Security with HTTPS and SSL: javax.net.ssl.SSLHandshakeException: Certificate expired


Problem description


I have tried to check for a missing intermediate certificate authority using this command:

$ openssl s_client -connect mail.google.com:443

For my website it should show the certificate chain, but it only shows one certificate, which is already expired. But when I checked the server certificate configuration on https://www.digicert.com/help/

it shows that the SSL certificate is correctly installed and shows the proper intermediate certificate chain, and when I try to access the web API in my Android app it shows the following error:

javax.net.ssl.SSLHandshakeException: Certificate expired at Thu Jun 11 21:58:21 GMT+05:30 2015 (compared to Wed May 18 10:48:45 GMT+05:30 2016)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:327)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:638)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:600)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:75)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:93)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:187)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:123)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:134)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:196)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:365)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:602)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:522)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:500)

I am using the following link for checking the server certificate in the Android app: http://blog.fordemobile.com/2012/04/https-requests-on-android.html

Is the certificate properly configured on the server, or am I using the wrong code for checking the certificate?

Solution

You have already found your issue. Actually, your certificate has expired. Your web service's app server needs to update its certificate.

For a full tutorial on how to create and check a certificate, you can follow these tutorials:

  1. The Most Common OpenSSL Commands
  2. How To Verify SSL Certificate From A Shell Prompt

To change certificate, you can follow the tutorial:

http://www.albeesonline.com/blog/2009/06/24/javax-net-ssl-sslhandshakeexception-certificate-expired/


Full Tutorial:

For testing purposes I will use the mail.google.com:443 SSL certificate, which is issued by Go Daddy.

Step # 1: Getting The Certificate

Create a directory to store the certificate:

$ mkdir -p ~/.cert/mail.google.com/
$ cd ~/.cert/mail.google.com/

Retrieve the mail.google.com certificate provided by the Google mail server:

$ openssl s_client -showcerts -connect mail.google.com:443

Copy from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", and save it in your ~/.cert/mail.google.com/ directory as mail.google.com.pem.

Step # 2: Getting The Certificate Of The Issuer

If this certificate was issued by Go Daddy, you need to get the "Certification Authority Root Certificate" (visit your CA's website to get the root certificate):

$ wget https://certs.godaddy.com/repository/gd_bundle.crt -O ~/.cert/mail.google.com/gd.pem

Step # 3: Rehashing The Certificates

Create symbolic links to files named by the hash values using c_rehash; enter:

$ c_rehash ~/.cert/mail.google.com/

Sample output:

Doing  ~/.cert/mail.google.com/
mail.google.com.pem => 1d97af50.0
gd.pem => 219d9499.0

Test It

To confirm you have the correct and working certificates, enter:

$ openssl s_client -CApath ~/.cert/mail.google.com/ -connect mail.google.com:443

Sample output:

CONNECTED(00000003)
......
....
 Verify return code: 0 (ok)
---

There should be lots of data; however, the important thing to note is the final line "Verify return code: 0 (ok)". I'm using the same certificate for a dovecot IMAP mail server; type the following to verify the mail server SSL certificate:

$ openssl s_client -CApath ~/.cert/mail.google.com/ -connect mail.google.com:993

Sample output:

CONNECTED(00000003)
.....
.....
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 QUOTA AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Again, the final "Dovecot ready" line along with the 0 return code indicates that everything is working fine.

Resource Link:

Verifying that a Private Key Matches a Certificate
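The two things this thread turns on are the leaf certificate's validity window (the "Certificate expired at ... (compared to ...)" message in the question compares notAfter with the client's clock) and whether the server actually sends its intermediates (the question's s_client run showed a single certificate). The following script is an added example, not code from the question, the answer, or any of the linked tutorials; it takes the text that `openssl s_client -showcerts` prints, splits out each PEM block as step 1 of the answer does by hand, walks the DER far enough to read notBefore/notAfter, and reports which certificates are expired against a given time and whether only the leaf was sent. The certificates it runs on are constructed samples (minimal DER with empty names and no real key or signature), labelled as such in the code; the parser handles long-form DER lengths, so it also works on real PEM files such as the mail.google.com.pem the answer saves. Python standard library only, so it runs offline; on a live system `openssl x509 -noout -dates` and `openssl verify` give the same information.

```python
import base64
import re
from datetime import datetime, timezone

# Matches each PEM block in the text that `openssl s_client -showcerts` prints.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_chain(s_client_output):
    """Return the DER bytes of every certificate, leaf first, as the server sent them."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(s_client_output)]


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    # 0x17 = UTCTime (YYMMDDHHMMSSZ); 0x18 = GeneralizedTime (YYYYMMDDHHMMSSZ, used from 2050 on)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity_period(der):
    """Return (notBefore, notAfter) from the tbsCertificate of a DER X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)    # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def check_chain(s_client_output, now):
    """Return ([(index, status), ...], leaf_only) for the chain in the captured output."""
    chain = split_pem_chain(s_client_output)
    report = []
    for i, der in enumerate(chain):
        not_before, not_after = validity_period(der)
        if now > not_after:
            status = "expired at " + not_after.isoformat()
        elif now < not_before:
            status = "not yet valid until " + not_before.isoformat()
        else:
            status = "valid"
        report.append((i, status))
    # A chain of one certificate means the server sent no intermediate; a client that does not
    # fetch intermediates on its own then cannot build a path to a trusted root.
    return report, len(chain) == 1


# ---- constructed sample input (not real certificates): minimal DER carrying only the
# ---- structure validity_period() walks; names are empty and there is no key or signature.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length is enough for these samples


def make_sample_cert(not_before, not_after):
    def t(s):                               # 13 chars -> UTCTime, 15 chars -> GeneralizedTime
        return _tlv(0x17 if len(s) == 13 else 0x18, s.encode())
    tbs = (b"\xa0\x03\x02\x01\x02"          # [0] version v3
           + _tlv(0x02, b"\x01")            # serialNumber
           + _tlv(0x30, b"")                # signature AlgorithmIdentifier (left empty)
           + _tlv(0x30, b"")                # issuer Name (left empty)
           + _tlv(0x30, t(not_before) + t(not_after))
           + _tlv(0x30, b"")                # subject Name (left empty)
           + _tlv(0x30, b""))               # subjectPublicKeyInfo (left empty)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# The client clock from the question's error message, in UTC (10:48:45 GMT+05:30 on 2016-05-18).
SAMPLE_NOW = datetime(2016, 5, 18, 5, 18, 45, tzinfo=timezone.utc)

# Constructed output shaped like the question's case: a single certificate, expired 2015-06-11 16:28:21 UTC.
SAMPLE_EXPIRED_OUTPUT = ("CONNECTED(00000003)\n---\nCertificate chain\n 0 s:/CN=example.test\n"
                         + to_pem(make_sample_cert("140611162821Z", "150611162821Z")))

# Constructed output with a valid leaf plus a long-lived intermediate (GeneralizedTime, expires 2050).
SAMPLE_OK_OUTPUT = ("CONNECTED(00000003)\n---\nCertificate chain\n"
                    + to_pem(make_sample_cert("160101000000Z", "170101000000Z"))
                    + to_pem(make_sample_cert("100101000000Z", "20500101000000Z")))

if __name__ == "__main__":
    for name, out in (("expired", SAMPLE_EXPIRED_OUTPUT), ("ok", SAMPLE_OK_OUTPUT)):
        report, leaf_only = check_chain(out, SAMPLE_NOW)
        print(name, report, "leaf only, intermediate missing" if leaf_only else "chain sent")
```

Against the expired sample the report says `expired at 2015-06-11T16:28:21+00:00` and flags the single-certificate chain, which is the pair of symptoms in the question; against the second sample both certificates are valid and the chain is complete. Checking the expiry against a supplied time rather than the local clock matters because, as the Android message shows, the verdict depends on the client's clock as much as on the certificate.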
