Suddenly getting "Error: TrustFailure (The authentication or decryption has failed.)" on my Xamarin Android app


Problem description

Just out of the blue, my app started getting this error when making calls to a REST API via https. I was working on a mod that added an Intent to handle opening files of a certain file extension, but I doubt that that was the cause.

Rather, the issue is similar to this one: Invalid certificate received from server

My cert is also by Comodo and has been installed since April of this year. The solution of disabling the COMODO RSA Certification Authority did not work.

The server is a VPS, and the host underwent a hardware upgrade around the time that this error started to appear, but I'm also not sure that that would be the reason, since the browser shows SSL as fine and the iOS version of the app is also working fine.

The code in the app that makes the call to the server is in a utility class and I did not change that code at all. The minor change that I did was to add an intent, which I then removed, and the error is still there.

Here are the error messages including the inner exceptions and the stack trace:

System.Net.WebExceptionStatus.TrustFailure

ex.InnerException.Message - The authentication or decryption has failed.

ex.InnerException.InnerException.InnerException.Message - Invalid certificate received from server. Error code: 0xffffffff800b010b

ex.InnerException.InnerException.StackTrace
  at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (System.IAsyncResult asyncResult) [0x0003a] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:430 
  at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (System.IAsyncResult ar, System.Boolean ignoreEmpty) [0x00000] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:256 
  at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (System.IAsyncResult result) [0x00071] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:418 

ex.InnerException.StackTrace
  at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (System.IAsyncResult asyncResult) [0x00051] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:883 
  at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsClient (System.IAsyncResult asyncResult) [0x00011] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/System/Mono.Net.Security/LegacySslStream.cs:475 
  at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00000] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/System/Mono.Net.Security/LegacySslStream.cs:445 
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x0004e] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/System/Mono.Net.Security/MonoTlsStream.cs:106 

I'm using the standard port 443. I checked the bindings and there are no issues; it says that the cert is 'ok' when I view the certification path status.

I am getting the error when using an actual device, not an emulator.

Any help is appreciated.

***** UPDATE

I called Comodo's support and found out the issue is with Android's certificate store not being up to date and using the old legacy SHA. So the certification path 2 was coming back to the client with an 'Extra Download' status. There supposedly is a cert named 'COMODO RSA Certification Authority' in my server expiring in 2036 that interferes with the 'COMODO RSA Certification Authority' intermediate certificate expiring in 2020. Here are the details of that cert:

[Root] Comodo RSA Certification Authority (SHA-2)
Serial Number: 4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Validity (Expires) : Jan 18 23:59:59 2038 GMT

However, I couldn't find it in either local computer or current user. Since this is a VPS/virtual machine, the problem may be that the host machine may be adding this in the virtual network communication/response back to the client. The problem now is that the hosting company doesn't want to disable the cert in the host machine.

Recommended answer

I got it working. As I mentioned in my update above, the issue is with Android's certificate store not being up to date and using the old legacy SHA. So the certification path 2 was coming back to the client with an 'Extra Download' status. There is a cert named 'COMODO RSA Certification Authority' expiring in 2036 that interferes with the 'COMODO RSA Certification Authority' intermediate certificate expiring in 2020. I had already deleted it; that's why I couldn't find it anymore.

The fix is to find & disable or delete this cert, replace it with new certs downloaded from Comodo's website, and reboot the machine.

Here are the details of the cert to disable/delete:

[Root] Comodo RSA Certification Authority (SHA-2)

Serial Number: 4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d

Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority

Validity (Expires) : Jan 18 23:59:59 2038 GMT

The new certs are:

comodorsadomainvalidationsecureserverca.crt

comodorsaaddtrustca.crt

addtrustexternalcaroot.crt

I can't find the page where I downloaded all three from; the Comodo tech support rep helped me navigate to this page.

To disable the cert, go into Certification Manager from the MMC, right click to open, click on the Details tab, click on the Edit Properties button and, in the Certificate Purposes area, choose the 'Disable for all purposes' radio option.

Import the new certs and reboot.

And instead of using SSLChecker, I recommend SSL Server Test by Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) as it's more accurate & detailed.
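
One way to do the "find" step from the answer on a Windows server, as an added example that is not part of the original post: it searches both the Local Computer and Current User stores for the serial number quoted above, then lists the chain Windows builds locally for the site certificate. `$siteThumbprint` is a placeholder that must be set to the thumbprint of your own server certificate, and the `LocalMachine\My` location is an assumption about where that certificate is installed.

```powershell
# Serial number copied from the answer above. .NET reports serials as hex
# without separators, so strip the colons (-eq is case-insensitive here).
$serial = '4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d' -replace ':', ''

# 1. Look for every copy of that certificate in all stores of both locations.
$hits = Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.SerialNumber -eq $serial
    }

if ($hits) {
    $hits | Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '^.*::', '' } },
                          Subject, Issuer, NotAfter, Thumbprint |
            Format-List
} else {
    Write-Output "No certificate with serial $serial found in any store."
}

# 2. List the chain Windows builds for the site certificate, leaf first.
#    Placeholder (assumption): replace with your server certificate's thumbprint.
$siteThumbprint = '<THUMBPRINT-OF-SERVER-CERT>'
$leafPath = "Cert:\LocalMachine\My\$siteThumbprint"

if (Test-Path -Path $leafPath) {
    $leaf  = Get-Item -Path $leafPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation checks so the result reflects path building only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)

    $chain.ChainElements | ForEach-Object {
        $_.Certificate | Select-Object Subject, SerialNumber, NotAfter,
            @{ n = 'IsCertFromAnswer'; e = { $_.SerialNumber -eq $serial } }
    } | Format-Table -AutoSize
} else {
    Write-Output "Set `$siteThumbprint to the thumbprint of the site certificate first."
}
```

Run it from an elevated PowerShell prompt before and after disabling the certificate and importing the new ones, and compare the chain listings.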
