1

我们的后端从 SHA-1 & TLS 1.0 更新为SHA-2 证书 & TLS 1.2它在API 级别低于 20 ( Android 4.1-4.4 )的平台上破坏了我们的 Android 应用程序的 HTTPS 通信。

(我们的 Android 项目使用的是Retrofit 2.4.0 & okhttp 3.10.0

我尝试通过使用TLS 1.2在 Android 4.x 上强制我们的应用程序来解决上述问题,我的代码受到本教程的启发(但我排除了教程代码的公钥固定):

我首先创建了一个TLSSocketFactory

public class TLSSocketFactory extends SSLSocketFactory {

    private SSLSocketFactory internalSSLSocketFactory;

    public TLSSocketFactory() throws KeyManagementException, NoSuchAlgorithmException {

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { systemDefaultTrustManager() }, null);
        internalSSLSocketFactory = sslContext.getSocketFactory();
    }

    @Override
    public String[] getDefaultCipherSuites() {
        return internalSSLSocketFactory.getDefaultCipherSuites();
    }

    @Override
    public String[] getSupportedCipherSuites() {
        return internalSSLSocketFactory.getSupportedCipherSuites();
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(s, host, port, autoClose));
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port, localHost, localPort));
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(host, port));
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return enableTLSOnSocket(internalSSLSocketFactory.createSocket(address, port, localAddress, localPort));
    }

    private Socket enableTLSOnSocket(Socket socket) {
        if(socket != null && (socket instanceof SSLSocket)) {
            ((SSLSocket)socket).setEnabledProtocols(new String[] {"TLSv1.1", "TLSv1.2"});
        }
        return socket;
    }

    public X509TrustManager systemDefaultTrustManager() {
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                    TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                throw new IllegalStateException("Unexpected default trust managers:"
                        + Arrays.toString(trustManagers));
            }
            return (X509TrustManager) trustManagers[0];
        } catch (GeneralSecurityException e) {
            throw new AssertionError(); // The system has no TLS. Just give up.
        }
    }
}

然后,将上述TLSSocketFactory应用于OkHttpClient

OkHttpClient.Builder builder = new OkHttpClient.Builder();

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_1, TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
                .build();

builder.connectionSpecs(Collections.singletonList(spec));


builder.readTimeout(10, TimeUnit.SECONDS);
builder.connectTimeout(10, TimeUnit.SECONDS);
builder.writeTimeout(10, TimeUnit.SECONDS);

// apply TLSSocketFactory

        try {
            TLSSocketFactory socketFactory = new TLSSocketFactory();
            builder.sslSocketFactory(socketFactory, socketFactory.systemDefaultTrustManager());
        } catch (KeyManagementException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }

OkHttpClient client = builder.build();

Retrofit然后,使用上面创建一个实例OkHttpClient

Retrofit retrofit = new Retrofit.Builder().baseUrl(myUrl)
                .addConverterFactory(ScalarsConverterFactory.create())
                .addConverterFactory(GsonConverterFactory.create(gson))
                .client(client) // my OkHttpClient
                .build();

但是,当我现在在与后端通信的 Android 4.x 上运行我的应用程序时,我仍然收到错误消息

OkHttp: <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

为什么?我错过了什么?

(在TLSSocketFactory的构造函数中,我也尝试过sslContext.init(null, null, null);,但没有帮助,同样的错误。)

新证书很好,它适用于Android 5.0+,但新证书和旧证书来自不同的颁发者

4

2 回答 2

0

尝试在 okHttp 库的 Github 上发布的命题- 这是众所周知的问题

于 2018-08-29T16:32:40.037 回答
0

我不明白为什么需要调用这个方法systemDefaultTrustManager

要使用系统默认值,请尝试替换

sslContext.init(null, new TrustManager[] { systemDefaultTrustManager() }, null);

经过

sslContext.init(null, null, null);
于 2018-03-20T21:55:57.797 回答