javax.net.ssl.SSLPeerUnverifiedException:在Android 4.x和5.x上没有对等证书 [英] javax.net.ssl.SSLPeerUnverifiedException: No peer certificate on Android 4.x and 5.x

问题描述

我正在Android 4.4.2上运行我的应用程序，它引发了此错误:

I am running my app on Android 4.4.2 and it throws this error:

07-03 08:43:59.255 21643-21803/com.myapp W/System.err: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at com.myapp.Util.Util$1.run(Util.java:242)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at java.lang.Thread.run(Thread.java:841)
07-03 08:43:59.475 21643-21643/com.myapp E/ViewRootImpl: sendUserActionEvent() mView == null

它可以在Android 6.x及更高版本上正常工作.仅Android 4.x和5.x失败.我没有尝试过Android 3.x及以下版本，但是如果我只能为Android 4.x和5.x修复它，那就可以了.有趣的是，它过去曾经可以工作，而突然间，在我不更改应用程序源代码的情况下，它停止了工作.当我转到 https://www.digicert.com/help/来测试服务器SSL证书，一切都通过了:

It works correctly on Android 6.x and above. Only Android 4.x and 5.x fail. I have not tried Android 3.x and below but I would be fine if I could only fix it for Android 4.x and 5.x. The interesting thing is that it used to work in the past and all of a sudden it stopped working without me changing the source code of the app. When I go to https://www.digicert.com/help/ to test my server SSL Certificate, everything passes:

DNS resolves <Domain> to <IP address>
HTTP Server Header: Apache

SSL certificate
Common Name =

Subject Alternative Names = <subdomain>.<Domain>, <Domain>, m.<Domain>, www.<Domain>

Issuer = COMODO RSA Extended Validation Secure Server CA

Serial Number = 5A34235B2A2B53B35354232B123B23C5

SHA1 Thumbprint = 98C357AC34A23B232134B2A4C23A2B23AC23A532

Key Length = 2048

Signature algorithm = SHA256 + RSA (excellent)

Secure Renegotiation: Supported

SSL Certificate has not been revoked
OCSP Staple:    Good
OCSP Origin:    Good
CRL Status: Good

SSL Certificate expiration
The certificate expires May 24, 2019 (325 days from today)

Certificate Name matches <Domain>

Subject 
Valid from 11/Jun/2017 to 24/May/2019
Issuer  COMODO RSA Extended Validation Secure Server CA


Subject COMODO RSA Extended Validation Secure Server CA
Valid from 12/Feb/2012 to 11/Feb/2027
Issuer  COMODO RSA Certification Authority


Subject COMODO RSA Certification Authority
Valid from 30/May/2000 to 30/May/2020
Issuer  AddTrust External CA Root
SSL Certificate is correctly installed
Congratulations! This certificate is correctly installed.

我的SSL证书看起来不错.我不知道为什么Android 4.x和5.x会引发此javax.net.ssl.SSLPeerUnverifiedException: No peer certificate错误.

My SSL Certificate looks fine. I wonder why Android 4.x and 5.x are throwing this javax.net.ssl.SSLPeerUnverifiedException: No peer certificate error.

更新1 :SSL报告显示我的SSL证书一切正常. Android为什么会抱怨?这是报告:

UPDATE 1: The SSL report shows that everything is fine with my SSL certificate. Why is Android complaining? This is the report:

我正在使用 https://www.ssllabs.com/ssltest/

更新2 :阅读 https://developer.android.com/reference/javax/net/ssl/SSLPeerUnverifiedException.html#SSLPeerUnverifiedException(java.lang.String)，据我了解，该服务器是无法识别自己.为什么?我猜是因为理论上服务器缺少必需的对等证书.如果您看到如何使用 https://www.ssllabs.com/ssltest/在UPDATE 1中，SSL报告显示我的服务器正确通过了证书测试.

UPDATE 2: Reading https://developer.android.com/reference/javax/net/ssl/SSLPeerUnverifiedException.html#SSLPeerUnverifiedException(java.lang.String), what I understand is that the server was not able to identify itself. Why? I guess because in theory the server is missing the required peer certificate. It sounds like a contradiction if you see how when using https://www.ssllabs.com/ssltest/ in UPDATE 1, the SSL Report shows that my server passes certificate tests correctly.

更新3 :我的证书颁发机构(CA)是COMODO.我的SSL报告显示我的SSL证书一切正常: https://www.ssllabs.com/ssltest/analyze.html?d=cuponclub.net .当我从Web浏览器发出服务器请求时，一切都很好: https://cuponclub. net/San-salvador/deals/json_index/.查看HTTPS连接如何成功，证书在浏览器中是否有效，一切看起来都很完美.在Android 6.x及更高版本上没有错误，但是为什么当我尝试在Android 4.x上编译我的应用程序时，Android 4.x和5.x一直抱怨我的SSL证书，并在Android Studio日志上抛出此错误还是5.x?:

