android - javax.net.ssl.SSLPeerUnverifiedException : No peer certificate on Android 4. x 和 5.x

Question

我在 Android 4.4.2 上运行我的应用程序并抛出此错误:

07-03 08:43:59.255 21643-21803/com.myapp W/System.err: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at com.myapp.Util.Util$1.run(Util.java:242)
07-03 08:43:59.255 21643-21803/com.myapp W/System.err:     at java.lang.Thread.run(Thread.java:841)
07-03 08:43:59.475 21643-21643/com.myapp E/ViewRootImpl: sendUserActionEvent() mView == null

它在 Android 6.x 及更高版本上正常工作。只有 Android 4.x 和 5.x 失败。我没有尝试过 Android 3.x 及更低版本，但如果我只能针对 Android 4.x 和 5.x 修复它，我会很好。有趣的是，它过去曾经可以工作，突然间它停止工作，而我没有更改应用程序的源代码。当我去 https://www.digicert.com/help/测试我的服务器 SSL 证书，一切都通过了:

DNS resolves <Domain> to <IP address>
HTTP Server Header: Apache

SSL certificate
Common Name =

Subject Alternative Names = <subdomain>.<Domain>, <Domain>, m.<Domain>, www.<Domain>

Issuer = COMODO RSA Extended Validation Secure Server CA

Serial Number = 5A34235B2A2B53B35354232B123B23C5

SHA1 Thumbprint = 98C357AC34A23B232134B2A4C23A2B23AC23A532

Key Length = 2048

Signature algorithm = SHA256 + RSA (excellent)

Secure Renegotiation: Supported

SSL Certificate has not been revoked
OCSP Staple:    Good
OCSP Origin:    Good
CRL Status: Good

SSL Certificate expiration
The certificate expires May 24, 2019 (325 days from today)

Certificate Name matches <Domain>

Subject 
Valid from 11/Jun/2017 to 24/May/2019
Issuer  COMODO RSA Extended Validation Secure Server CA


Subject COMODO RSA Extended Validation Secure Server CA
Valid from 12/Feb/2012 to 11/Feb/2027
Issuer  COMODO RSA Certification Authority


Subject COMODO RSA Certification Authority
Valid from 30/May/2000 to 30/May/2020
Issuer  AddTrust External CA Root
SSL Certificate is correctly installed
Congratulations! This certificate is correctly installed.

我的 SSL 证书看起来不错。我想知道为什么 Android 4.x 和 5.x 会抛出这个 javax.net.ssl.SSLPeerUnverifiedException: No peer certificate错误。

更新 1 :SSL 报告显示我的 SSL 证书一切正常。为什么安卓会提示？这是报告:



我正在使用 https://www.ssllabs.com/ssltest/

更新 2 : 阅读 https://developer.android.com/reference/javax/net/ssl/SSLPeerUnverifiedException.html#SSLPeerUnverifiedException(java.lang.String) ，我的理解是服务器无法识别自己。为什么？我猜是因为理论上服务器缺少所需的对等证书。如果您了解使用 https://www.ssllabs.com/ssltest/ 时的方式，这听起来很矛盾。在更新 1 中，SSL 报告显示我的服务器正确通过了证书测试。

更新 3 :我的证书颁发机构 (CA) 是 COMODO。我的 SSL 报告显示我的 SSL 证书一切正常: https://www.ssllabs.com/ssltest/analyze.html?d=cuponclub.net .当我从 Web 浏览器发出服务器请求时，一切正常: https://cuponclub.net/San-salvador/deals/json_index/ .看看 HTTPS 连接是如何成功的，证书在浏览器中是有效的，一切看起来都很完美。在 Android 6.x 及更高版本上没有错误，但为什么 Android 4.x 和 5.x 一直提示我的 SSL 证书，当我尝试在 Android 4.x 上编译我的应用程序时，在 Android Studio 日志中抛出此错误还是 5.x？:

W/System.err: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
W/System.err:     at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
W/System.err:     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
W/System.err:     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:388)
W/System.err:     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
W/System.err:     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
W/System.err:     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
W/System.err:     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err:     at com.couponclub.Util.Util$1.run(Util.java:242)
W/System.err:     at java.lang.Thread.run(Thread.java:841)

更新 4 : 看答案 Error in android application: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate ，他们认为问题可能与服务器名称指示 (SNI) 有关。当我使用 https://www.ssllabs.com/ssltest/为了分析我的网站，我在结果中看到了红色:

替代名称 [................] MISMATCH
可信 否 不可信
Mozilla Apple Android Java Windows

也许我的问题与此服务器名称指示 (SNI) 或缺少它有关？

更新 5 :我从 https://www.ssllabs.com/ssltest/ 收到红色的“No SNI” .也许这导致了问题？



更新 6 : Certificate #2可以忽略我的问题的影响，因为它适用于不同的域。我只关心 Certificate #1 的结果.

