iOS allowed invalid certificate while android did not

Problem description

We had an unusual situation during one of our app deployments. The iOS version worked well but the Android version of the app did not work. After some troubleshooting, we found that the app makes a call to an API. The API web server was missing the certificate chain. We tried the API call on an iOS 8 iPhone with Safari and it worked without any warning, while on Android it gave a certificate warning. I understand the problem but would like to know why it worked on iOS. Does iOS have any bug in SSL verification at the OS level?

Recommended answer

The behavior you saw is due to a functionality called AIA chasing that is implemented by some browsers and user agents (including Safari on iOS). A certificate can have a value for the Authority Information Access extension that can be used by browsers or underlying frameworks to build the complete certificate chain by fetching intermediates if they are not supplied by the server.

Android does not do AIA chasing which is why you saw the error when calling the API from the Android app. I haven't been able to find out why this isn't built into Android.

The correct way to address this is to make sure the web server provides the necessary intermediate certificates to connecting clients.
