gpt4 book ai didi

Android 2.2 : javax.net.ssl.SSLException : Not trusted server certificate - Android 2. 3 : javax.net.ssl.SSLPeerUnverifiedException:没有对等证书

转载 作者:太空狗 更新时间:2023-10-29 15:09:52 24 4
gpt4 key购买 nike

在对 Android 2.2 进行了一些测试之后,在认为我解决了这个问题之后,不知何故我又收到了这个错误消息,我第一次完成了下面的故事,它工作了一天,但现在我又面临这个问题。有人在我下面使用的解决方案旁边有解决方案吗?或者对返回的问题有解释吗?

在 Android 2.3 上,我从来没有让它工作,我收到以下错误:
07-26 19:48:12.580: W/System.err(1201): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
错误消息 2.2:

07-23 00:12:18.726: W/System.err(22569): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.
07-23 00:12:18.730: W/System.err(22569): at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:149)
07-23 00:12:18.730: W/System.err(22569): at java.security.cert.CertPathValidator.validate(CertPathValidator.java:202)
07-23 00:12:18.730: W/System.err(22569): at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:164)

编辑 :我以为我解决了以下问题:

当我通过我的 Windows Web 浏览器向第三方服务器发布 HTTP 请求时,它返回一个 XML,但是在 Android Activity 中执行相同操作时,我收到以下错误:
W/System.err(9471): javax.net.ssl.SSLException: Not trusted server certificate
.
.
.
W/System.err(7207): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.

我使用以下请求:
https://www.voipinfocenter.com/API/ Request.ashx?command=_&username= _&password=______&customer=__&customerpassword=___ &geocallcli=__&tariffrate=_

忽略这个安全问题似乎并不聪明,有没有办法解决这个问题,特别是因为它不是我自己的服务器?

编辑 : 我找到了 android-trusting-ssl-certificates使用 SSLCertDownloader-Download 发布并设法下载证书
C:\ssl>SSLCertDownloader.exe www.server.com 443 c:\ssl\CAcert.cer
已下载 bcprov-jdk16-145.jar并将其保存在 c:\ssl文件夹

确保 keytool 在 c:\ssl文件夹

进口证书:
keytool -importcert -v -trustcacerts -file "CAcert.cer" -alias In
ermediateCA -keystore "mykeystore.bks" -provider org.bouncycastle.jce.provider.
ouncyCastleProvider -providerpath "bcprov-jdk16-145.jar" -storetype BKS -storep
ss Password

我怎么知道这是否下载了所有必需的证书?
openssl client_s connect -showcerts 给了我以下信息:
Loading 'screen' into random state - done
CONNECTED(000000D4)
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles M
rx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-A
surance Secure Server CA
-----BEGIN CERTIFICATE-----
MIIFczCCBFugAwIBAgIQHXnQEnG/Ft0D1oCzycDFbDANBgkqhkiG9w0BAQUFADCB
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx
MDMzMTAwMDAwMFoXDTE0MDUwMjIzNTk1OVowga4xCzAJBgNVBAYTAkxVMQ0wCwYD
VQQREwQyMTMwMQswCQYDVQQIEwJOQTETMBEGA1UEBxMKTHV4ZW1ib3VyZzEiMCAG
A1UECRMZQm91bGV2YXJkIENoYXJsZXMgTWFyeCAyMzEWMBQGA1UEChMNRGVsbG1v
bnQgU2FybDEaMBgGA1UECxMRQ29tb2RvIEluc3RhbnRTU0wxFjAUBgNVBAMTDTc3
LjcyLjE3My4xMzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo5mTI
oNnf4NsNKq3tXxxszbBOs22UubyUzwExBQ5i220y/qcXF0iA6h+lc+41WIJkT4mI
IltTMdAs9L8BLMIu/bFQRBlL5M1y7GRnGTEr2IqgE83gOWq5Bpz6Mvmhu67HDkHv
0ZBK/IwKn4f1lW+fntGD6++RfQixGAY0Ei+XDxn09mHV++qgFPA+4WpeOwVy3+I+
bk9hf8MR3aUfWDyPwdDF0BpNJ8yyzXwUzL/8RwEIN90wBRQ5O8KjociAXC/uqnXk
f8/woZkhfwqtQ0yWbHDWJlBSIg+xs3HtB6UhagFRWuLLZiJz9AurGRfb0pfOmwjI
XWkU6jVhLRDndzzpAgMBAAGjggGuMIIBqjAfBgNVHSMEGDAWgBQ/1bXQ1kR5UEoX
o5uMSty4sCJkazAdBgNVHQ4EFgQUmIxbnFxciu12ZJ84pSL/aVMLVAcwDgYDVR0P
AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYIKwYBBQUHAgEW
HWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRIMEYwRKBCoECG
Pmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJhbmNlU2Vj
dXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYBBQUHMAKGPmh0
dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJhbmNlU2VjdXJl
U2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5j
b20wDwYDVR0RBAgwBocETUitgjANBgkqhkiG9w0BAQUFAAOCAQEAH1jjfuwJxIac
s1uBibTiJyQKRVuyrb3MLo5A0D9mwQ+hew4GktAkJBc73AJ4gQgufADt06eJjzqc
SzpxkATx38W6WuRcis5odJRvkVrNv0yiJfAsQf6mB0laMXCrvt9+drGy8O/Xd4TC
4OU6A+s551SYKAhkAdlZuCCn4A0FgxL3nX/K/cXcvhHt+v2hDy/TraFlC3CQ73tp
SOxVNO9g8DZBu38c0W6SejQti40/xR2245t/U39GznSy9sgeMdQVU1JHpkwR2R9J
lXsRiev1PtTX1MZGLbyLhH1gSMn+n7gdBb7hZpaIZWicmp1NaRtC1oVQL49l7NdU
WcXYaeeuQA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High
Assurance Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1551 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: F724000041ACE5FC6871CF549CAE1BC0F076578433238D6FF8B1DF3F374627D

