Handling Let's Encrypt new certificates in WebView for Android M and older


Problem description


Android apps, running on devices with Android M or older, that use WebView to display web content may experience breakages from Jan 2021 as Let's Encrypt will start issuing certificates signed with their new certificate chain in 2021

Read https://letsencrypt.org/2020/11/06/own-two-feet.html for background.

Recommended answer


First, to know if your app will have an issue, try to open https://valid-isrgrootx1.letsencrypt.org/ on Android devices with M and older.


The solution for WebViews has two parts:

API >= 24


Add the Let's Encrypt root certificates (X1 and X2) to the network_security_config.xml file.

<network-security-config>
    <base-config cleartextTrafficPermitted="true" >
        <trust-anchors>
            <certificates src="@raw/isrg_root_x1" />
            <certificates src="@raw/isrg_root_x2" />
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>


Then add the network security config to your Android manifest:

<manifest ...>
  <application
      ...
      android:networkSecurityConfig="@xml/network_security_config"
      ... >
  </application>
</manifest>

API < 24


For older devices Android does not have a public API to add certificates to its trust manager, so the validation will have to be done manually.

  • override onReceivedSslError in your WebView client
  • upon SSL_UNTRUSTED error perform a chain validation manually

    // inside your WebViewClient subclass (imports: android.net.http.SslError,
    // android.webkit.SslErrorHandler, android.webkit.WebView)
    override fun onReceivedSslError(view: WebView?, handler: SslErrorHandler, error: SslError) {
        var trusted = false
        when (error.primaryError) {
            SslError.SSL_UNTRUSTED -> {
                // manual validation of the chain presented by the server
                trusted = validateSslCertificateChain(error.certificate)
            }
            else -> { /* other errors: left to the app; trusted stays false */ }
        }

        // only proceed when the manual check passed; otherwise keep the default (cancel)
        if (trusted) handler.proceed() else super.onReceivedSslError(view, handler, error)
    }


The function validateSslCertificateChain is the one that will manually perform the chain validation. It can be done in several ways. An example can be found in this PR for the DuckDuckGo browser.


Also see this other SO question for solutions in other Android networking areas.
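One way to implement the manual validation described in the answer above, written here as an added example (not the answer's code and not the DuckDuckGo implementation it links to). It assumes the same raw resources used in network_security_config.xml (R.raw.isrg_root_x1, R.raw.isrg_root_x2) plus hypothetical bundled Let's Encrypt intermediates (e.g. R.raw.lets_encrypt_r3): WebView only hands the client the leaf certificate, so the intermediates that link it to ISRG Root X1 have to be supplied by the app and kept up to date when Let's Encrypt rotates them. The trust manager is built from a KeyStore that contains only the bundled roots, so the check cannot be satisfied by any other issuer, and the client proceeds only when the untrusted-root condition is the sole problem reported in the SslError (a hostname mismatch or an expired certificate still blocks). The cleartextTrafficPermitted="true" attribute in the page's sample config is unrelated to the certificate issue and can be left at its default.

```kotlin
import android.content.Context
import android.net.http.SslCertificate
import android.net.http.SslError
import android.webkit.SslErrorHandler
import android.webkit.WebView
import android.webkit.WebViewClient
import java.io.ByteArrayInputStream
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

/**
 * Validates a WebView leaf certificate against a private set of trust anchors.
 * rootResIds: raw resources holding the ISRG roots (PEM or DER).
 * intermediateResIds: raw resources holding the Let's Encrypt intermediates
 * (assumed to be bundled by the app; WebView does not provide them).
 */
class LetsEncryptChainValidator(
    context: Context,
    rootResIds: List<Int>,
    intermediateResIds: List<Int>
) {
    private val cf = CertificateFactory.getInstance("X.509")
    private val intermediates: List<X509Certificate> = intermediateResIds.map { load(context, it) }
    private val trustManager: X509TrustManager

    init {
        // Empty in-memory KeyStore containing only our roots: nothing from the
        // (outdated) system store is consulted by this trust manager.
        val ks = KeyStore.getInstance(KeyStore.getDefaultType()).apply { load(null, null) }
        rootResIds.forEachIndexed { i, id -> ks.setCertificateEntry("letsencrypt-root-$i", load(context, id)) }
        val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply { init(ks) }
        trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
    }

    private fun load(context: Context, resId: Int): X509Certificate =
        context.resources.openRawResource(resId).use { cf.generateCertificate(it) as X509Certificate }

    // SslCertificate.saveState() writes the DER bytes of the leaf under "x509-certificate";
    // this is the public way to get an X509Certificate out of a WebView SslCertificate.
    private fun leafOf(sslCert: SslCertificate): X509Certificate? {
        val der = SslCertificate.saveState(sslCert).getByteArray("x509-certificate") ?: return null
        return cf.generateCertificate(ByteArrayInputStream(der)) as X509Certificate
    }

    /** Returns true only if leaf + bundled intermediates chain to one of our roots (PKIX validation). */
    fun validateSslCertificateChain(sslCert: SslCertificate): Boolean {
        val leaf = leafOf(sslCert) ?: return false
        val chain = (listOf(leaf) + intermediates).toTypedArray()
        return try {
            // checkServerTrusted also checks validity dates and basic constraints of every link.
            trustManager.checkServerTrusted(chain, leaf.publicKey.algorithm)
            true
        } catch (e: CertificateException) {
            false
        }
    }
}

class LetsEncryptAwareWebViewClient(private val validator: LetsEncryptChainValidator) : WebViewClient() {
    override fun onReceivedSslError(view: WebView?, handler: SslErrorHandler, error: SslError) {
        // primaryError reports only the most severe problem; other flags can be set at the same time.
        // An untrusted root is the only condition we can repair, so any additional
        // problem (hostname mismatch, expiry, ...) must keep the default behaviour (cancel).
        val onlyUntrustedRoot = error.primaryError == SslError.SSL_UNTRUSTED &&
            !error.hasError(SslError.SSL_IDMISMATCH) &&
            !error.hasError(SslError.SSL_EXPIRED) &&
            !error.hasError(SslError.SSL_NOTYETVALID) &&
            !error.hasError(SslError.SSL_DATE_INVALID) &&
            !error.hasError(SslError.SSL_INVALID)

        if (onlyUntrustedRoot && validator.validateSslCertificateChain(error.certificate)) {
            handler.proceed()
        } else {
            super.onReceivedSslError(view, handler, error)
        }
    }
}

// Usage (resource ids assumed):
// val validator = LetsEncryptChainValidator(context,
//     rootResIds = listOf(R.raw.isrg_root_x1, R.raw.isrg_root_x2),
//     intermediateResIds = listOf(R.raw.lets_encrypt_r3))
// webView.webViewClient = LetsEncryptAwareWebViewClient(validator)
```

Wire the client up only for API < 24 (Build.VERSION.SDK_INT < Build.VERSION_CODES.N); on newer devices the network_security_config.xml anchors shown in the answer do the job through the normal system path, and no SslError override is needed.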
