javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:


Problem description

I am trying to use HTTPS connection with self-signed certificate.
I have followed steps of creating self-signed certificate as mentioned here - Creating Self-signed certificate.
Everything works fine even in browser, it only shows me a message that my certificate is signed by unknown CA.
But I have problem with my FQDN(server name doesn't match) name in certificate because I have set incorrect name while generating certificate.
I have regenerated it and now no such error.

I need to use my server certificate from a mobile Android client. I have found a great article about this problem - Use Retrofit with a self-signed or unknown SSL certificate in Android. I have followed all steps, but unfortunately get an error (exception).

javax.net.ssl.SSLPeerUnverifiedException: Hostname 195.xx.xx.xx not verified:
    certificate: sha1/qvH7lFeijE/ZXxNHI0B/M+AU/aA=
    DN: 1.2.840.113549.1.9.1=#160e63726f73704078616b65702e7275,CN=195.xx.xx.xx,OU=Departament of Development,O=CROSP Solutions,L=Chernihiv,ST=Chernihiv,C=UA
    subjectAltNames: []
            at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:124)

As you can see, the hostnames are the same, but the error is still present.
Please help to deal with this problem, I will be grateful for any help.
Thank you.

PSEUDO-SOLUTION

Of course I searched before and found HostName Verifier Solution.
I have tried it, it works. But is it OK to use this workaround? I added the certificate into my app in order to read it dynamically as in the prior example; is it still being used in this case?

Solution with OkHttp is one line. (If you followed all steps in tutorial).

 okHttpClient.setHostnameVerifier(new NullHostNameVerifier());

But I still feel that it is not the best solution. Please, any thoughts?

Recommended answer

Interestingly, if the request host is an IP, "CN" is not used to match it; instead,

http://tools.ietf.org/html/rfc2818#section-3.1

"the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI"

If you use java's keytool, it can be done by

keytool -genkeypair  -ext SAN=IP:195.xx.xx.xx    ........

NullHostNameVerifier is also OK for your use case. Your client is trusting only one certificate; as long as the connection uses that certificate, you are secure; host name doesn't matter here.
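
The RFC 2818 rule quoted in the answer, as an added Java example that is not part of the original post and not OkHttp's own code: it applies the matching to the list shape that `X509Certificate.getSubjectAlternativeNames()` returns. The class `SanCheck`, its helper methods and the address `192.0.2.10` are constructed for illustration, and wildcard dNSName matching is left out.

```java
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Added illustration (hypothetical class): RFC 2818 section 3.1 matching over the
// [Integer type, value] entries X509Certificate.getSubjectAlternativeNames() returns.
public class SanCheck {
    static final int DNS_NAME = 2, IP_ADDRESS = 7; // GeneralName tags (RFC 5280)

    // Simplified test: dotted-quad IPv4, or anything containing ':' as IPv6.
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    // sans may be null: the JDK returns null when the certificate has no SAN extension.
    static boolean matches(String host, Collection<List<?>> sans) throws Exception {
        if (sans == null) return false; // the subject CN is not consulted
        boolean ip = isIpLiteral(host);
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            if (!(entry.get(1) instanceof String)) continue; // some name types come back as byte[]
            String value = (String) entry.get(1);
            if (ip && type == IP_ADDRESS) {
                // For a valid IP literal getByName parses the text; it does not query DNS.
                if (InetAddress.getByName(host).equals(InetAddress.getByName(value))) return true;
            } else if (!ip && type == DNS_NAME && host.equalsIgnoreCase(value)) {
                return true; // exact names only; wildcard matching is left out
            }
        }
        return false;
    }

    static List<?> san(int type, String value) { return Arrays.asList(type, value); }

    public static void main(String[] args) throws Exception {
        String host = "192.0.2.10"; // constructed address from the documentation range
        Collection<List<?>> empty = Collections.emptyList(); // like "subjectAltNames: []"
        Collection<List<?>> asDns = Collections.<List<?>>singletonList(san(DNS_NAME, host));
        Collection<List<?>> asIp = Collections.<List<?>>singletonList(san(IP_ADDRESS, host));
        System.out.println("no SAN:        " + matches(host, empty));
        System.out.println("dNSName only:  " + matches(host, asDns));
        System.out.println("iPAddress SAN: " + matches(host, asIp));
    }
}
```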
