How to trust SSL certificates with cross-signed root expired on android <= 5


Problem description


I work for a company that uses a Comodo/Sectigo SSL certificate. But suddenly our app started throwing this error when sending POST to the server, in versions with android 4 and 5, with Okhttp client.

HTTP FAILED: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Sat May 30 05:48:38 CDT 2020 (compared to Mon Jun 08 23:13:02 CDT 2020)


I tried many StackOverflow solutions, without success. Then I found on the Comodo blog this cross-signed certificate warning:


Sectigo at present offers the ability to cross-sign certificates with the AddTrust legacy root to increase support among very old systems and devices. This root is due to expire at the end of May, 2020. Any applications or installations that depend on this cross-signed root must be updated by May, 2020 or run the risk of outage or displayed error message.


I tried a few more things to get my okhttp client to trust the certificate (enabled TLS on Socket, added Modern TLS, TLS Versions and cipher Suites to connection Specs in okhttp builder, adding the cert to the raw resources, also I put a custom SslSocketFactory to the client) but none of this works, always throws me an error related to certificate validity or a handshake exception.


The only thing that has worked for me is to make an unsafe okhttp, but obviously its use in production is not recommended.


The app works fine in android > 5, but we still have some users on android 5 and even 4 who cannot use the app due to this problem. Is there still any way to get android <= 5 to trust this expired root?

Thanks for your help.

Recommended answer


This should hopefully fix the issue if the certificates are otherwise valid.

In your build file

  implementation 'org.conscrypt:conscrypt-android:2.5.1'


And activate Conscrypt before your request

import java.security.Security
import okhttp3.OkHttpClient
import okhttp3.Request
import org.conscrypt.Conscrypt

// Register Conscrypt as the highest-priority security provider so that
// TLS and certificate path validation no longer go through the old
// platform (BouncyCastle-based) implementation.
Security.insertProviderAt(Conscrypt.newProvider(), 1)
val client = OkHttpClient.Builder().build()

val request = Request.Builder().url("https://status.datadoghq.com/").build()
client.newCall(request).execute().use { response ->
  println(response.code())
}


If it's still failing after this then you might need to register a custom certificate as well, but test without this first.

https://github.com/square/okhttp/blob/okhttp_3.12.x/samples/guide/src/main/java/okhttp3/recipes/CustomTrust.java
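The "register a custom certificate" step the answer refers to, written out as an added example (not code from the answer or from the OkHttp project): it combines the Conscrypt provider with a trust manager that trusts only the root CA you ship with the app, so path validation no longer depends on the expired AddTrust cross-sign that old Android trust stores chain to. The PEM input is assumed to be the current, non-expired root that your server chain actually ends at; `R.raw.server_root_ca` and `buildPinnedClient` are placeholder names chosen for this example.

```kotlin
import java.io.InputStream
import java.security.KeyStore
import java.security.Security
import java.security.cert.CertificateFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient
import okhttp3.Request
import org.conscrypt.Conscrypt

// Builds an OkHttp client that (1) routes TLS through Conscrypt and
// (2) trusts only the CA certificate(s) read from `rootCaPem`.
// `rootCaPem` is assumed to hold the current root of your server's chain
// (NOT the expired AddTrust root), e.g. a PEM file under res/raw.
fun buildPinnedClient(rootCaPem: InputStream): OkHttpClient {
    // Put Conscrypt ahead of the platform provider, as in the answer above.
    Security.insertProviderAt(Conscrypt.newProvider(), 1)

    // Parse one or more PEM certificates from the stream.
    val cf = CertificateFactory.getInstance("X.509")
    val certs = cf.generateCertificates(rootCaPem)
    require(certs.isNotEmpty()) { "no certificates found in PEM input" }

    // Fresh, empty keystore holding only our trusted root(s); no password needed.
    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)
        certs.forEachIndexed { i, c -> setCertificateEntry("root$i", c) }
    }

    // Trust manager that validates chains against that keystore alone.
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(keyStore)
    val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()

    // With Conscrypt at position 1 this SSLContext comes from Conscrypt.
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(null, arrayOf(trustManager), null)

    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        .build()
}

// Performs a GET and returns the HTTP status code (OkHttp 3.x API, as on this page).
fun fetchStatusCode(client: OkHttpClient, url: String): Int {
    val request = Request.Builder().url(url).build()
    client.newCall(request).execute().use { response -> return response.code() }
}

// Android usage (placeholder resource name):
//   val client = buildPinnedClient(resources.openRawResource(R.raw.server_root_ca))
//   val code = fetchStatusCode(client, "https://your.server.example/")
```

Because the keystore contains only the root you shipped, the handshake succeeds even though the device's own store still holds the expired AddTrust root, and it fails if the server ever chains to something else; keep the shipped root current and test on an android 4 or 5 device, since `setCertificateEntry` replaces, rather than augments, the system trust anchors for this client.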
