Android Studio,javax.net.ssl.SSLHandshakeException:不可接受的证书 [英] Android Studio, javax.net.ssl.SSLHandshakeException: Unacceptable certificate
问题描述
我正在尝试从 Android Studio 运行 Android Virtual Device.一切正常,直到我尝试从虚拟设备内部访问任何 Google 服务.我们的网络正在使用公司代理,我们必须安装公司证书才能使应用程序正常工作.我通过 keytool -importcert -trustcacerts ... 将证书安装到 Java(jdk),然后以相同的方式将其安装到 Android\Android Studio\jre\bin.然后使用adb push C:\certs\cert1.cer/sdcard/cert1.cer将证书上传到虚拟机中,并在设置中应用到Android中.但我仍然收到错误
I'm trying to run an Android Virtual Device from Android Studio. Everything works fine, until I try to access any Google's service from inside the virtual device. Our network is using corporate proxy and we have to install corporate certificates in order the applications to work. I installed the certificates to Java(jdk) via keytool -importcert -trustcacerts ..., then installed it to Android\Android Studio\jre\bin the same way. Then uploaded the certs into the virtual machine using adb push C:\certs\cert1.cer /sdcard/cert1.cer, and applied it in the Android in settings. But I'm still getting the error
Caused by: javax.net.ssl.SSLHandshakeException: Unacceptable certificate: CN=CompanyName Root CA, OU=IT Department, O='CompanyName Professional' LLC, L=NY, ST=NY, C=EN
无论如何都可以绕过吗?如果我已经导入了证书,为什么它仍然要求提供证书.在浏览器中,如果在虚拟机中打开它,所有网站都可以正常工作.谢谢.
Is it real to bypass anyhow? And why does it still ask for the certificate if I already have it imported. In browser all websites work fine if open it in the virtual machine. Thanx.
推荐答案
将您的根 CA 证书安装为用户定义的证书"进入模拟器是现代 Android 设备(Android 6+)的错误方式.
Installing your root CA certificate as "User defined certificate" into the emulator is the wrong way for modern Android devices (Android 6+).
用户安装的 CA 证书默认不受应用信任.在有 root 权限的设备上,您可以安装新的 CA 证书作为系统证书,如下所示:
User installed CA certificates are by default not trusted by apps. On a rooted device you can install new CA certificates as system certificates as shown here:
- 中间人代理证书示例:https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/
- https://ivrodriguez.com/installing-self-signed-android 上的证书/
如果您的设备已植根并安装了 Magisk,您还可以使用 Magisk 移动证书 将用户安装的证书移动到系统存储中的模块.
If your device is rooted and has Magisk installed you can also use the Magisk Move Certificates module that moves user installed certificates into the system store.
自从 Google 引入 Android 网络安全配置以来,每个应用都必须明确将用户定义的证书添加到信任列表:
Since Google introduced the Android Network Security Configuration every app has to explicitly add the user defined certificates to the trust list:
res/xml/network_security_config.xml
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<certificates src="system"/>
<certificates src="user"/>
</trust-anchors>
</base-config>
</network-security-config>
未定义 Android 网络安全配置或具有此类配置但不包含 <certificates src="user"/> 条目的每个应用都将忽略您额外安装的证书.
Every app that does not define a Android Network Security Configuration or that have such a configuration but do not include the <certificates src="user"/> entry will ignore your additionally installed certificate.
并确保 AndroidManifest.xml 在 android:networkSecurityConfig 属性:
And make sure the AndroidManifest.xml contains the android:networkSecurityConfig attribute in the <application> tag:
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
<application android:networkSecurityConfig="@xml/network_security_config"
... >
...
</application>
</manifest>
此外,一些应用(例如 Google 服务和 Play 商店)执行证书/密钥固定,这完全可以防止破坏 HTTPS 流量,除非系统被大量修改:
Additionally some apps (e.g. Google services and Play Store) perform certificate/key pinning which totally prevents breaking the HTTPS traffic unless the system is heavily modified:
您必须根设备并安装 EdXposed/Xposed + 多个模块以允许 SSL/TLS 拦截,例如 TrustMeAlready 和 SSL Unpinning).
You have to root the device and install EdXposed/Xposed + multiple modules to allow SSL/TLS interception like TrustMeAlready and SSL Unpinning).
或者,您可以使用 Frida 和某些脚本来禁用 SSL/TLS 证书检查和一些固定实现.据我所知,基于 Frida 的 Objection 项目包含一些 SSL 取消固定脚本.
Alternatively you can use Frida and certain scripts for disabling SSL/TLS certificate checking and some pinning implementations. As far as I know the Frida based Objection project contains some SSL unpinning script(s).
这篇关于Android Studio,javax.net.ssl.SSLHandshakeException:不可接受的证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
