javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified

Problem description

I am trying to use an HTTPS connection with a self-signed certificate.
I have followed the steps for creating a self-signed certificate as mentioned here - Creating Self-signed certificate.
Everything works fine even in the browser; it only shows me a message that my certificate is signed by an unknown CA.
But I have a problem with my FQDN (server name doesn't match) name in the certificate because I have set an incorrect name while generating the certificate.
I have regenerated it and now there is no such error.

I need to use my server certificate from a mobile Android client. I have found a great article about this problem - Use Retrofit with a self-signed or unknown SSL certificate in Android. I have followed all the steps, but unfortunately get an error (exception).

javax.net.ssl.SSLPeerUnverifiedException: Hostname 195.xx.xx.xx not verified:
    certificate: sha1/qvH7lFeijE/ZXxNHI0B/M+AU/aA=
    DN: 1.2.840.113549.1.9.1=#160e63726f73704078616b65702e7275,CN=195.xx.xx.xx,OU=Departament of Development,O=CROSP Solutions,L=Chernihiv,ST=Chernihiv,C=UA
    subjectAltNames: []
            at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:124)

As you can see, the hostnames are the same, but the error is still present.
Please help me deal with this problem; I will be grateful for any help.
Thank you.

Pseudo solution

Of course I searched before and found the HostName Verifier solution.
I have tried it, and it works. But is it OK to use this workaround? I added the certificate into my app in order to read it dynamically as in the prior example; is it still being used in this case?

Solution with OkHttp is one line. (If you followed all steps in tutorial).

 okHttpClient.setHostnameVerifier(new NullHostNameVerifier());

But I still feel that it is not the best solution. Any thoughts, please?

Recommended answer

Interestingly, if the request host is an IP, "CN" is not used to match it; instead,

https://www.rfc-editor.org/rfc/rfc2818#section-3.1

"the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI"

If you use Java's keytool, it can be done by

keytool -genkeypair  -ext SAN=IP:195.xx.xx.xx    ........


NullHostNameVerifier is also OK for your use case. Your client is trusting only one certificate; as long as the connection uses that certificate, you are secure; the host name doesn't matter here.
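
The RFC 2818 rule quoted in the answer, as an added Java example (not code from the original post or from OkHttp): for an IPv4-literal host only iPAddress subjectAltName entries are compared, and the CN is ignored. The class and method names and the address 192.0.2.10 are assumptions for illustration; the SAN lists are constructed in the shape that X509Certificate.getSubjectAlternativeNames() returns.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.regex.Pattern;

public class IpSanCheck {
    static final int SAN_DNS_NAME = 2;   // GeneralName tag for dNSName
    static final int SAN_IP_ADDRESS = 7; // GeneralName tag for iPAddress
    static final Pattern IPV4 = Pattern.compile("(\\d{1,3}\\.){3}\\d{1,3}");

    // For an IPv4-literal host, only iPAddress SAN entries are compared; the
    // subject CN is never consulted. "sans" is a collection of [Integer tag, value]
    // lists, or null when the certificate has no SAN extension.
    static boolean ipMatchesSan(String host, Collection<List<?>> sans) {
        if (!IPV4.matcher(host).matches()) {
            throw new IllegalArgumentException("not an IPv4 literal: " + host);
        }
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (san.size() >= 2 && Integer.valueOf(SAN_IP_ADDRESS).equals(san.get(0))
                    && host.equals(san.get(1))) {
                return true;
            }
        }
        return false;
    }

    // The same check on a real certificate, e.g. the server's leaf certificate.
    static boolean ipMatchesCert(String host, X509Certificate cert)
            throws CertificateParsingException {
        return ipMatchesSan(host, cert.getSubjectAlternativeNames());
    }

    // Builds one constructed SAN collection holding a single entry.
    static Collection<List<?>> sans(int tag, String value) {
        List<List<?>> out = new ArrayList<>();
        out.add(Arrays.<Object>asList(tag, value));
        return out;
    }

    public static void main(String[] args) {
        String host = "192.0.2.10"; // constructed address from the documentation range
        // As in the question: the CN carries the IP and there are no SAN entries.
        System.out.println("no SAN, CN=IP : " + ipMatchesSan(host, null));
        System.out.println("SAN=IP:host   : " + ipMatchesSan(host, sans(SAN_IP_ADDRESS, host)));
        // The address placed in a dNSName entry is still rejected for an IP host.
        System.out.println("SAN=DNS:host  : " + ipMatchesSan(host, sans(SAN_DNS_NAME, host)));
        System.out.println("SAN=IP:other  : " + ipMatchesSan(host, sans(SAN_IP_ADDRESS, "192.0.2.11")));
    }
}
```

Hostname (dNSName) matching, including wildcards, is outside this example and is left to the default verifier.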
