0

我想在 android 客户端和 delphi 服务器之间创建一个安全连接。建议使用 TLS1.1 或 TLS1.2 和自签名证书。

目前最低 sdk 版本为 19。

我想出了如何连接自签名证书。但似乎 android 客户端总是尝试与 SSLv3 连接。我试图禁用 SSLv3 并且只使用 TLS,但我没有找到合适的解决方案来考虑自签名证书。

Ps:如果我告诉服务器不使用任何安全层或使用 SSLv3,则连接正常工作

11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x71698c50: Failure in SSL library, usually a protocol error
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x388da166:0x00000000)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:448)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.okhttp.Connection.upgradeToTls(Connection.java:146)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.okhttp.Connection.connect(Connection.java:107)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:294)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.okhttp.internal.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:206)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:345)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.okhttp.internal.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:89)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at com.android.okhttp.internal.http.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:161)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at de.gold_software.wartungsmanager.server.TestController$TestAsyncTask.doInBackground(TestController.java:119)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at de.gold_software.wartungsmanager.server.TestController$TestAsyncTask.doInBackground(TestController.java:66)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at android.os.AsyncTask$2.call(AsyncTask.java:288)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at java.util.concurrent.FutureTask.run(FutureTask.java:237)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
11-25 13:19:10.418 10247-10291/de.gold_software.wartungsmanager W/System.err:     at java.lang.Thread.run(Thread.java:841)

我的 Asynctask 的代码

CertificateFactory cf = CertificateFactory.getInstance("X.509");
caInput = new BufferedInputStream(getMyContext().getResources().openRawResource(R.raw.proxyserver));
Certificate ca = cf.generateCertificate(caInput);

String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);

String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);

SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(null, tmf.getTrustManagers(), null);

URL url = new URL("https://192.168.1.177:443");
conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(context.getSocketFactory());
conn.setReadTimeout(10000);
conn.setConnectTimeout(15000);
conn.setRequestMethod("POST");
conn.setDoInput(true);
conn.setDoOutput(true);
conn.setRequestProperty("Content-Type", "text/plain; charset=utf-8");
conn.connect();
4

1 回答 1

0

你有没有试过这个:

SSLContext context = SSLContext.getInstance("TLS");

而不是 SSLContext context = SSLContext.getInstance("TLSv1.2");

另一件事可能是:

System.setProperty("https.protocols", "TLS"); //somewhere in Java code, in main f.e.

甚至可能

System.setProperty("https.protocols", "TLSv1"); //worked by me

但要小心,这个设置会被保存很长时间。

此外,在您的 Java JRE 文件夹中,您可以找到文件 jre/lib/security/java.security,您可以在其中找到这样的一行并更改它,或者只是添加这一行(仅当不存在时):

jdk.tls.disabledAlgorithms=SSLv3

或者结合最后两个解决方案。

于 2016-10-16T12:02:32.417 回答