Session-ID-ctx:
Master-Key: ADB009A0D064383C492EA9FBBDCFA81C5D945C88F168ECC225BCDF2798B063C
814CDA4E1E29AFB91C75290C7C41CB66
Key-Arg : None
Start Time: 1374894544
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

将 mykeystore.bks 保存在我的应用程序的 res/raw 文件夹中并创建了以下类:
public class MyHttpClient extends DefaultHttpClient {

final Context context;

public MyHttpClient(Context context) {
this.context = context;
}

@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
// Register for port 443 our SSLSocketFactory with our keystore
// to the ConnectionManager
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}

private SSLSocketFactory newSslSocketFactory() {
try {
// Get an instance of the Bouncy Castle KeyStore format
KeyStore trusted = KeyStore.getInstance("BKS");
// Get the raw resource, which contains the keystore with
// your trusted certificates (root and any intermediate certs)
InputStream in = context.getResources().openRawResource(R.raw.mykeystore);
try {
// Initialize the keystore with the provided trusted certificates
// Also provide the password of the keystore
trusted.load(in, "Password".toCharArray());
} finally {
in.close();
}
// Pass the keystore to the SSLSocketFactory. The factory is responsible
// for the verification of the server certificate.
SSLSocketFactory sf = new SSLSocketFactory(trusted);
// Hostname verification from certificate
// http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
return sf;
} catch (Exception e) {
throw new AssertionError(e);
}
}
}

在 Activity 中:
// Instantiate the custom HttpClient
DefaultHttpClient client = new MyHttpClient(getApplicationContext());
HttpGet get = new HttpGet("https://www.mydomain.ch/rest/contacts/23");
// Execute the GET call and obtain the response
HttpResponse getResponse = client.execute(get);
HttpEntity responseEntity = getResponse.getEntity();

最佳答案

W/System.err(1201): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate



您使用的是什么密码套件?匿名 Diffie-Hellman (ADH) 将导致服务器不发送证书。

W/System.err(22569): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.



听起来您不信任验证链所需的 CA 根证书。是否已加载?它是正确的信任根吗?
Certificate chain
0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
High-Asurance Secure Server CA
[Repeated three times]

这在实践中看起来格式不正确。无需发送三四次最终实体证书。

编辑:该证书仅发送一次:

enter image description here

通常在链式验证中使用三个或四个证书:(1) CA 根证书,(2) 一或两个中间证书,以及 (3) 最终实体(或叶,或服务器)证书。在 SSL/TLS Server Hello 中,应发送来自 (2) 和 (3) 的证书。

例如,OpenSSL 的 wiki 上有一个 Server Hello 中使用的所有证书的屏幕截图。它是一个如何编写 OpenSSL 客户端的示例,它基于一个实际使用 COMODO 的站点。这是捕获: http://wiki.openssl.org/index.php/File:Bio-fetch-1.png , 示例如下: http://wiki.openssl.org/index.php/SSL/TLS_Client .

所以我相信链条缺少根:
  • AddTrust 外部 CA 根

  • 和两个中间体:
  • COMODO 认证机构
  • COMODO 扩展验证安全服务器 CA

  • 相关证书可在 COMODO 的网站上找到: Root and Intermediate Certificates .或者,您可以从下面的修复 2 中提供的链中复制并粘贴它。

    修复 1

    为了解决这个问题,有问题的服务器应该发送三个证书的串联。第一个是Server's Certificate,第二个是“COMODO Extended Validation Secure Server CA”(中级)证书,第三个是“COMODO Certification Authority”(中级)证书。您还需要信任“AddTrust External CA Root”(根)证书。

    以下是使用 Google 网站和“Equifax Secure Certificate Authority”在实践中的样子。请注意,除了服务器的最终实体证书之外,还会发送中间证书:
    $ echo "GET / HTTP\1.0" | openssl s_client -connect www.google.com:443 -showcerts
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    i:/C=US/O=Google Inc/CN=Google Internet Authority G2
    -----BEGIN CERTIFICATE-----
    MIIEdjCCA16gAwIBAgIIRYUpUVjSfHQwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
    BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
    cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMxMTIwMTUxMDQ3WhcNMTQwMzIwMDAwMDAw
    WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
    TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
    Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW8ZNM
    PeVQTl+gbie7LVVCUrZ/Y3pM7EhWD9L9ZDeL39IeGeyKIfTIWLBpQRnM2xk3ITuR
    2cIEH7WuhGfXi2bKwp27N2H9j5vPfsl04b50pus8XaJXUvwq+TgT1852QQy+sGQl
    QE9UN0HIK8qleDV5VycpK6KnhSl7QH6283WX2xtiW1oxVETspRPv5gLIFXm9po9X
    fTzQZm/Wnkvyl3SAXa4msAMABqrrczWM6ySC6UoWUEttYTAEy2OPsqEBhTBSseP5
    W4w5X6kM7nU7u2R05NtxaVb/vO7RxIngU73+i7PF3ZDg6TxfQYGdAs0h03WoZCrI
    JjsvdRU9QEhnZXVjAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
    KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
    XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
    MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
    A1UdDgQWBBSloFBACjHuLBs7YbSkN82IHLBklzAMBgNVHRMBAf8EAjAAMB8GA1Ud
    IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW
    eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
    RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCQSyYioqaFpkdSfBReEEFHffMcXzE9
    VL5L/ysdFAqCk9bmMyHsYKZ8FET1mh2BqzwXY7VWulaeOg+SPv8D4kwKRtCGuDgp
    /6Jo7+TzkU5GSQxnrrSuA4DW+nKwrkoS+bLEMV67MrSAMSQ3/TVwIHpxWmU16aGO
    08ICQCzXyWevTaCxbC49n1iBloZPNYFk74QfUTllKYbzhKrUPqJvCjlkaHPAVzv0
    OtGjXuOdSfB4nURA7INNYvx8ULMECg5Sj8Gan8kIOfeW3jt9vdxsZrbn0Cu/bcTm
    OEK3nH1sBk2Hy5ZBcyludHyUzqTHsXSjnIjwZNPpihVmFrs5I1Ma7iEj
    -----END CERTIFICATE-----
    1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    -----BEGIN CERTIFICATE-----
    MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
    MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
    YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
    EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
    bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
    VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
    h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
    ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
    EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
    DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
    qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
    VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
    K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
    KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
    ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
    BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
    /iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
    zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
    HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
    WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
    yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
    -----END CERTIFICATE-----
    2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----BEGIN CERTIFICATE-----
    MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
    MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
    aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
    WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
    AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
    OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
    T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
    JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
    Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
    PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
    aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
    TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
    LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
    BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
    dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
    AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
    NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
    b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3728 bytes and written 448 bytes
    ...

    服务器必须发送链验证所需的证书以避免“哪个目录”问题。它在 PKI 中广为人知,它本质上意味着客户端不知道去哪里找到丢失的证书。例如,客户端如何知道从哪里获取“COMODO High-Assurance Secure Server CA”?

    修复 2:

    在此修复中,您加载根 中间证书,因为服务器或站点设置不正确(通常您只加载您信任的根)。要了解如何在实践中使用 OpenSSL,请参阅位于 http://wiki.openssl.org/index.php/SSL/TLS_Client 的 OpenSSL 客户端示例。 .在文件 openssl-bio-fetch.c (第 115 行),您将看到以下调用来设置链验证期间使用的可信根(和中间体):
    res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL);
    ASSERT(res == 1)
    ...

