android https CertPathValidatorException: TrustAnchor found but certificate validation failed


Question

Has anyone met the exception below?

It occurs randomly. After it has happened, https connections cannot be used anymore. The whole application needs to restart.

The scenario: after a detailed trace of the code, I updated the scenario:

1. The application has 3 processes in the same application.
2. The main UI process invokes the https request in another thread.
3. The other 2 processes hold the 2 services. One service will also invoke an https request in another thread.
4. When the user logs out, it will stop the 2 services.
5. When the user logs in again, the main UI process invokes the https request and then fails.

The code is as follows:

import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import android.text.TextUtils;
import org.apache.http.client.methods.HttpPost;   // only used for HttpPost.METHOD_NAME ("POST")

URL url = new URL(mUri);
urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setRequestMethod(mMethod);
// Only a POST carries a request body.
if (mMethod.equals(HttpPost.METHOD_NAME)) {
    urlConnection.setDoOutput(true);
}
else {
    urlConnection.setDoOutput(false);
}
urlConnection.setDoInput(true);
urlConnection.setUseCaches(false);
urlConnection.setChunkedStreamingMode(0);   // 0 = default chunk size
...
if (!TextUtils.isEmpty(mJsonContent)) {
    // getOutputStream() opens the connection and runs the TLS handshake;
    // this is the frame where the SSLHandshakeException below is thrown.
    OutputStreamWriter wr = new OutputStreamWriter(urlConnection.getOutputStream());
    wr.write(mJsonContent);
    wr.close();
}
//Get Response
InputStream inputStream;
int statusCode;
statusCode = urlConnection.getResponseCode();
...
inputStream = urlConnection.getInputStream();
String bodyContent = convertStreamToString(inputStream);
inputStream.close();

if (urlConnection != null) {
    urlConnection.disconnect();
}

I would like to know what the root cause can be. Currently I have no clue how to solve this error. The https connection runs in another thread. After getting the response, it posts back to the main thread.

W/System.err( 7158): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.
W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:409)
W/System.err( 7158):    at com.android.okhttp.Connection.upgradeToTls(Connection.java:146)
W/System.err( 7158):    at com.android.okhttp.Connection.connect(Connection.java:107)
W/System.err( 7158):    at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:294)
W/System.err( 7158):    at com.android.okhttp.internal.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)
W/System.err( 7158):    at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:206)
W/System.err( 7158):    at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:345)
W/System.err( 7158):    at com.android.okhttp.internal.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:89)
W/System.err( 7158):    at com.android.okhttp.internal.http.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:197)
W/System.err( 7158):    at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:254)
W/System.err( 7158):    at com.xxxx.xxx.util.http.AsyncHttpsClient$AsyncRequest.run(AsyncHttpsClient.java:304)
W/System.err( 7158):    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err( 7158):    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err( 7158):    at java.lang.Thread.run(Thread.java:841)
W/System.err( 7158): Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.
W/System.err( 7158):    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:308)
W/System.err( 7158):    at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:202)
W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:611)
W/System.err( 7158):    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
W/System.err( 7158):    ... 13 more
W/System.err( 7158): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.
W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:122)
W/System.err( 7158):    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:190)
W/System.err( 7158):    at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:295)
W/System.err( 7158):    ... 17 more
W/System.err( 7158): Caused by: com.android.org.bouncycastle.jce.provider.AnnotatedException: TrustAnchor found but certificate validation failed.
W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.findTrustAnchor(CertPathValidatorUtilities.java:235)
W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:117)
W/System.err( 7158):    ... 19 more
W/System.err( 7158): Caused by: java.security.NoSuchAlgorithmException: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
W/System.err( 7158):    at com.android.org.conscrypt.NativeCrypto.X509_verify(Native Method)
W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLX509Certificate.verifyOpenSSL(OpenSSLX509Certificate.java:334)
W/System.err( 7158):    at com.android.org.conscrypt.OpenSSLX509Certificate.verify(OpenSSLX509Certificate.java:367)
W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.verifyX509Certificate(CertPathValidatorUtilities.java:1427)
W/System.err( 7158):    at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.findTrustAnchor(CertPathValidatorUtilities.java:222)
W/System.err( 7158):    ... 20 more


Answer

According to other sources like [1,2] you probably have an outdated OpenSSL version. Try updating your OpenSSL version. Minimal version: OpenSSL 0.9.8o

Your BouncyCastle uses OpenSSL (com.android.org.conscrypt.OpenSSLX509Certificate.verify) to verify the certificate.

The exception java.security.NoSuchAlgorithmException: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm means the certificate uses a digest that is not handled by the OpenSSL, most probably SHA256.

UPDATE 01: As noted in the comments, in Android you cannot update the system OpenSSL. Let's experiment:


  • Try with your code (if possible) to access a domain using a (valid) SHA-256 certificate, and see whether it fails in 100% of cases: https://www.fi.muni.cz/

Then you can try to discover more details about your client support here: https://www.ssllabs.com/ssltest/viewMyClient.html

Then more info about your server (ciphersuites, notice digests): https://www.ssllabs.com/ssltest/index.html

What are your Android and OkHttp versions? Your system uses https://conscrypt.org/ as a crypto provider. You can try to avoid using the system-bundled OpenSSL & BouncyCastle versions by using a new version of BouncyCastle: SpongyCastle.

Follow the instructions here https://rtyley.github.io/spongycastle/ to install SpongyCastle as a new and preferred crypto provider (core, prov, pkix). If SpongyCastle is in effect, your stack trace will contain spongycastle packages.
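The checks this answer asks for, carried out in code (an added example, not code from the question or the answer): it captures the chain a server presents even when the platform validator rejects it, reports the signature algorithm of every certificate together with which installed provider can verify it, and then re-runs PKIX path validation against the platform trust anchors through SpongyCastle. It assumes the SpongyCastle core, prov and pkix jars are on the classpath (provider name "SC"); the class and method names are mine. CapturingTrustManager deliberately records the platform's verdict instead of aborting the handshake so that the chain can be inspected; it exists only for this diagnostic and must never be used in a shipping build.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.Signature;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import org.spongycastle.jce.provider.BouncyCastleProvider; // assumed on the classpath (core, prov, pkix)

public final class ChainDigestCheck {

    /** Diagnostic only: records the chain and the platform verdict instead of failing the handshake. */
    static final class CapturingTrustManager implements X509TrustManager {
        final X509TrustManager platform;
        X509Certificate[] chain;
        CertificateException failure;

        CapturingTrustManager() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);                  // null = platform default trust store
            platform = (X509TrustManager) tmf.getTrustManagers()[0];
        }
        @Override public void checkServerTrusted(X509Certificate[] certs, String authType) {
            chain = certs.clone();
            try { platform.checkServerTrusted(certs, authType); }
            catch (CertificateException e) { failure = e; } // swallowed on purpose; never ship this class
        }
        @Override public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
            platform.checkClientTrusted(certs, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
    }

    /** Handshake once with the capturing manager and return whatever chain the server presented. */
    static X509Certificate[] fetchChain(String host, int port, CapturingTrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        return tm.chain;
    }

    /** Offline variant: a chain saved as PEM (for example from openssl s_client -showcerts). */
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends Certificate> certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** For each cert: the algorithm it was signed with, and which provider (if any) can verify that algorithm. */
    static void reportSignatureAlgorithms(X509Certificate[] chain) {
        for (X509Certificate c : chain) {
            String alg = c.getSigAlgName();            // e.g. SHA256WITHRSA
            String served;
            try { served = Signature.getInstance(alg).getProvider().getName(); }
            catch (NoSuchAlgorithmException e) { served = "NO PROVIDER (" + e.getMessage() + ")"; }
            System.out.println(c.getSubjectX500Principal() + "\n  " + alg + " (" + c.getSigAlgOID() + ") -> " + served);
        }
    }

    /** Re-run PKIX path validation against the platform anchors with all crypto routed through providerName. */
    static void validateWith(String providerName, X509Certificate[] chain, X509TrustManager tm) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : tm.getAcceptedIssuers()) anchors.add(new TrustAnchor(root, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);             // isolate the signature/digest question from revocation
        params.setSigProvider(providerName);            // signature checks go to this provider, not the cert's own verify()
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);               // a self-signed root belongs in the anchors, not the path
        }
        // Re-parse the chain with the provider's own factory so the certificate objects are not Conscrypt's.
        CertPath cp = CertificateFactory.getInstance("X.509", providerName).generateCertPath(path);
        try {
            CertPathValidator.getInstance("PKIX", providerName).validate(cp, params);
            System.out.println(providerName + ": chain validates");
        } catch (CertPathValidatorException e) {
            System.out.println(providerName + ": " + e.getMessage() + " (cause: " + e.getCause() + ")");
        }
    }

    public static void main(String[] args) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        String target = args.length > 0 ? args[0] : "www.fi.muni.cz";  // SHA-256 host suggested in the answer
        X509Certificate[] chain = target.endsWith(".pem") ? loadChain(target) : fetchChain(target, 443, tm);
        System.out.println("platform validator: " + (tm.failure == null ? "accepted (or not consulted)" : tm.failure));
        reportSignatureAlgorithms(chain);

        Security.insertProviderAt(new BouncyCastleProvider(), 1);   // make SpongyCastle the preferred provider
        validateWith("SC", chain, tm);
    }
}
```

Run it with a hostname (it defaults to the SHA-256 host from the answer) or, offline, with the path of a chain saved from openssl s_client -showcerts. The useful comparison is the two verdicts: if the platform validator reports the unknown message digest algorithm failure for a chain whose algorithms all resolve to a provider and which SpongyCastle validates cleanly, the problem is in the device's OpenSSL-backed verification path rather than in the chain itself; if SpongyCastle also rejects it, look at the certificates.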
