为什么安卓得到错误的SSL证书? (两个域,一个服务器) [英] Why does android get the wrong ssl certificate? (two domains, one server)
问题描述
我有两个域: foo.net 和 bar.com 。他们都有SSL证书,他们在所有的台式机和移动浏览器工作良好。他们举办配置nginx的同一台服务器上。
I have two domains: foo.net and bar.com. They both have SSL certificates, and they work well in all desktop and mobile browsers. They are hosted on the same server configured with nginx.
然而,当我提出一个请求,从一个原生的Android应用程序域,它在某种程度上会从错误的域的证书!这导致IO异常:
However, when I make a request to a domain from within a native android app, it somehow gets the certificate from the wrong domain! This results in an IO Exception:
request = new HttpPost("https://foo.net/api/v1/baz");
request.setHeader("Authorization", "user:pass");
response = httpClient.execute(request);
...
javax.net.ssl.SSLException:主机名的证书不匹配:< foo.net> !=< bar.com>或LT; bar.com>或LT; www.bar.com>
什么会导致Android的/ Java中尝试使用从 bar.com 证书时,所有其他措施似乎表明,服务器的配置是否正确?没有出现在nginx的访问或错误日志。没有提及 bar.com 在我的Android项目的任何地方。
What would cause android/java to try using the certificate from bar.com when every other measure seems to indicate that the server is correctly configured? Nothing appears in the nginx access or error log. There is no mention of bar.com anywhere in my android project.
编辑:我不知道为什么,但现在看来,该服务器使用的证书 bar.com 服务器IP HTTPS ://198.245.xx.xxx
I'm not sure why, but it appears that the server is using the certificate for bar.com for the server IP https://198.245.xx.xxx
推荐答案
有关此问题的最可能的原因是服务器使用服务器名称指示选择要发送的证书。如果客户端不支持SNI,服务器不能选择SSL / TLS握手期间发送的证书(所有的HTTP流量被发送之前)。当你想使用多个证书上相同的IP地址和端口SNI是必需的,但不是所有的客户端(在任何版本的Windows XP,以及一些移动浏览器出了名的,IE浏览器)都支持它。
The most likely cause for this problem is that the server uses Server Name Indication to choose which certificate to send. If the client doesn't support SNI, the server cannot choose which certificate to send during the SSL/TLS handshake (before any HTTP traffic is sent). SNI is required when you want to use multiple certificates on the same IP address and port, but not all clients support it (notoriously, IE on any version of Windows XP, and a number of mobile browsers).
你也为之使用Apache HTTP客户端库(不是 HttpsURLConnection ,为此的可以有SNI支持,一些Android的版本的。
在Apache HTTP客户端库为SNI支持是相当近期的,当然也没有把它做成了Android软件开发包。
You're also visibly using the Apache HTTP Client library (not HttpsURLConnection, for which there can be SNI support with some Android versions.
Support for SNI in the Apache HTTP Client library is quite recent, and certainly hasn't made it into the Android stack.
您可能会发现在这篇文章介绍的解决办法有用(虽然它似乎只工作为Android 4.2 +)。
You may find the workaround described in this article useful (although it seems only to work for Android 4.2+).
另外两个选项是:
- 要使用不同的IP地址为每台主机(以免需要SNI),如果你在服务器的控制权,或
- 要使用另一个HTTP客户端库(如
HttpsURLConnection)。
这篇关于为什么安卓得到错误的SSL证书? (两个域,一个服务器)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
