Override onReceivedSslError does not work with Android KitKat Web view


Problem description

I can bypass the SSL errors when accessing an https URL which has an untrusted certificate with the following code with the WebView below version KitKat:

public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed();
}

But it does not work for the KitKat browser. Any ideas to solve it?

Recommended answer

I recently came up against this problem too. This is not documented, but it seems that calling the method onReceivedSslError on Android 4.4 KitKat depends on the type of SSL error. I checked these two cases:


  • If the SSL error is due to a self-signed server certificate, it does invoke the onReceivedSslError method in Android KitKat 4.4, as it did in older versions.

  • However, if the SSL error cause is a bad certificate chain (LogCat showing the message: "Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found."), then onReceivedSslError is not called in KitKat, as it was called in older Android versions, and thus the error cannot be ignored or bypassed in 4.4. This was my case, and I do not know whether this is a bug or done on purpose to prevent MITM attacks, but I did not find a programmatic way to work around this.

The underlying problem for me was that the web server did not expose the full certificate chain but only the last certificate, leaving to the device the responsibility to validate the full chain, provided it has all the certificates stored in the device cert store, which was not the case for Android devices. You could make sure if this was also your problem either by:

a) Checking the certificate chain with an online certificate checker, such as: http://www.digicert.com/help/

b) Using openssl to verify the received certificate chain:

openssl s_client -showcerts -connect :443

You can see the certificate chain there, which should contain two or more certificates, and if the result ends with something like:

Verify return code: 21 (unable to verify the first certificate)

you are likely to have a similar problem as I had.

The solution was to fix the web server configuration so the server exposes the full certificate chain to the hosts.
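Check (b) can be scripted against saved `openssl s_client -showcerts` output. The Python below is an added example, not part of the original answer: it counts the certificates the server sent, reads the verify return code, and separates the self-signed case from the leaf-only case the answer describes. The sample output, host names and verdict strings are constructed for illustration.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output (PEM bodies
# omitted, names are invented): the server sends only its leaf certificate.
SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.test
   i:/O=Example CA/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:\s*(.+?)\s*$")  # " 0 s:<subject>"
ISSUER_RE = re.compile(r"^\s+i:\s*(.+?)\s*$")           # "   i:<issuer>"
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)")


def diagnose(output):
    """Summarise the chain a server sent and why verification failed."""
    chain, code = [], None
    for line in output.splitlines():
        subj = SUBJECT_RE.match(line)
        iss = ISSUER_RE.match(line)
        ver = VERIFY_RE.search(line)
        if subj:
            chain.append({"subject": subj.group(2), "issuer": None})
        elif iss and chain and chain[-1]["issuer"] is None:
            chain[-1]["issuer"] = iss.group(1)
        elif ver:
            code = int(ver.group(1))
    # Each certificate sent should be issued by the next one in the list.
    linked = all(a["issuer"] == b["subject"] for a, b in zip(chain, chain[1:]))
    if code == 0:
        verdict = "ok"
    elif len(chain) == 1 and chain[0]["subject"] == chain[0]["issuer"]:
        verdict = "self-signed"
    elif len(chain) == 1 and code in (20, 21):
        # 20/21: the issuer of the first certificate could not be found.
        verdict = "leaf-only: intermediates missing"
    else:
        verdict = "untrusted or broken chain"
    return {"sent": len(chain), "code": code, "linked": linked, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LEAF_ONLY))
```

A "leaf-only" verdict points at the server configuration fix described in the answer: serve the intermediate certificates along with the leaf.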