更新 7 :网络托管公司支持团队和 SSL 证书颁发者支持团队确认 SSL 证书及其安装一切正常，他们认为这可能是关于 Android 4.x 和 5.x 的 Android SDK 的问题，而不是 SSL 证书的实际问题。使用 SSL 证书一切正常。

更新 8 :我在服务器上禁用了 TLS 1.1 及更早版本以符合 SSL 标准，我开始怀疑该错误的原因是 Android 4.x 和 5.x 可能希望看到支持 TLS 1.1 及更早版本的库当它不存在时，即使我有 TLS 1.2，它也会自动抛出 SSL 错误。这是我的一个假设。例如，我正在阅读 https://help.salesforce.com/articleView?id=000231452&type=1有关“为 TLS 1.0 弃用准备移动应用程序”的信息，他们说:

Android. Unfortunately, some work might be required to ensure that your Android applications don’t break when TLS 1.0 is disabled on a Salesforce instance. We have a fix that enforces TLS 1.1 and 1.2 on Mobile SDK Android applications.

因此，他们意识到禁用 TLS 1.0 可能会使某些 Android 应用程序因 Salesforce 实例而中断，并且他们知道在禁用 TLS 1.0 后必须做一些工作来解决这个问题。同样，我开始怀疑，就我而言，问题可能是我的服务器缺乏对 TLS 1.0 及更早版本的支持。

更新 9 : 在我向 COMODO CA 解释了我在 中提到的内容之后更新 8 ，这是他们的回复:

Thank you for contacting Comodo CA support. Android versions 4.3 and earlier do not support TLS 1.2. As you have enabled only TLS 1.2 on the server, no connections will be established to your server from those legacy devices. Certificate check happens only after establishing the connection.

更新 10 :一切似乎都表明发生在我身上的事情是在 https://blog.dev-area.net/2015/08/13/android-4-1-enable-tls-1-1-and-tls-1-2/ 中解释的。 :

I recently had to work on an Android application that consumed an API which removed support for TLS 1.0 connections for security reasons. The Android documentation for SSLSocket says that TLS 1.1 and TLS 1.2 is supported within android starting API level 16+ (Android 4.1, Jelly Bean). But it is by default disabled but starting with API level 20+ (Android 4.4 for watch, Kitkat Watch and Android 5.0 for phone, Lollipop) they are enabled. But it is very hard to find any documentation about how to enable it for phones running 4.1 for example.

更新 11 : 看着 https://github.com/wireapp/wire-android/issues/1450 ，例如如何 wire.com ，一个流行的协作平台，证明缺乏对 Android 4.x 的支持:

Hi, thank you for your feedback. Unfortunately, upgrading to TLSv1.2 was a necessary step to increase the security of the communications between our servers and the clients, and it is not really something we are open to reconsider. As with all decisions that involve dropping support for older versions of something, there will be people whose devices will be left behind. However, given the gains in terms of security and given the very small number of people that will lose support, we made the decision to upgrade. Know that we're not alone in dropping support for TLS pre-1.2, as Github itself has done the same. On top of all these reasons, Android 4.x phones are quite old devices that most likely are not receiving any security updates from their manufacturers, so if you are a "privacy-aware" user I would recommend getting something more recent (Android 5 came out in 2014). We're sorry if you felt like you were left behind, but please understand that this decision was taken with security in mind as the most important factor.

更新 12 :关于问题是什么以及如何修复它的有趣链接: https://medium.com/tech-quizlet/working-with-tls-1-2-on-android-4-4-and-lower-f4f5205629a .正如您在我对自己问题的回答中所看到的那样，我已经继续前进，但也许此链接对其他人有用。

Answer 1

从你的描述来看，应该是安卓的问题。可能已在较新版本中修复。如果我不得不猜测，我会说您的证书解析在 Android 端的某处默默地失败了，片刻后当 Android 尝试 getPeerCertificates() 时，它会抛出异常，因为它们未初始化(由于我推测的无提示失败)。可能如果失败不是静默的，您可以尝试在问题发生之前找到一些堆栈跟踪。

您也可以尝试通过调整您的网站以适应旧的 Android 操作系统来解决这个问题。我没有好的建议或解决方案，但我会首先将您的证书与从旧的 Android 操作系统角度来看很好的站点的证书进行比较。