Override onReceivedSslError does not work with Android KitKat Web view

Question

I can bypass the SSL errors when accessing an https URL which has an untrusted certificate with the following code, with the WebView below version KitKat:

public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    // Continues loading past any certificate error without inspecting it
    handler.proceed();
}

But it does not work for the KitKat browser. Any ideas to solve it?

Recommended answer

I recently came up against this problem too. This is not documented, but it seems that calling the method onReceivedSslError on Android 4.4 KitKat depends on the type of SSL error. I checked these two cases:

  • If the SSL error is due to a self-signed server certificate, it does invoke the onReceivedSslError method in Android KitKat 4.4, as it did in older versions.

However, if the SSL error cause is a bad certificate chain (LogCat showing the message: "Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found."), then onReceivedSslError is not called in KitKat, as it was called in older Android versions, and thus the error cannot be ignored or bypassed in 4.4. This was my case, and I do not know whether this is a bug or done on purpose to prevent MITM attacks, but I did not find a programmatic way to work around this.

The underlying problem for me was that the web server did not expose the full certificate chain but only the last certificate, leaving to the device the responsibility to validate the full chain, provided it has all the certificates stored in the device cert store, which was not the case for Android devices. You could check whether this was also your problem either by:

a) Checking the certificate chain with an online certificate checker, such as: http://www.digicert.com/help/

b) Using openssl to verify the received certificate chain:

    openssl s_client -showcerts -connect :443

There you can see the certificate chain, which should contain two or more certificates, and if the result ends with something like: Verify return code: 21 (unable to verify the first certificate), you are likely to have a similar problem as I had.

The solution was to fix the web server configuration so the server exposes the full certificate chain to the hosts.
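
The openssl check from step b), as an added example that is not part of the original answer: a shell function that classifies saved `openssl s_client -showcerts` output by how many certificates the server sent and by the final verify return code, so the check can be rerun after the server configuration is fixed. The function name `check_chain`, the abbreviated sample outputs and the `example.test` names are constructed for illustration; code 21 is the one quoted in the answer, and code 18 is assumed here to be OpenSSL's code for a self-signed leaf certificate.

```shell
#!/bin/sh
# check_chain: read saved `openssl s_client -showcerts` output on stdin, print a
# verdict, return 0 (verified), 1 (incomplete chain), 2 (self-signed), 3 (other).
check_chain() {
    awk '
        BEGIN { sent = 0 }
        /^Certificate chain/  { in_chain = 1; next }
        /^Server certificate/ { in_chain = 0 }
        # Each certificate the server sent is listed as " <depth> s:<subject>"
        in_chain && /^ *[0-9]+ s:/ { sent++ }
        /Verify return code:/ {
            code = $0
            sub(/^.*Verify return code: */, "", code)
            sub(/[^0-9].*$/, "", code)   # keep only the numeric code
        }
        END {
            if (code == "")   { print "UNKNOWN no verify result in input"; exit 3 }
            if (code == "0")  { print "OK " sent " certificate(s) sent"; exit 0 }
            if (code == "21") { print "INCOMPLETE_CHAIN " sent " certificate(s) sent"; exit 1 }
            if (code == "18") { print "SELF_SIGNED " sent " certificate(s) sent"; exit 2 }
            print "OTHER verify return code " code; exit 3
        }'
}

# Constructed sample: server sends only the leaf (the case in the answer).
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
---
Server certificate
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: same server after its configuration sends the intermediate.
sample_full_chain() { cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
Server certificate
    Verify return code: 0 (ok)
EOF
}

sample_leaf_only  | check_chain || echo "exit status $?"
sample_full_chain | check_chain
```

Against a real server, pipe the output of the command from step b) into `check_chain` instead of the sample functions.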
