Error: Name not matching for self signed SSL certificates on Android


Problem description


I am trying to access my web application protected by SSL from an Android 2.3.4 using the built-in browser.

The server certificate is a self-signed certificate I created using MAKECERT and installed on the server. When I try to access the page, I get an error message from the browser stating "The name of the site does not match name on the certificate."

I have verified and the server address is exactly matching the Common Name of my certificate (it is actually just an IP address).

The message does not pop up when I try to access, on the Android device, other websites secured with certificates that are not self-signed.

If I access the same page using IE or Chrome on a desktop - apart from the signing authority message - I get no warnings and, once I have installed the certificate in the Trusted Root CA, the certificate is smoothly accepted by the browser.

Should I take it that the message is actually a rejection of self signed certificate by Android?

I am a bit puzzled at this.

I tried to install the certificate in the Credential Storage but that does not improve the situation, and now I have no clue what I might try next.

Questions are: Is there any particular thing I should follow when creating a self-signed certificate acceptable for Android? Has anyone managed to get self-signed certs accepted by Android without this warning?

What else could I try?

-UPDATE- Bruno's reply steered me in the right direction, so I managed to do one step forward: I remade the certificate adding SAN (had to abandon MAKECERT for OpenSSL, following the instructions from Andy Arismendi).

Now the message has gone but I am blocked in the 'certification authority not trusted' issue already discussed in this SO post (http://stackoverflow.com/questions/4461360/how-to-install-trusted-ca-certificate-on-android-device), so I am still working to find a final solution to my issue - not having any warning popping up on the Android browser.

Solution

I have verified and the server address is exactly matching the Common Name of my certificate (it is actually just an IP address).

Android's host name verifier is more strictly compliant with RFC 2818 than some browsers. According to the specification, if an IP address is used, it must be in a Subject Alternative Name entry of IP address type: not on a SAN entry of DNS type or in the CN:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

[...]

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

The easiest would be to use a host name. (Using IP addresses in certificates is never really practical.) Alternatively, generate a certificate with a SAN IP address entry. (You may be interested in this.)
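The identity rule quoted in the answer, written out as a small checker. This is an added example, not code from the original answer or from Android; the function names and the sample certificates are constructed for illustration, and the certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

def _as_ip(text):
    """Parse an IP literal (brackets allowed for IPv6); None if not an IP."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' may replace the whole leftmost label only
    (a simplification of the RFC 2818 wildcard rules)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def rfc2818_match(cert, host):
    """cert is a dict shaped like the output of ssl.SSLSocket.getpeercert()."""
    san = cert.get("subjectAltName", ())
    ip = _as_ip(host)
    if ip is not None:
        # IP in the URI: only an iPAddress SAN counts, never a DNS SAN or the CN.
        return any(kind == "IP Address" and _as_ip(value) == ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # A dNSName SAN is present, so the CN is ignored.
        return any(_dns_match(name, host) for name in dns_names)
    # No dNSName SAN: fall back to the CN (the last one is taken as the most
    # specific, which is an assumption of this example).
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return bool(cns) and _dns_match(cns[-1], host)

# Constructed sample certificates (192.0.2.10 is a documentation address).
SUBJECT = ((("commonName", "192.0.2.10"),),)
CN_ONLY = {"subject": SUBJECT}
DNS_SAN = {"subject": SUBJECT, "subjectAltName": (("DNS", "192.0.2.10"),)}
IP_SAN = {"subject": SUBJECT, "subjectAltName": (("IP Address", "192.0.2.10"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("DNS SAN", DNS_SAN), ("IP SAN", IP_SAN)):
        print(label, "->", rfc2818_match(cert, "192.0.2.10"))
```

Only the certificate carrying the address in an IP-type SAN entry matches; the same address in the CN or in a DNS-type SAN is rejected, which is the strict behaviour the answer describes.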
