How to trust SSL certificates with cross-signed root expired on android <= 5


Problem description


I work for a company that uses a Comodo/Sectigo SSL certificate. But suddenly our app started throwing this error when sending a POST to the server, on Android 4 and 5, with the OkHttp client.

HTTP FAILED: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Sat May 30 05:48:38 CDT 2020 (compared to Mon Jun 08 23:13:02 CDT 2020)


I tried many StackOverflow solutions, without success. Then I found this cross-signed certificate warning on the Comodo blog:


Sectigo at present offers the ability to cross-sign certificates with the AddTrust legacy root to increase support among very old systems and devices. This root is due to expire at the end of May, 2020. Any applications or installations that depend on this cross-signed root must be updated by May, 2020 or run the risk of outage or displayed error message.


I tried a few more things to get my OkHttp client to trust the certificate (enabled TLS on the Socket, added Modern TLS, TLS versions and cipher suites to the connection specs in the OkHttp builder, added the cert to the raw resources, and also put a custom SslSocketFactory on the client), but none of this works; it always throws an error related to certificate validity or a handshake exception.


The only thing that has worked for me is to make an unsafe OkHttp client, but obviously its use in production is not recommended.


The app works fine on Android > 5, but we still have some users on Android 5 and even 4 who cannot use the app due to this problem. Is there still any way to get Android <= 5 to trust this expired root?

Thanks for your help.

Recommended answer


This should hopefully fix the issue if the certificates are otherwise valid.

In your build file:

  implementation 'org.conscrypt:conscrypt-android:2.5.1'


And activate Conscrypt before your request:

import java.security.Security
import okhttp3.OkHttpClient
import okhttp3.Request
import org.conscrypt.Conscrypt

// Register Conscrypt as the highest-priority security provider so that the TLS
// handshake goes through it instead of the platform's default implementation
// on older Android releases.
Security.insertProviderAt(Conscrypt.newProvider(), 1)
val client = OkHttpClient.Builder().build()

val request = Request.Builder().url("https://status.datadoghq.com/").build()
client.newCall(request).execute().use { response ->
  println(response.code())
}


If it's still failing after this then you might need to register a custom certificate as well, but test without this first.
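Before changing the client, it helps to confirm what chain the server is actually presenting. The following diagnostic is an added example, not code from the answer above: it lists every certificate the server sent with its expiry date and whether it is still valid, so an expired cross-signed intermediate in the chain shows up directly. It assumes OkHttp 3.x, a placeholder URL (`https://example.invalid/`), and a JVM or device on which the handshake still succeeds; `describeChain` is a hypothetical helper name.

```kotlin
import java.security.cert.CertificateException
import java.security.cert.X509Certificate
import okhttp3.OkHttpClient
import okhttp3.Request

// Hypothetical helper (not from the answer): one line per certificate in the
// chain the server presented, leaf first, with its notAfter date and whether
// checkValidity() accepts it at the current time. An expired entry here is
// the condition behind the "Certificate expired at ..." message in the question.
fun describeChain(chain: List<X509Certificate>): List<String> =
    chain.map { cert ->
        val status = try {
            cert.checkValidity()
            "valid"
        } catch (e: CertificateException) {
            "INVALID: ${e.message}"
        }
        "subject=${cert.subjectX500Principal.name} " +
            "issuer=${cert.issuerX500Principal.name} " +
            "notAfter=${cert.notAfter} -> $status"
    }

fun main() {
    // Placeholder host; replace with the endpoint that fails on the old devices.
    val client = OkHttpClient.Builder().build()
    val request = Request.Builder().url("https://example.invalid/").build()
    client.newCall(request).execute().use { response ->
        // handshake() is null for plain-HTTP responses; peerCertificates() is the
        // chain as sent by the server, not the path the client finally trusted.
        val certs = response.handshake()?.peerCertificates().orEmpty()
            .filterIsInstance<X509Certificate>()
        describeChain(certs).forEach(::println)
    }
}
```

If the output shows an expired intermediate issued by the legacy AddTrust root, the server is still serving the cross-signed chain that the Comodo/Sectigo notice quoted in the question warned about, which is worth raising with whoever manages that certificate alongside the client-side Conscrypt change.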
