Has Android changed SSL configuration in API 24?


Problem description

When my Android 23 project attempts to connect to my server via HTTPS, all is fine.

If I switch the target SDK to 24, I get the following error:

 javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
     at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:198)
     at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:443)
     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:394)
     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:170)
     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:366)
     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:560)
     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:492)
     at com.worklight.wlclient.WLRequestSender.run(WLRequestSender.java:47)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
     at java.lang.Thread.run(Thread.java:761)
 Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
     at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:563)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:444)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:508)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:508)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375)
     at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304)
     at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
     at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
     at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178)
     at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596)
     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
    ... 13 more
 Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Switching back to 23 and it works again.
Has something changed in 24 regarding the minimum requirements for certificates?

Solution

User-installed certificates, via the Settings app, are not incorporated by default on Android 7.0 if your targetSdkVersion is 24+:

By default secure (e.g. TLS, HTTPS) connections from all apps trust the pre-installed system CAs, and apps targeting API level 23 (Android M) and below also trust the user-added CA store by default.

(from the network security configuration docs)

To work around that, you will need to define a network security configuration XML resource:

<?xml version="1.0" encoding="utf-8"?>

<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>

Then, point to that XML resource from your android:networkSecurityConfig attribute in your <application> element in your manifest.


In general, Android 7.0 routes HTTPS through the network security configuration subsystem (android.security.net.config.RootTrustManager and kin from your stack trace). It's possible that there are other compatibility issues introduced here that are tied to targetSdkVersion. So, if the lack of user certificates is not your issue, and you can create a sample project that reproduces the problem, file an issue. Since I maintain a backport of that stuff, I would be interested in knowing about any bugs. :-)
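The workaround above trusts user-installed CAs in every build of the app, including release builds, so anyone who can add a CA to the device's user store can intercept the app's TLS traffic. The following is an added example (it is not part of the answer or of any Android project): a small Python checker that parses a network_security_config.xml and reports whether a section that applies to release builds (base-config or domain-config) trusts user CAs or permits cleartext traffic. It runs over the answer's XML and over a constructed alternative that keeps user CAs inside debug-overrides, which Android honours only when the app is debuggable. The element and attribute names used are the real network security configuration ones; the two config strings are constructed inputs for this check.

```python
import xml.etree.ElementTree as ET

# The workaround quoted in the answer: user CAs trusted for all connections.
ANSWER_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed alternative: system CAs in release builds, user CAs only
# under <debug-overrides>, which applies solely to debuggable builds.
DEBUG_ONLY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def trust_sources(section):
    """Set of <certificates src=...> values declared under a config section."""
    return {c.get("src") for c in section.iter("certificates")}


def lint(xml_text):
    """Return a list of findings for the config; an empty list means no issue."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "network-security-config":
        return ["root element is <%s>, expected <network-security-config>" % root.tag]

    # base-config and domain-config govern every build; debug-overrides is
    # skipped on purpose because it never reaches a non-debuggable build.
    release_sections = []
    base = root.find("base-config")
    if base is not None:
        release_sections.append(base)
    release_sections.extend(root.iter("domain-config"))

    findings = []
    for section in release_sections:
        label = section.tag
        if section.tag == "domain-config":
            domains = [d.text.strip() for d in section.findall("domain") if d.text]
            label = "domain-config for %s" % ", ".join(domains)
        if "user" in trust_sources(section):
            findings.append("%s trusts user-installed CAs in release builds" % label)
        if section.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append("%s permits cleartext (non-TLS) traffic" % label)
    return findings


if __name__ == "__main__":
    for name, cfg in (("answer", ANSWER_CONFIG), ("debug-only", DEBUG_ONLY_CONFIG)):
        print(name, lint(cfg) or ["ok"])
```

Run it as a script to see the answer's config flagged and the debug-only variant pass; the debug-only layout is the one to prefer when the user CA is only needed for a proxy or test server during development, because it leaves release builds trusting the system store alone.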
