Using IP address for common name in server certificate does not work in Android?


Question

I've been investigating this issue and found something interesting. If I use a server keystore which stores a server certificate with the common name set to a real domain to establish a connection with the server, it works fine; however, if I use an IP address instead for the common name it does not work, but only in a self-made app on an Android device (not in a desktop browser or a browser app on the Android device). Note: I used openssl to create these two certificates/keystores.

And it turns out this exception is "host name not verified".

But the strange thing is that in a browser, on desktop or on the Android device, both are fine.

After investigation I found that we can actually build our own host name verifier which can add an exception for the host name, but how does Android's default verifier work? It must be some code that skips the IP address as common name and returns false.

I checked okhttp's source code and found the line of code that is throwing the exception,

but I cannot find the code that customizes the host name verifier.

Can anyone offer me some hints about this?

Thanks~

Update:
After debugging in Android Studio, the verifier actually used at runtime is OkHostnameVerifier.

It checks whether the host name is an IP address; if it is, it checks all the subject alternative names in the certificate and returns true if a match is found, otherwise false.

// OkHostnameVerifier (OkHttp): an IP host name is matched only against the
// certificate's iPAddress subject alternative names, never against the CN.
private boolean verifyIpAddress(String ipAddress, X509Certificate certificate) {
  for (String altName : getSubjectAltNames(certificate, ALT_IPA_NAME)) {
    if (ipAddress.equalsIgnoreCase(altName)) {
      return true;
    }
  }
  return false;
}


Recommended answer


If I use a server keystore which stores a server certificate with the common name set to a real domain for establishing a connection with the server it works fine, however if I use an IP address instead for the common name it does not work,

That's how it should work. IP addresses have to be given as a subject alternative name of type IP. Unfortunately, different browsers handle this in different ways and often contrary to the standard. Some accept an IP in the common name, others don't. Some expect the address as a DNS entry in the subject alternative name section instead of an IP entry. To be on the safe side you should therefore use subject alternative names of both types, IP and DNS.


we can build our own host name verifier which can add an exception for the host name

Don't do this. If you ignore the host name then the validation is reduced to just the check of the trust chain, which means any certificate signed by a trusted CA can be used for a transparent man-in-the-middle attack against any other host. Even if you disable the name check only for IP addresses, it is still possible to use any valid certificate once the user accesses a site by IP.
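The fix the answer describes, as an added example that is not part of the original post: a POSIX shell script using openssl that issues one self-signed certificate with the address only in the CN (what the asker did) and one with the address as both IP and DNS subject alternative names, then checks each with openssl verify's -verify_ip, which, like OkHostnameVerifier, matches an IP only against iPAddress SAN entries. The address 192.0.2.10 and the file names are constructed values for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
# 192.0.2.10 is a constructed example address (RFC 5737 documentation range).
set -u
IP_ADDR="192.0.2.10"

# Writes a minimal "openssl req" config; $2, if non-empty, becomes the subjectAltName.
write_cnf() {           # $1 = config path, $2 = SAN value or empty
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    [ -n "${2:-}" ] && printf 'x509_extensions = san\n[san]\nsubjectAltName = %s\n' "$2"
    printf '[dn]\nCN = %s\n' "$IP_ADDR"
  } > "$1"
}

# Self-signed certificate with CN=IP_ADDR; SAN only when $2 is given.
make_cert() {           # $1 = output prefix, $2 = SAN value or empty
  write_cnf "$1.cnf" "${2:-}"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Mirrors OkHostnameVerifier.verifyIpAddress: succeeds only if $2 appears as an
# iPAddress SAN entry of $1. The CN is never consulted for IP host names.
verify_by_ip() {        # $1 = certificate file, $2 = IP address
  openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

main() {
  dir=$(mktemp -d)
  make_cert "$dir/cn" ""                               # IP only in the CN
  make_cert "$dir/san" "IP:$IP_ADDR, DNS:$IP_ADDR"     # IP as SAN of both types
  for c in cn san; do
    if verify_by_ip "$dir/$c.crt" "$IP_ADDR"; then echo "$c.crt: accepted for $IP_ADDR"
    else echo "$c.crt: rejected, IP address mismatch (same as on Android)"; fi
  done
  openssl x509 -in "$dir/san.crt" -noout -text | grep -A1 'Subject Alternative Name'
  rm -rf "$dir"
}
main
```

Expected result: cn.crt is rejected and san.crt is accepted, and the SAN line of san.crt shows both the IP Address and DNS entries.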