UPDATE 3: My certificate authority (CA) is COMODO. My SSL report shows that everything is good with my SSL certificate: https://www.ssllabs.com/ssltest/analyze.html?d=cuponclub.net. When I make a server request from a web browser, everything is good: https://cuponclub.net/San-salvador/deals/json_index/. See how the HTTPS connection is successful, the certificate is valid from the browser and everything looks perfect. No errors on Android 6.x and above, but why is it that Android 4.x and 5.x keep complaining about my SSL certificate, throwing this error on the Android Studio logs when I try to compile my app on Android 4.x or 5.x?:

W/System.err: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
W/System.err:     at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
W/System.err:     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
W/System.err:     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
W/System.err:     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
W/System.err:     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
W/System.err:     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
W/System.err:     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err:     at com.couponclub.Util.Util$1.run(Util.java:242)
W/System.err:     at java.lang.Thread.run(Thread.java:841)

更新4 :在 https://www.ssllabs.com/ssltest/分析我的网站时，我在结果中看到红色:

UPDATE 4: Looking at the answers at Error in android application: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate, they suggest that the problem could be related to the Server Name Indication (SNI). When I use https://www.ssllabs.com/ssltest/ to analyze my site, I see this in the results in red:

替代名称[.......] MISMATCH 信任否不信任 Mozilla苹果Android Java Windows

Alternative names [................] MISMATCH Trusted No NOT TRUSTED Mozilla Apple Android Java Windows

也许我的问题与该服务器名称指示(SNI)有关还是缺少它?

Maybe my problem is related to this Server Name Indication (SNI) or the lack of it?

更新5 :我从 https收到红色的"No SNI" ://www.ssllabs.com/ssltest/.也许是造成问题的原因?

UPDATE 5: I am getting this "No SNI" in red from https://www.ssllabs.com/ssltest/. Maybe that is causing the problem?

更新6 :由于我的问题的影响，可以忽略Certificate #2，因为它适用于其他域.我只关心Certificate #1的结果.

UPDATE 6: Certificate #2 can be ignored for the effects of my question because it applies to a different domain. I only care about the results for Certificate #1.

更新7 :网络托管公司的支持团队和SSL证书发行者支持团队确认SSL证书及其安装一切正常，并且他们建议这可能是关于Android的问题适用于Android 4.x和5.x的SDK会引起混淆，而不是SSL证书的实际问题.使用SSL证书，一切看起来都很好.

UPDATE 7: The web hosting company support team and the SSL certificate issuer support team confirm that everything is fine with the SSL certificate and its installation, and they suggest this might be an issue about the Android SDK for Android 4.x and 5.x getting confused, and NOT an actual problem with the SSL certificate. Everything looks good with the SSL certificate.

更新8 :我在服务器上禁用了TLS 1.1及更早版本以符合SSL标准，并且我开始怀疑该错误的原因是Android 4.x和5.x.可能希望看到支持TLS 1.1及更早版本的库，如果该库不存在，则即使我确实拥有TLS 1.2，它也会自动引发SSL错误.那是我的一个假设.例如，我正在阅读 https://help.salesforce.com/articleView关于准备针对TLS 1.0弃用的移动应用程序"的?id = 000231452& type = 1 信息，他们说:

UPDATE 8: I disabled TLS 1.1 and earlier on the server to comply with SSL standards and I am starting to suspect more that the cause of the bug is that Android 4.x and 5.x may expect to see libraries for support for TLS 1.1 and earlier and when it is not present, then it automatically throws an SSL error even though I do have TLS 1.2. That is one hypothesis that I have. For example, I was reading at https://help.salesforce.com/articleView?id=000231452&type=1 information about "Preparing mobile apps for TLS 1.0 deprecation" and they say this:

Android.不幸的是，可能需要做一些工作来确保 当您在TLS上禁用TLS 1.0时，您的Android应用程序不会中断 Salesforce实例.我们有一个强制实施TLS 1.1和1.2的修复程序 Mobile SDK Android应用程序.

Android. Unfortunately, some work might be required to ensure that your Android applications don’t break when TLS 1.0 is disabled on a Salesforce instance. We have a fix that enforces TLS 1.1 and 1.2 on Mobile SDK Android applications.

因此，他们意识到禁用TLS 1.0可能会使某些Android应用程序因Salesforce实例而中断，并且他们知道在禁用TLS 1.0之后必须做一些工作来解决该问题.同样，我开始怀疑在我的情况下，问题可能出在服务器中缺少对TLS 1.0及更早版本的支持.

So they were aware of the fact that disabling TLS 1.0 might make some Android apps to break for Salesforce instances, and they knew some work had to be done to fix that after disabling TLS 1.0. Similarly, I am starting to suspect that in my case, the problem could be the lack of support in my server for TLS 1.0 and earlier.

UPDATE 9 :在我向COMODO CA支持解释了我在 UPDATE 8 中提到的内容之后，这是他们的答复:

UPDATE 9: After I explained to COMODO CA support what I mentioned in UPDATE 8, this was their reply:

感谢您与Comodo CA支持联系. Android版本4.3和 早期版本不支持TLS 1.2.由于您仅启用了TLS 1.2 服务器，将不会从以下位置建立到您服务器的连接 这些旧设备.证书检查仅在 建立连接.