    文件 random-org-chain.pem包含以下 PEM 编码连接。连接由验证 www.random.org 所需的根证书和两个中间证书组成。的服务器证书。
    $ cat random-org-chain.pem
    #
    # AddTrust External CA Root
    #
    -----BEGIN CERTIFICATE-----
    MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
    MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
    IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
    MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
    FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
    bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
    dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
    H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
    uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
    mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
    a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
    E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
    WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
    VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
    Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
    cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
    IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
    AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
    YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
    6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
    Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
    c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
    mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
    -----END CERTIFICATE-----

    #
    # COMODO Certification Authority
    #
    -----BEGIN CERTIFICATE-----
    MIIE8TCCA9mgAwIBAgIQbyXcFa/fXqMIVgw7ek/H+DANBgkqhkiG9w0BAQUFADBv
    MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
    ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
    eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
    gYExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
    BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMScwJQYD
    VQQDEx5DT01PRE8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3
    DQEBAQUAA4IBDwAwggEKAoIBAQDQQIuLcuORG/dRwRtUBJjTqb/B5opdO4f7u4jO
    DeMvPwaW8KIpUJmu2zuhV7B0UXHN7UKRTUH+qcjYaoZ3RLtZZpdQXrTULHBEz9o3
    lUJpPDDEcbNS8CFNodi6OXwcnqMknfKDFpiqFnxDmxVbt640kf7UYiYYRpo/68H5
    8ZBX66x6DYvbcjBqZtXgRqNw3GjZ/wRIiXfeten7Z21B6bw5vTLZYgLxsag9bjec
    4i/i06Imi8a4VUOI4SM+pdIkOWpHqwDUobOpJf4NP6cdutNRwQuk2qw471VQJAVl
    RpM0Ty2NrcbUIRnSjsoFYXEHc0flihkSvQRNzk6cpUisuyb3AgMBAAGjggF0MIIB
    cDAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUC1jl
    i8ZMFTekQKkwqSG+RzZaVv8wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
    Af8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9j
    cmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDCBswYI
    KwYBBQUHAQEEgaYwgaMwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0
    LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LnA3YzA5BggrBgEFBQcwAoYtaHR0
    cDovL2NydC51c2VydHJ1c3QuY29tL0FkZFRydXN0VVROU0dDQ0EuY3J0MCUGCCsG
    AQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBBQUA
    A4IBAQAHYJOZqs7Q00fQNzPeP2S35S6jJQzVMx0Njav2fkZ7WQaS44LE5/X289kF
    z0k0LTdf9CXH8PtrI3fx8UDXTLtJRTHdAChntylMdagfeTHJNjcPyjVPjPF+3vxG
    q79om3AjMC63xVx7ivsYE3lLkkKM3CyrbCK3KFOzGkrOG/soDrc6pNoN90AyT99v
    uwFQ/IfTdtn8+7aEA8rJNhj33Wzbu7qBHKat/ij5z7micV0ZBepKRtxzQe+JlEKx
    Q4hvNRevHmCDrHqMEHufyfaDbZ76iO4+3e6esL/garnQnweyCROa9aTlyFt5p0c1
    M2jlVZ6qW8swC53HD79oRIGXi1FK
    -----END CERTIFICATE-----

    #
    # COMODO Extended Validation Secure Server CA
    #
    -----BEGIN CERTIFICATE-----
    MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB
    gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
    A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
    BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw
    MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
    YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
    RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp
    b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
    ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi
    7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK
    HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy
    hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS
    b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f
    BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY
    5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq
    fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1
    MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv
    bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v
    Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm
    MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU
    cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv
    Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9
    P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40
    TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj
    hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs
    tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl
    9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6
    -----END CERTIFICATE-----

    对不起 C/C++ 代码。我没有方便的 Java 示例,但它是 OpenSSL 代码,并且适用相同的概念。
     0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
    Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130

    当 IP 用于 Common Name (CN) 时,我相信 IP 也必须列在 Subject Alternate Name (SAN) 中。最终实体证书的格式是否正确尚不清楚,并且 Bouncy CaSTLe 可能会积极地对其进行验证。证书要求由 CA/浏览器论坛发布,可在以下位置找到:
  • Baseline Certificate Requirements
  • Extended Validation Certificate Requirements


  • 您正在使用的某些方法被标记为已弃用。例如, X509HostnameVerifierSTRICT_HOSTNAME_VERIFIER已弃用。

    最后,您可以通过 Startcom 从 Eddy Nigg 获得大多数桌面和移动浏览器信任的免费证书。 .如果需要撤销,Startcom 将向您收费,因为这就是成本所在。 CA 将预先向您收取撤销费用并将未使用的 yield 收入囊中;)

    关于Android 2.2 : javax.net.ssl.SSLException : Not trusted server certificate - Android 2. 3 : javax.net.ssl.SSLPeerUnverifiedException:没有对等证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17769284/

    24 4 0
    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
    广告合作:1813099741@qq.com 6ren.com