在Android 2.2上进行了一些测试之后,在认为我解决了这个问题之后,不知怎的,我又得到了这个错误信息,我第一次在下面做了故事并且它工作了一天,但现在我再次面对这个问题。有人在我下面使用的那个旁边有解决方案吗?或者是否有关于问题返回的解释?
在Android 2.3上我从来没有让它工作,我收到以下错误:
07-26 19:48:12.580: W/System.err(1201): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
ERROR MESSAGE 2.2:
07-23 00:12:18.726: W/System.err(22569): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.
07-23 00:12:18.730: W/System.err(22569): at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:149)
07-23 00:12:18.730: W/System.err(22569): at java.security.cert.CertPathValidator.validate(CertPathValidator.java:202)
07-23 00:12:18.730: W/System.err(22569): at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:164)
编辑:我认为我修正了以下问题:
当我通过Windows网络浏览器向第三方服务器发送HTTP请求时,它会返回一个XML,但是当在Android活动中执行相同操作时,我会收到以下错误:
W/System.err(9471): javax.net.ssl.SSLException: Not trusted server certificate
.
.
.
W/System.err(7207): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.
我使用以下请求:
https://www.voipinfocenter.com/API/ Request.ashx?command=_&username= _&password=______&customer=__&customerpassword=___ &geocallcli=__&tariffrate=_
忽略这个安全问题似乎并不聪明,有没有办法解决这个问题,特别是因为它不是我自己的服务器?
编辑:我发送了android-trusting-ssl-certificates帖子并设法下载了SSLCertDownloader-Download
的证书 C:\ssl>SSLCertDownloader.exe www.server.com 443 c:\ssl\CAcert.cer
已下载bcprov-jdk16-145.jar并将其保存在c:\ssl
文件夹
确保keytool位于c:\ssl
文件夹
导入证书:
keytool -importcert -v -trustcacerts -file "CAcert.cer" -alias In
ermediateCA -keystore "mykeystore.bks" -provider org.bouncycastle.jce.provider.
ouncyCastleProvider -providerpath "bcprov-jdk16-145.jar" -storetype BKS -storep
ss Password
我如何知道这是否已下载所有必需的证书? openssl client_s connect -showcerts给了我以下内容:
Loading 'screen' into random state - done
CONNECTED(000000D4)
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles M
rx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-A
surance Secure Server CA
-----BEGIN CERTIFICATE-----
MIIFczCCBFugAwIBAgIQHXnQEnG/Ft0D1oCzycDFbDANBgkqhkiG9w0BAQUFADCB
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx
MDMzMTAwMDAwMFoXDTE0MDUwMjIzNTk1OVowga4xCzAJBgNVBAYTAkxVMQ0wCwYD
VQQREwQyMTMwMQswCQYDVQQIEwJOQTETMBEGA1UEBxMKTHV4ZW1ib3VyZzEiMCAG
A1UECRMZQm91bGV2YXJkIENoYXJsZXMgTWFyeCAyMzEWMBQGA1UEChMNRGVsbG1v
bnQgU2FybDEaMBgGA1UECxMRQ29tb2RvIEluc3RhbnRTU0wxFjAUBgNVBAMTDTc3
LjcyLjE3My4xMzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo5mTI
oNnf4NsNKq3tXxxszbBOs22UubyUzwExBQ5i220y/qcXF0iA6h+lc+41WIJkT4mI
IltTMdAs9L8BLMIu/bFQRBlL5M1y7GRnGTEr2IqgE83gOWq5Bpz6Mvmhu67HDkHv
0ZBK/IwKn4f1lW+fntGD6++RfQixGAY0Ei+XDxn09mHV++qgFPA+4WpeOwVy3+I+
bk9hf8MR3aUfWDyPwdDF0BpNJ8yyzXwUzL/8RwEIN90wBRQ5O8KjociAXC/uqnXk
f8/woZkhfwqtQ0yWbHDWJlBSIg+xs3HtB6UhagFRWuLLZiJz9AurGRfb0pfOmwjI
XWkU6jVhLRDndzzpAgMBAAGjggGuMIIBqjAfBgNVHSMEGDAWgBQ/1bXQ1kR5UEoX
o5uMSty4sCJkazAdBgNVHQ4EFgQUmIxbnFxciu12ZJ84pSL/aVMLVAcwDgYDVR0P
AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYIKwYBBQUHAgEW
HWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRIMEYwRKBCoECG
Pmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJhbmNlU2Vj
dXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYBBQUHMAKGPmh0
dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJhbmNlU2VjdXJl
U2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5j
b20wDwYDVR0RBAgwBocETUitgjANBgkqhkiG9w0BAQUFAAOCAQEAH1jjfuwJxIac
s1uBibTiJyQKRVuyrb3MLo5A0D9mwQ+hew4GktAkJBc73AJ4gQgufADt06eJjzqc
SzpxkATx38W6WuRcis5odJRvkVrNv0yiJfAsQf6mB0laMXCrvt9+drGy8O/Xd4TC
4OU6A+s551SYKAhkAdlZuCCn4A0FgxL3nX/K/cXcvhHt+v2hDy/TraFlC3CQ73tp
SOxVNO9g8DZBu38c0W6SejQti40/xR2245t/U39GznSy9sgeMdQVU1JHpkwR2R9J
lXsRiev1PtTX1MZGLbyLhH1gSMn+n7gdBb7hZpaIZWicmp1NaRtC1oVQL49l7NdU
WcXYaeeuQA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High
Assurance Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1551 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: F724000041ACE5FC6871CF549CAE1BC0F076578433238D6FF8B1DF3F374627D
Session-ID-ctx:
Master-Key: ADB009A0D064383C492EA9FBBDCFA81C5D945C88F168ECC225BCDF2798B063C
814CDA4E1E29AFB91C75290C7C41CB66
Key-Arg : None
Start Time: 1374894544
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
将mykeystore.bks保存在我的应用的res / raw文件夹中,并创建了以下类:
public class MyHttpClient extends DefaultHttpClient {
final Context context;
public MyHttpClient(Context context) {
this.context = context;
}
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
// Register for port 443 our SSLSocketFactory with our keystore
// to the ConnectionManager
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}
private SSLSocketFactory newSslSocketFactory() {
try {
// Get an instance of the Bouncy Castle KeyStore format
KeyStore trusted = KeyStore.getInstance("BKS");
// Get the raw resource, which contains the keystore with
// your trusted certificates (root and any intermediate certs)
InputStream in = context.getResources().openRawResource(R.raw.mykeystore);
try {
// Initialize the keystore with the provided trusted certificates
// Also provide the password of the keystore
trusted.load(in, "Password".toCharArray());
} finally {
in.close();
}
// Pass the keystore to the SSLSocketFactory. The factory is responsible
// for the verification of the server certificate.
SSLSocketFactory sf = new SSLSocketFactory(trusted);
// Hostname verification from certificate
// http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
return sf;
} catch (Exception e) {
throw new AssertionError(e);
}
}
}
在活动中:
// Instantiate the custom HttpClient
DefaultHttpClient client = new MyHttpClient(getApplicationContext());
HttpGet get = new HttpGet("https://www.mydomain.ch/rest/contacts/23");
// Execute the GET call and obtain the response
HttpResponse getResponse = client.execute(get);
HttpEntity responseEntity = getResponse.getEntity();
答案 0 :(得分:0)
W / System.err(1201):javax.net.ssl.SSLPeerUnverifiedException:无对等证书
您使用的是什么密码套件?匿名Diffie-Hellman(ADH)将导致服务器不发送证书。
W / System.err(22569):引起:java.security.cert.CertPathValidatorException:找不到CertPath的TrustAnchor。
听起来您不相信验证链所需的CA根证书。它被加载了吗?它是正确的信任根吗?
