Android 9 Google Pixel One上的SSL问题 [英] SSL issue on Android 9 Google Pixel One
问题描述
我正在尝试从没有网络连接的网络中具有10.10.10.2的Android主机向主机10.10.10.1执行HTTPS请求-仅WiFi 2对等AP和Android 9 Google Pixel One设备.
I am trying to perform HTTPS requests to a host 10.10.10.1 from Android host with 10.10.10.2 in network without Internet connection - only WiFi 2 peers AP and Android 9 Google Pixel One device.
我已经使用自己签名的证书创建了network_security_config.xml,证书具有CN = 10.10.10.1和SAN = DNS:10.10.10.1 PI:10.10.10.1.
I've created network_security_config.xml with my cert that is self-signed and has CN=10.10.10.1 and SAN= DNS: 10.10.10.1 PI: 10.10.10.1.
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
<certificates src="@raw/zone"/>
</trust-anchors>
</base-config>
</network-security-config>
我没有收到验证错误,也没有观察到成功发送到服务器的请求-数据是HTTP请求,已解密并显示在服务器日志中.但是服务器无法发送回数据!它会发送,但是由于某些原因,Android手机无法接受这些数据-会被忽略.
I don't receive verification error and observe successful requests incoming to server - data are HTTP request, decrypted and shown on the server log. But the server can't send data back! It sends, but for some reason these data are not being accepted by the Android phone - just ignored.
我看到数据包从服务器发送到电话,并且服务器反复重试以关闭SSL套接字,直到错误或成功(我在调查期间故意做出这种行为)-这是Wireshark从WiFi空中的转储:
I see packets are going from the server to the phone and the server repeatedly retries to shutdown SSL socket until error or success (I made such behavior intentionally during surveying) - here is Wireshark dump from WiFi air:
这是我从AsyncTask发出的请求
Here is my request from AsyncTask
protected String doInBackground(String... params) {
StringBuilder result = new StringBuilder();
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(MainActivity.this.getResources().openRawResource(R.raw.zone));
Certificate ca = cf.generateCertificate(caInput);
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
URL url = new URL("https://10.10.10.1/connect");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(ctx.getSocketFactory());
conn.setRequestProperty("param1", params[0]);
conn.setRequestProperty("param2", params[1]);
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setDoInput(true);
mInputStream = conn.getInputStream();
byte[] buffer = new byte[1024];
ByteArrayOutputStream _buf = new ByteArrayOutputStream();
int l;
BufferedInputStream bufin = new BufferedInputStream(mInputStream);
while ((l = bufin.read(buffer,0,1024)) != -1) {
_buf.write(buffer, 0, l);
String rec = _buf.toString("UTF-8");
Log.d("MAIN", "Read: " + rec);
result.append(rec);
}
Log.d("MAIN", "Read finished: " + result.toString());
} catch (Exception e) {
e.printStackTrace();
}
return result.toString();
}
我怀疑Android 9 Network Security确实以某种方式阻止了流量.我试图使用SSLSockets,将端口从443更改为例如1234-没运气.
I suspect that Android 9 Network Security does block traffic somehow. I tried to use SSLSockets, change port from 443 to e.g. 1234 - no luck.
实际上,我的应用是使用Qt创建的,首先我使用了Qt的东西,但是没有运气-我在MainActivity中回退到Android Java代码,我通过Qt的JNI调用了该代码.结果是一样的,我没有更多的想法...
In fact my app is being created with Qt and firstly I used Qt stuff, but having no luck - I made fallback to Android Java code within my MainActivity, that I call via JNI from Qt code. Result is the same and I have no ideas more...
在哪里挖?
UPD1
使用仅包含DNS:10.10.10.1的SAN生成自签名证书时(不带IP:10.10.10.1),SSL失败并显示警告:
When the self-signed certificate is generated with SAN containing DNS:10.10.10.1 only (without IP:10.10.10.1) SSL fails with warnings:
W System.err: javax.net.ssl.SSLPeerUnverifiedException: Hostname 10.10.10.1 not verified:
W System.err: certificate: sha1/gyr2GOhy5lA+ZAHEzh0E2SBEgx0=
W System.err: DN: CN=10.10.10.1,O=Some ltd.,L=Knoxville,ST=TN,C=US
W System.err: subjectAltNames: [10.10.10.1]
W System.err: at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:201)
W System.err: at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
W ...
相反,在SAN IP:10.10.10.1(无DNS:10.10.10.1)的情况下-可以像以前一样工作-建立会话,将数据传输到服务器并解密,但是从服务器到客户端的响应只会被客户端忽略.
And conversely, with SAN IP:10.10.10.1 (without DNS: 10.10.10.1) - works as before - session established, data transferred to server and decrypted, but responses from server to client just ignored by client.
UPD2
我还尝试将域名some.device用于10.10.10.1设备,并使用CN和SAN DNS = some.device颁发证书.该问题已由Android 9客户端解决,数据已成功发送,但响应仍未被接受.
I've also tried to use domain name some.device for the 10.10.10.1 device and issued certificate with CN and SAN DNS = some.device. It's resolved by Android 9 client, data is being sent successfully but response is still not being accepting.
看起来像Android的错误.
Looks like Android bug.
推荐答案
进行其他测量后: 1.某些Android设备(内部版本)(包括Pixel 1)不接受尚未通过相互[FIN,ACK]完成的TCP会话,并且接收到的数据未传递到堆栈的更高层.如果TCP流不是可靠的,并且有许多重传和Seq更改,则数据也可能不被接受. 2.在使用Qt的情况下-Android网络安全配置不会影响通信. 3.这不是与TLS相关的问题.
After making additional surveying: 1. Some set of Android devices (builds), including Pixel 1, does not accept TCP session that was not finalized by mutual [FIN,ACK] and received data is not delivered to upper level of stack. Also data may not be accepted if TCP stream was not solid, with many retransmissions and Seq changing. 2. In case of using Qt - Android Network Security Configuration does not affect on communications. 3. This is not TLS related issue.
这篇关于Android 9 Google Pixel One上的SSL问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
