谷歌播放时收到警告。
如何处理WebViewClient.onReceivedSslError处理程序的不安全实现的“SSL错误处理程序漏洞”。
“请尽快解决此漏洞并增加已升级APK的版本号。要正确处理SSL证书验证,只要服务器提供的证书符合您的期望,就更改您的代码以调用SslErrorHandler.proceed(),并调用SslErrorHandler.cancel()。“
答案 0 :(得分:9)
我今天收到了同样的警告,它告诉我这个问题 来自我的一个广告网络的SDK(InMobi,我真的考虑放弃它们,因为它们有很多欺诈性,自动重定向横幅,现在这个......):
com.inmobi.commons.analytics.iat.impl.net.AdTrackerWebViewLoader$MyWebViewClient
您案件中受影响的班级是什么?如果它是您自己的课程之一,您必须阅读技术documentation并修复您的实施。
如果像我一样,您只是您的某个外部库的受害者,请与开发人员联系,要求他们提供固定库(或删除库)。
答案 1 :(得分:2)
您应首先检查您是否正确使用了WebViewClient.onReceivedSslError处理程序。
如果您没有使用WebViewClient库,或者您已经正确使用它,则问题可能来自第三方库。您可以先在项目的根目录中使用此linux命令来确定哪些库可能导致该问题:
find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;
这将列出所有具有“OnReceivedSslError”字符串的jar文件中的文件。
之后,您可以检查每个匹配文件中是否遵守处理此漏洞的Google建议。
答案 2 :(得分:1)
如果您不需要处理onReceivedSslErr(WebView,SslErrorHandler,SslError)中的内容,只需删除此方法以避免谷歌播放warning.Otherwise,您也不应该直接进行操作。
以下是@sakiM的一个例子,Webview avoid security alert from google play upon implementation of onReceivedSslError
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
final AlertDialog.Builder builder = new AlertDialog.Builder(this);
builder.setMessage(R.string.notification_error_ssl_cert_invalid);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
如果第三个库已调用方法onReceivedSslErr,请联系提供商。
答案 3 :(得分:0)
您好,这是解决您问题的最新解决方案。希望它会帮助某人:
//复制粘贴此代码并删除onReceivedError()方法。
/**
* Notify the host application that an SSL error occurred while loading a
* resource. The host application must call either handler.cancel() or
* handler.proceed(). Note that the decision may be retained for use in
* response to future SSL errors. The default behavior is to cancel the
* load.
*
* @param view The WebView that is initiating the callback.
* @param handler An SslErrorHandler object that will handle the user's
* response.
* @param error The SSL error object.
*/
@Override
public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
//final AlertDialog.Builder builder = new AlertDialog.Builder(OnlinePayment.this);
String msg="";
if(error.getPrimaryError()==SslError.SSL_DATE_INVALID
|| error.getPrimaryError()== SslError.SSL_EXPIRED
|| error.getPrimaryError()== SslError.SSL_IDMISMATCH
|| error.getPrimaryError()== SslError.SSL_INVALID
|| error.getPrimaryError()== SslError.SSL_NOTYETVALID
|| error.getPrimaryError()==SslError.SSL_UNTRUSTED) {
if(error.getPrimaryError()==SslError.SSL_DATE_INVALID){
msg="The date of the certificate is invalid";
}else if(error.getPrimaryError()==SslError.SSL_INVALID){
msg="A generic error occurred";
}
else if(error.getPrimaryError()== SslError.SSL_EXPIRED){
msg="The certificate has expired";
}else if(error.getPrimaryError()== SslError.SSL_IDMISMATCH){
msg="Hostname mismatch";
}
else if(error.getPrimaryError()== SslError.SSL_NOTYETVALID){
msg="The certificate is not yet valid";
}
else if(error.getPrimaryError()==SslError.SSL_UNTRUSTED){
msg="The certificate authority is not trusted";
}
}
final AlertDialog.Builder builder = new AlertDialog.Builder(OnlinePayment.this);
builder.setMessage(msg);
builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.proceed();
}
});
builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialog, int which) {
handler.cancel();
}
});
final AlertDialog dialog = builder.create();
dialog.show();
}
答案 4 :(得分:-5)
这可能是由于您的应用程序中使用的第三方库(包括open ssl)引起的。它发生在我的情况下。谷歌播放提醒中提到了该库。我在包含该库的