Certificate chain
0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
High-Asurance Secure Server CA
[Repeated three times]
这在实践中看起来很不正确。没有必要发送三到四次最终实体证书。
编辑:该证书只发送一次:
通常在链验证中使用三个或四个证书:(1)CA根证书,(2)一个或两个中间证书,以及(3)最终实体(或叶子或服务器)证书。在SSL / TLS服务器Hello中,应发送来自(2)和(3)的证书。
作为示例,在OpenSSL的wiki上有一个服务器Hello中使用的所有证书的屏幕截图。它是一个如何编写OpenSSL客户端的示例,它基于实际使用COMODO的站点。这是捕获:http://wiki.openssl.org/index.php/File:Bio-fetch-1.png,这是示例:http://wiki.openssl.org/index.php/SSL/TLS_Client。
所以我相信连锁店缺少Root:
两位中间人:
有问题的证书可以在COMODO的网站上找到:Root and Intermediate Certificates。或者,您可以从下面的修复程序2中提供的链中复制并粘贴它。
要解决此问题,相关服务器应发送三个证书的串联。第一个是服务器证书,第二个是“COMODO扩展验证安全服务器CA”(中间)证书,第三个是“COMODO证书颁发机构”(中间)证书。您还需要信任“AddTrust External CA Root”(root)证书。
以下是使用Google网站和“Equifax安全证书颁发机构”的实际情况。请注意,除了服务器的最终实体证书之外,还会发送中间证书:
$ echo "GET / HTTP\1.0" | openssl s_client -connect www.google.com:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgIIRYUpUVjSfHQwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMxMTIwMTUxMDQ3WhcNMTQwMzIwMDAwMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW8ZNM
PeVQTl+gbie7LVVCUrZ/Y3pM7EhWD9L9ZDeL39IeGeyKIfTIWLBpQRnM2xk3ITuR
2cIEH7WuhGfXi2bKwp27N2H9j5vPfsl04b50pus8XaJXUvwq+TgT1852QQy+sGQl
QE9UN0HIK8qleDV5VycpK6KnhSl7QH6283WX2xtiW1oxVETspRPv5gLIFXm9po9X
fTzQZm/Wnkvyl3SAXa4msAMABqrrczWM6ySC6UoWUEttYTAEy2OPsqEBhTBSseP5
W4w5X6kM7nU7u2R05NtxaVb/vO7RxIngU73+i7PF3ZDg6TxfQYGdAs0h03WoZCrI
JjsvdRU9QEhnZXVjAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSloFBACjHuLBs7YbSkN82IHLBklzAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW
eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB
RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCQSyYioqaFpkdSfBReEEFHffMcXzE9
VL5L/ysdFAqCk9bmMyHsYKZ8FET1mh2BqzwXY7VWulaeOg+SPv8D4kwKRtCGuDgp
/6Jo7+TzkU5GSQxnrrSuA4DW+nKwrkoS+bLEMV67MrSAMSQ3/TVwIHpxWmU16aGO
08ICQCzXyWevTaCxbC49n1iBloZPNYFk74QfUTllKYbzhKrUPqJvCjlkaHPAVzv0
OtGjXuOdSfB4nURA7INNYvx8ULMECg5Sj8Gan8kIOfeW3jt9vdxsZrbn0Cu/bcTm
OEK3nH1sBk2Hy5ZBcyludHyUzqTHsXSjnIjwZNPpihVmFrs5I1Ma7iEj
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3728 bytes and written 448 bytes
...
服务器必须发送链验证所需的证书,以避免出现“哪个目录”问题。它在PKI中是众所周知的,它实质上意味着客户端不知道去哪里找到丢失的证书。例如,客户如何知道从哪里获取“COMODO High-Assurance Secure Server CA”?
在此修复程序中,您加载了根和中间证书,因为服务器或站点设置不正确(通常只加载您信任的根)。要了解它在OpenSSL实践中的完成情况,请参阅http://wiki.openssl.org/index.php/SSL/TLS_Client处的OpenSSL客户端示例。在文件openssl-bio-fetch.c
(第115行)中,您将看到以下调用以设置链验证期间使用的受信任根(和中间体):
res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL);
ASSERT(res == 1)
...
