What Do We Use for Android N Network Security Configuration for a Self-Signed Certificate?


Question

I am trying to test out all aspects of the network security configuration capability of the N Developer Preview. I have most of it working, but I am stumped by the self-signed certificate scenario.

According to the docs, Android N should be happy with a PEM or DER file, as it is for other certificate validation scenarios. However, I do not work with self-signed certificates much, and my attempts to get this working keep running into certificate path validation exceptions.

For testing, I am using thin as the server, running on my development machine, reachable by an N emulator. The self-signed certificate works for browsers on my development machine, and if I switch to running thin sans SSL, apps can reach the server just fine. So, it's not a connectivity issue.

I created the self-signed certificate using the instructions on this site:

# Generate a 2048-bit RSA private key
sudo openssl genrsa -out "/etc/[webserver]/ssl/example.key" 2048
# Create a certificate signing request for that key
sudo openssl req -new -key "/etc/[webserver]/ssl/example.key" \
                 -out "/etc/[webserver]/ssl/example.csr"
# Self-sign the request with the same key, valid for 365 days
sudo openssl x509 -req -days 365 -in "/etc/[webserver]/ssl/example.csr" \
                  -signkey "/etc/[webserver]/ssl/example.key" \
                  -out "/etc/[webserver]/ssl/example.crt"

According to this Stack Overflow answer, the example.crt file is a PEM file. Elsewhere, I see instructions for creating a "combined PEM" file. However, I tried both of these, with no luck.

In terms of the network security configuration stuff, I have tried both <domain-config> and <debug-overrides>. The latter looks like:

<?xml version="1.0" encoding="utf-8"?>

<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="@raw/selfsigned"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>

But, I get the validation error in either case.

What exactly should we be putting in as a PEM or DER file, as a raw resource, that makes this work?

Recommended answer

This appears to be working on N Developer Preview 2, using the example.crt generated by the openssl scripts shown in the question. For the moment, I am going to assume that there was a change in N Developer Preview 2 compared to N Developer Preview 1 that accounts for the change.
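
A pre-flight check for the file that will become res/raw/selfsigned, added here as an example and not part of the original question or answer. It separates the certificate (example.crt) from the key, the CSR and a "combined PEM", assumed here to mean key and certificate concatenated in one file; `inspect_trust_anchor` is a hypothetical name and the sample blobs are constructed stubs, not real certificates.

```python
import base64
import re

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def inspect_trust_anchor(data: bytes) -> dict:
    """Classify a file intended for res/raw as a <certificates src> anchor."""
    result = {"format": None, "certificates": 0, "problems": [], "usable": None}
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="ignore"))
    if not blocks:
        # No PEM armor. DER starts with an ASN.1 SEQUENCE tag (0x30), but so do
        # DER keys and CSRs, so "usable" stays None (undetermined) here.
        if data[:1] == b"\x30":
            result["format"] = "DER"
        else:
            result["problems"].append("neither PEM nor DER")
            result["usable"] = False
        return result
    result["format"] = "PEM"
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            result["problems"].append(f"{label}: body is not valid base64")
            continue
        if "PRIVATE KEY" in label:
            result["problems"].append(f"{label}: private key would ship in the APK")
        elif label != "CERTIFICATE":
            result["problems"].append(f"{label}: not a certificate")
        elif der[:1] != b"\x30":
            result["problems"].append("CERTIFICATE: body is not an ASN.1 SEQUENCE")
        else:
            result["certificates"] += 1
    result["usable"] = result["certificates"] > 0 and not result["problems"]
    return result

# Constructed samples: a 5-byte stub SEQUENCE stands in for real DER content.
STUB_DER = b"\x30\x03\x02\x01\x00"
def pem(label: str) -> bytes:
    b64 = base64.b64encode(STUB_DER).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()

EXAMPLE_CRT = pem("CERTIFICATE")                      # stands in for example.crt
COMBINED_PEM = pem("RSA PRIVATE KEY") + EXAMPLE_CRT   # key + cert in one file
EXAMPLE_CSR = pem("CERTIFICATE REQUEST")              # stands in for example.csr
```

Only the file containing a single CERTIFICATE block comes back usable; anything placed under res/raw is readable by whoever has the APK, which is why a file carrying the server's private key is rejected.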