中使用了以下grep命令$ unzip -p YourApp.apk | strings | grep "OpenSSL"
如果因为该库存在打开的ssl问题,此命令将显示冗长的日志。
+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
OpenSSL/%lx.%lx.%lx%s
OpenSSL 1.0.1h 5 Jun 2014
%s(%d): OpenSSL internal error, assertion failed: %s
OpenSSL DH Method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
MD4 part of OpenSSL 1.0.1h 5 Jun 2014
MD5 part of OpenSSL 1.0.1h 5 Jun 2014
SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
DES part of OpenSSL 1.0.1h 5 Jun 2014
libdes part of OpenSSL 1.0.1h 5 Jun 2014
AES part of OpenSSL 1.0.1h 5 Jun 2014
Big Number part of OpenSSL 1.0.1h 5 Jun 2014
^RSA part of OpenSSL 1.0.1h 5 Jun 2014
Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
Stack part of OpenSSL 1.0.1h 5 Jun 2014
lhash part of OpenSSL 1.0.1h 5 Jun 2014
EVP part of OpenSSL 1.0.1h 5 Jun 2014
ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
PEM part of OpenSSL 1.0.1h 5 Jun 2014
X.509 part of OpenSSL 1.0.1h 5 Jun 2014
RC2 part of OpenSSL 1.0.1h 5 Jun 2014
IDEA part of OpenSSL 1.0.1h 5 Jun 2014
CAMELLIA part of OpenSSL 1.0.1h 5 Jun 2014
EDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDH part of OpenSSL 1.0.1h 5 Jun 2014
RAND part of OpenSSL 1.0.1h 5 Jun 2014
CONF part of OpenSSL 1.0.1h 5 Jun 2014
CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
SHA part of OpenSSL 1.0.1h 5 Jun 2014
RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
RC4 part of OpenSSL 1.0.1h 5 Jun 2014
:Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
\CAST part of OpenSSL 1.0.1h 5 Jun 2014
OpenSSLDie
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
DSA_OpenSSL
ECDSA_OpenSSL
ECDH_OpenSSL
UI_OpenSSL
%s(%d): OpenSSL internal error, assertion failed: %s
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
OpenSSL default user interface
OpenSSL 'dlfcn' shared library method
OpenSSL/%lx.%lx.%lx%s
OpenSSL 1.0.1h 5 Jun 2014
OpenSSL DH Method
OpenSSL CMAC method
OpenSSL HMAC method
OpenSSL EC algorithm
OpenSSL RSA method
OpenSSL DSA method
OpenSSL ECDSA method
OpenSSL PKCS#3 DH method
OpenSSL ECDH method
OpenSSL default
SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
MD4 part of OpenSSL 1.0.1h 5 Jun 2014
MD5 part of OpenSSL 1.0.1h 5 Jun 2014
SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
DES part of OpenSSL 1.0.1h 5 Jun 2014
libdes part of OpenSSL 1.0.1h 5 Jun 2014
AES part of OpenSSL 1.0.1h 5 Jun 2014
Big Number part of OpenSSL 1.0.1h 5 Jun 2014
^RSA part of OpenSSL 1.0.1h 5 Jun 2014
Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
Stack part of OpenSSL 1.0.1h 5 Jun 2014
lhash part of OpenSSL 1.0.1h 5 Jun 2014
EVP part of OpenSSL 1.0.1h 5 Jun 2014
ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
PEM part of OpenSSL 1.0.1h 5 Jun 2014
X.509 part of OpenSSL 1.0.1h 5 Jun 2014
RC2 part of OpenSSL 1.0.1h 5 Jun 2014
IDEA part of OpenSSL 1.0.1h 5 Jun 2014
DSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
ECDH part of OpenSSL 1.0.1h 5 Jun 2014
RAND part of OpenSSL 1.0.1h 5 Jun 2014
CONF part of OpenSSL 1.0.1h 5 Jun 2014
CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
SHA part of OpenSSL 1.0.1h 5 Jun 2014
RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
\CAST part of OpenSSL 1.0.1h 5 Jun 2014
对于另一个没有该库的apk,请尝试相同的命令。它将只显示两行,如下面的
+com.android.org.conscrypt.OpenSSLSocketImpl
7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl