SSL证书在android应用中已过期，但在PC /移动浏览器中未过期 [英] SSL certificate expired in android app but not in pc/mobile browsers

问题描述

所以这是一个奇怪的情况。我有一个在https上运行的网站。我在android上也有一个应用程序，可以利用该网站进行其余的API调用。到目前为止，一切都很好。最近，我的房东改变了一些东西，一切都崩溃了。当我从浏览器发出休息请求时，它工作正常。但是，当我使用该应用程序进行操作时，它不起作用，并出现以下异常：

javax.net.ssl.SSLHandshakeException：com .android.org.bouncycastle.jce.exception.ExtCertPathValidatorException：
无法验证证书：证书于2014年8月21日星期四06:03:34过期（与2015年8月22日星期六相比） b $ b在com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake（OpenSSLSocketImpl.java

但是在PC和I上一切正常

所以我走了一步，尝试用浏览器浏览我的网站，但结果很有趣。在300个浏览器中，

http://i.stack.imgur.com/d86tE.png


http://oi60.tinypic.com/30ml1n4.jpg

此外，我现在在安装SSL时在主机中收到此警告。

注意：您没有专用的IP地址。结果，不支持SNI的Web浏览器可能会在用户访问您的任何SSL网站时向您的用户发出错误的安全警告。 Windows XP™上的Microsoft®Internet Explorer™是使用最广泛的Web浏览器，不支持SNI。

我不是100％确定此警告是否早存在，但我只是想将所有内容放在一起。

在我的应用程序上的代码没有错电话已停止工作，而之前已开始工作。

解决方案

服务器名称指示（SNI）表示客户端（浏览器，应用程序）在SSL / TLS握手中发送预期的主机名。这类似于主机HTTP标头和
如果您的客户端不支持SNI，则该服务器将发送回一些默认证书，或者触发SSL / TLS握手错误。 / p>

所有现代浏览器均支持SNI ，但较旧的浏览器或平台（如XP上的IE8）不支持SNI。也是Android SDK随附的Apache HTTP请求库不支持SNI ，这可能是您遇到的问题。

到目前为止一切正常。最近，我的托管服务商更改了某些内容，一切都崩溃了。

我想这是不完整更改的结果。似乎使用SNI的客户端的证书已替换为较新的版本，因为先前的证书已过期。但是该站点的默认证书（即用于非SNI客户端的默认证书）仍然是旧的过期证书。这样，您将获得所有使用SNI的客户端的有效证书，但所有客户端均无法执行SNI的错误将过期。

So here's a weird situation. I have a website running on https. I also have an app on android which leverages this website to make rest API calls. Everything was working fine until now. Recently my hoster changed something and everything is falling apart. When I fire rest request from browser it works fine. But when I do it using the app it doesn't work and I get this exception:

javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Thu Aug 21 06:03:34 EDT 2014 (compared to Sat Aug 22 17:41:59 EDT 2015) at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java

But everything working fine on pc and I double checked the certificates are expiring on 2016.

So I went a step further and tried to browsershot my website and I got some funny results. Out of 300 browsers I got the same issue in a couple of them.

http://i.stack.imgur.com/d86tE.png
http://oi60.tinypic.com/30ml1n4.jpg

Also I'm now getting this warning in my host while installing SSL.

"Note: You do not have a dedicated IP address. As a result, web browsers that do not support SNI will probably give false security warnings to your users when they access any of your SSL websites. Microsoft® Internet Explorer™ on Windows XP™ is the most widely used web browser that does not support SNI."

I'm not 100% sure whether this warning was there earlier or not but I'm just trying to put the pieces together.

There is nothing wrong with the code as my apps on the phone have stopped working which was working earlier.

解决方案

Server Name Indication (SNI) means that the client (browser, app) sends the expected host name inside the SSL/TLS handshake. This is similar to the Host HTTP header and makes it possible to have multiple virtual servers with different hostnames share the same IP address. If your client does not support SNI the server will either send some default certificate back or will trigger an error in the SSL/TLS handshake.

SNI is supported by all modern browsers, but older browsers or platforms like IE8 on XP do not support SNI. Also the Apache HTTP Request Library as shipped with the Android SDK does not support SNI which might be the issue in your case.

Everything was working fine until now. Recently my hoster changed something and everything is falling apart.

I guess this is the result of an incomplete change. It looks like the certificate for clients using SNI was replaced with a newer version because the previous one expired. But the default certificate of the site, i.e. the one used for non-SNI clients, is still the old expired certificate. Thus you get a valid certificate with all clients using SNI but an expired error with all clients not capable of doing SNI.

这篇关于SSL证书在android应用中已过期，但在PC /移动浏览器中未过期的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！