Thank you for contacting Comodo CA support. Android versions 4.3 and earlier do not support TLS 1.2. As you have enabled only TLS 1.2 on the server, no connections will be established to your server from those legacy devices. Certificate check happens only after establishing the connection.

更新10 :一切似乎都表明我正在发生的事情是

UPDATE 10: Everything seems to indicate that what is happening to me is what is explained at https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/:

我最近不得不在一个Android应用程序上工作，该应用程序使用了一个API，出于安全原因，该API删除了对TLS 1.0连接的支持.用于SSLSocket的Android文档说，在Android起始API级别16+(Android 4.1，Jelly Bean)中，支持TLS 1.1和TLS 1.2.但默认情况下它是禁用的，但从API级别20+开始(用于手表的Android 4.4，用于手机的Kitkat Watch和用于电话，Lollipop的Android 5.0)，它们已启用.但是，很难找到任何有关如何例如在运行4.1的手机上启用它的文档.

I recently had to work on an Android application that consumed an API which removed support for TLS 1.0 connections for security reasons. The Android documentation for SSLSocket says that TLS 1.1 and TLS 1.2 is supported within android starting API level 16+ (Android 4.1, Jelly Bean). But it is by default disabled but starting with API level 20+ (Android 4.4 for watch, Kitkat Watch and Android 5.0 for phone, Lollipop) they are enabled. But it is very hard to find any documentation about how to enable it for phones running 4.1 for example.

更新11 :查看 https://github .com/wireapp/wire-android/issues/1450 ，例如， wire.com 一个流行的协作平台，证明缺乏对Android 4.x的支持:

UPDATE 11: Looking at https://github.com/wireapp/wire-android/issues/1450, this is for example how wire.com, a popular collaboration platform, justifies the lack of support for Android 4.x:

您好，谢谢您的反馈.不幸的是，升级到TLSv1.2 是提高通信安全性的必要步骤 在我们的服务器和客户端之间，而这并不是我们真正需要的东西 愿意重新考虑.与所有涉及删除的决定一样 支持某些旧版本，有些人的 设备将被丢弃.但是，鉴于以下方面的收益 安全性，因为只有极少数的人会丧生 支持，我们决定升级.知道我们并不孤单 放弃对TLS 1.2之前的版本的支持，就像Github本身所做的一样. 除了上述所有原因之外，Android 4.x手机还是比较老的设备 最有可能未从其接收到任何安全更新 制造商，因此，如果您是具有隐私意识"的用户，我建议您 更新了一些内容(2014年推出了Android 5).是 抱歉，如果您觉得自己被抛在了后面，但请理解 做出此决定时最先考虑安全性 重要因素.

Hi, thank you for your feedback. Unfortunately, upgrading to TLSv1.2 was a necessary step to increase the security of the communications between our servers and the clients, and it is not really something we are open to reconsider. As with all decisions that involve dropping support for older versions of something, there will be people whose devices will be left behind. However, given the gains in terms of security and given the very small number of people that will lose support, we made the decision to upgrade. Know that we're not alone in dropping support for TLS pre-1.2, as Github itself has done the same. On top of all these reasons, Android 4.x phones are quite old devices that most likely are not receiving any security updates from their manufacturers, so if you are a "privacy-aware" user I would recommend getting something more recent (Android 5 came out in 2014). We're sorry if you felt like you were left behind, but please understand that this decision was taken with security in mind as the most important factor.

更新12 :有关问题所在和解决方法的有趣链接:

UPDATE 12: Interesting link about what the problem is and what to try to fix it: https://medium.com/tech-quizlet/working-with-tls-1-2-on-android-4-4-and-lower-f4f5205629a. I already moved on as you can see in my answer to my own question, but maybe this link could be useful to somebody else.

推荐答案

从您的描述来看，这似乎是Android问题.可能已在较新版本中修复.如果我不得不猜测，我会说您的证书解析在Android端的某个地方默默失败，并且片刻之后，当Android尝试获取PeerCertificates()时，它会抛出异常，因为它们未初始化(由于我正在猜测的无声失败).如果失败不是无法解决的，则可能会尝试在问题发生之前找到一些堆栈跟踪.

From your description it looks like it's Android issue. Probably fixed in newer versions. If I would have to guess I would say that parsing of your certificate fails silently somewhere on Android side and after a moment when Android tries to getPeerCertificates() it throws exception because they were not initialized (due to the silent fail which I'm speculating about). Potentially if the fail is not silent you could try to find some stacktraces before your issue happens.

您还可以尝试通过将网站调整为旧版Android操作系统可接受的方法来解决此问题.我没有好的建议或解决方案，但首先要比较您的证书和来自旧Android OS观点很好的网站的证书.

You could also try to workaround it by adjusting your site to be acceptable for old Android OS. I don't have good advice or solution but I would start with comparing your certificate with certificates from sites which are fine from old Android OS perspective.

这篇关于javax.net.ssl.SSLPeerUnverifiedException:在Android 4.x和5.x上没有对等证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！