Accepting HTTPS connections with self-signed certificates


Problem description

I'm trying to make HTTPS connections, using HttpClient lib, but the problem is that, since the certificate isn't signed by a recognized Certificate Authority (CA) like Verisign, GlobalSign, etc., listed on the set of Android Trusted Certificates, I keep getting javax.net.ssl.SSLException: Not trusted server certificate.

I've seen solutions where you simply accept all certificates, but what if I want to ask the user?

I want to get a dialog similar to that of the browser, letting the user decide to continue or not. Preferably I'd like to use the same certificate store as the browser. Any ideas?

Recommended answer

The first thing you need to do is to set the level of verification. There are not many such levels:

  • ALLOW_ALL_HOSTNAME_VERIFIER
  • BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
  • STRICT_HOSTNAME_VERIFIER

Although the method setHostnameVerifier() is obsolete in the newer Apache library, it is normal for the version in the Android SDK. So we take ALLOW_ALL_HOSTNAME_VERIFIER and set it on the factory with the method SSLSocketFactory.setHostnameVerifier().

Next, you need to set our factory for the https protocol. To do this, simply call the SchemeRegistry.register() method.

Then you need to create a DefaultHttpClient with SingleClientConnManager. Also, in the code below you can see that by default our flag (ALLOW_ALL_HOSTNAME_VERIFIER) will also be used, via the method HttpsURLConnection.setDefaultHostnameVerifier().

The following code works for me:

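import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;

// Verifier that accepts any hostname in the server certificate
HostnameVerifier hostnameVerifier = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;

DefaultHttpClient client = new DefaultHttpClient();

// Register the socket factory, with the verifier applied, for the https scheme
SchemeRegistry registry = new SchemeRegistry();
SSLSocketFactory socketFactory = SSLSocketFactory.getSocketFactory();
socketFactory.setHostnameVerifier((X509HostnameVerifier) hostnameVerifier);
registry.register(new Scheme("https", socketFactory, 443));
SingleClientConnManager mgr = new SingleClientConnManager(client.getParams(), registry);
DefaultHttpClient httpClient = new DefaultHttpClient(mgr, client.getParams());

// Set the same verifier as the default for HttpsURLConnection
HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);

// Example: send an HTTP request
final String url = "https://encrypted.google.com/";
HttpPost httpPost = new HttpPost(url);
HttpResponse response = httpClient.execute(httpPost);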
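
One way to implement the "ask the user" behaviour the question describes, as an added example that is not part of the original answer: the class below checks the platform trust store first and otherwise accepts only a certificate whose SHA-256 fingerprint the user has approved, leaving hostname verification at its default. The class name UserApprovedTrustManager, its methods and the "UNAPPROVED:" message prefix are hypothetical; only standard java.security and javax.net.ssl calls are used.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/** Hypothetical helper: system CAs first, then certificates the user explicitly approved. */
public final class UserApprovedTrustManager implements X509TrustManager {
    private final X509TrustManager system;
    // SHA-256 fingerprints (upper-case hex) the user has accepted
    private final Set<String> approved = Collections.synchronizedSet(new HashSet<String>());

    public UserApprovedTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform default trust store
        system = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    /** Call only after the user has accepted the fingerprint shown in the dialog. */
    public void approve(String fingerprint) { approved.add(fingerprint); }

    public static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()))
                hex.append(String.format("%02X", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            system.checkServerTrusted(chain, authType); // normal CA validation
        } catch (CertificateException untrusted) {
            String fp = fingerprint(chain[0]);          // leaf certificate presented by the server
            if (!approved.contains(fp))                 // fail closed until the user decides
                throw new CertificateException("UNAPPROVED:" + fp, untrusted);
        }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }

    @Override public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }

    /** SSLContext whose socket factory can be set on an HttpsURLConnection. */
    public SSLContext newContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }
}
```

Install it per connection with conn.setSSLSocketFactory(tm.newContext().getSocketFactory()); when the handshake fails, the CertificateException typically surfaces as the cause of an SSLHandshakeException, so show its fingerprint in the dialog, call approve() if the user accepts, and retry. Because the hostname verifier is left untouched, an approved self-signed certificate must still match the host being contacted.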
