the set to a human-readable message.
    String msg = "";
    switch (error.getPrimaryError()) {
        case SslError.SSL_DATE_INVALID:
            msg = "The date of the certificate is invalid";
            break;
        case SslError.SSL_INVALID:
            msg = "A generic error occurred";
            break;
        case SslError.SSL_EXPIRED:
            msg = "The certificate has expired";
            break;
        case SslError.SSL_IDMISMATCH:
            msg = "Hostname mismatch";
            break;
        case SslError.SSL_NOTYETVALID:
            msg = "The certificate is not yet valid";
            break;
        case SslError.SSL_UNTRUSTED:
            msg = "The certificate authority is not trusted";
            break;
    }
    // Let the user decide: proceed() only on an explicit "continue".
    final AlertDialog.Builder builder = new AlertDialog.Builder(OnlinePayment.this);
    builder.setMessage(msg);
    builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.proceed();
        }
    });
    builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
        @Override
        public void onClick(DialogInterface dialog, int which) {
            handler.cancel();
        }
    });
    final AlertDialog dialog = builder.create();
    dialog.show();
}
answered 2016-12-30T13:08:14.480
-6

This may be because a third-party library that includes OpenSSL is used in your application. That happened in my case. The library was mentioned in the alert from Google Play. I used the following grep command on the APK containing that library:

$ unzip -p YourApp.apk | strings | grep "OpenSSL"

If the OpenSSL problem exists because of that library, this command will print a lengthy log.

+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
OpenSSL/%lx.%lx.%lx%s
OpenSSL 1.0.1h 5 Jun 2014
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL DH Method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
MD4 part of OpenSSL 1.0.1h 5 Jun 2014
MD5 part of OpenSSL 1.0.1h 5 Jun 2014
SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
DES part of OpenSSL 1.0.1h 5 Jun 2014
libdes part of OpenSSL 1.0.1h 5 Jun 2014
AES part of OpenSSL 1.0.1h 5 Jun 2014
Big Number part of OpenSSL 1.0.1h 5 Jun 2014
^RSA part of OpenSSL 1.0.1h 5 Jun 2014
Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
Stack part of OpenSSL 1.0.1h 5 Jun 2014
lhash part of OpenSSL 1.0.1h 5 Jun 2014
EVP part of OpenSSL 1.0.1h 5 Jun 2014
ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
PEM part of OpenSSL 1.0.1h 5 Jun 2014
X.509 part of OpenSSL 1.0.1h 5 Jun 2014
RC2 part of OpenSSL 1.0.1h 5 Jun 2014
IDEA part of OpenSSL 1.0.1h 5 Jun 2014
CAMELLIA part of OpenSSL 1.0.1h 5 Jun 2014
EDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDH part of OpenSSL 1.0.1h 5 Jun 2014
RAND part of OpenSSL 1.0.1h 5 Jun 2014
CONF part of OpenSSL 1.0.1h 5 Jun 2014
CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
SHA part of OpenSSL 1.0.1h 5 Jun 2014
RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
RC4 part of OpenSSL 1.0.1h 5 Jun 2014
:Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
\CAST part of OpenSSL 1.0.1h 5 Jun 2014
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
%s(%d): OpenSSL internal error, assertion failed: %s
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
OpenSSL/%lx.%lx.%lx%s
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL DH Method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
OpenSSL default
SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
MD4 part of OpenSSL 1.0.1h 5 Jun 2014
MD5 part of OpenSSL 1.0.1h 5 Jun 2014
SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
DES part of OpenSSL 1.0.1h 5 Jun 2014
libdes part of OpenSSL 1.0.1h 5 Jun 2014
AES part of OpenSSL 1.0.1h 5 Jun 2014
Big Number part of OpenSSL 1.0.1h 5 Jun 2014
^RSA part of OpenSSL 1.0.1h 5 Jun 2014
Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
Stack part of OpenSSL 1.0.1h 5 Jun 2014
lhash part of OpenSSL 1.0.1h 5 Jun 2014
EVP part of OpenSSL 1.0.1h 5 Jun 2014
ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
PEM part of OpenSSL 1.0.1h 5 Jun 2014
X.509 part of OpenSSL 1.0.1h 5 Jun 2014
RC2 part of OpenSSL 1.0.1h 5 Jun 2014
IDEA part of OpenSSL 1.0.1h 5 Jun 2014
DSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDH part of OpenSSL 1.0.1h 5 Jun 2014
RAND part of OpenSSL 1.0.1h 5 Jun 2014
CONF part of OpenSSL 1.0.1h 5 Jun 2014
CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
SHA part of OpenSSL 1.0.1h 5 Jun 2014
RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
\CAST part of OpenSSL 1.0.1h 5 Jun 2014

Try the same command on another APK that does not have that library. It will only show two lines like the following:

+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
answered 2015-09-25T12:45:36.790