文件random-org-chain.pem
包含以下PEM编码级联。串联包括根证书和验证www.random.org
服务器证书所需的两个中间证书。
$ cat random-org-chain.pem
#
# AddTrust External CA Root
#
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
#
# COMODO Certification Authority
#
-----BEGIN CERTIFICATE-----
MIIE8TCCA9mgAwIBAgIQbyXcFa/fXqMIVgw7ek/H+DANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMScwJQYD
VQQDEx5DT01PRE8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDQQIuLcuORG/dRwRtUBJjTqb/B5opdO4f7u4jO
DeMvPwaW8KIpUJmu2zuhV7B0UXHN7UKRTUH+qcjYaoZ3RLtZZpdQXrTULHBEz9o3
lUJpPDDEcbNS8CFNodi6OXwcnqMknfKDFpiqFnxDmxVbt640kf7UYiYYRpo/68H5
8ZBX66x6DYvbcjBqZtXgRqNw3GjZ/wRIiXfeten7Z21B6bw5vTLZYgLxsag9bjec
4i/i06Imi8a4VUOI4SM+pdIkOWpHqwDUobOpJf4NP6cdutNRwQuk2qw471VQJAVl
RpM0Ty2NrcbUIRnSjsoFYXEHc0flihkSvQRNzk6cpUisuyb3AgMBAAGjggF0MIIB
cDAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUC1jl
i8ZMFTekQKkwqSG+RzZaVv8wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
Af8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9j
cmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDCBswYI
KwYBBQUHAQEEgaYwgaMwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0
LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LnA3YzA5BggrBgEFBQcwAoYtaHR0
cDovL2NydC51c2VydHJ1c3QuY29tL0FkZFRydXN0VVROU0dDQ0EuY3J0MCUGCCsG
AQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBBQUA
A4IBAQAHYJOZqs7Q00fQNzPeP2S35S6jJQzVMx0Njav2fkZ7WQaS44LE5/X289kF
z0k0LTdf9CXH8PtrI3fx8UDXTLtJRTHdAChntylMdagfeTHJNjcPyjVPjPF+3vxG
q79om3AjMC63xVx7ivsYE3lLkkKM3CyrbCK3KFOzGkrOG/soDrc6pNoN90AyT99v
uwFQ/IfTdtn8+7aEA8rJNhj33Wzbu7qBHKat/ij5z7micV0ZBepKRtxzQe+JlEKx
Q4hvNRevHmCDrHqMEHufyfaDbZ76iO4+3e6esL/garnQnweyCROa9aTlyFt5p0c1
M2jlVZ6qW8swC53HD79oRIGXi1FK
-----END CERTIFICATE-----
#
# COMODO Extended Validation Secure Server CA
#
-----BEGIN CERTIFICATE-----
MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB
gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw
MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp
b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi
7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK
HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy
hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS
b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f
BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY
5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq
fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1
MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv
bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v
Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm
MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU
cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv
Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9
P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40
TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj
hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs
tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl
9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6
-----END CERTIFICATE-----
对C / C ++代码感到抱歉。我没有方便的Java示例,但它是OpenSSL代码并且适用相同的概念。
0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charle
Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
当IP用于公共名称(CN)时,我认为IP也必须列在主题备用名称(SAN)中。最终实体证书是否形成良好并不明显,而Bouncy Castle可能在其验证方面具有攻击性。证书要求由CA / Browser论坛发布,可在以下位置找到:
您使用的某些方法已标记为已弃用。例如,X509HostnameVerifier
的{{1}}已被弃用。
最后,您可以在Startcom获得Eddy Nigg的大多数桌面和移动浏览器所信任的免费证书。如果需要撤销,Startcom将向您收取费用,因为这是成本所在。 CA会提前向您收取撤销费用,并将未使用的收益包装好;)