Android SSL与Tomcat的连接(自签名证书)SSLPeerUnverifiedException

时间:2015-11-13 18:16:18

标签: android ssl https tomcat7

我目前正在尝试在一个简单的testapp中实现一个ssl连接。

设定: 带有Tomcat 7的Ubuntu Server 14.04.3 内部网络IP:192.168.189.42 Tomcat SSL:

https://192.168.177.42:8443/

通过以下方式创建SSL证书:Tomcat Tutorial 设备:API23平板电脑VM(Hyper-V,Visual Studio) IDE:Android Studio

首先,我通过AsyncTask测试了与Google的ssl连接:

URL url = new URL("https://google.de");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
in.close();

哪种方法正常。

所以我用这个命令从密钥库中提取证书:

keytool -export -alias tomcat -file server.cer -keystore .keystore

我将该文件放入:myproject / res / raw / server.cer

在另一个AsyncTask中,我使用了谷歌开发人员的sample code来创建连接:

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream caInput = new BufferedInputStream(context.getResources().openRawResource(R.raw.server));
        Certificate ca;

        ca = cf.generateCertificate(caInput);

        Log.d("CERT: ", "ca=" + ((X509Certificate) ca).getSubjectDN());

        caInput.close();

        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);

        URL url = new URL("https://192.168.177.42:8443/");
        HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
        urlConnection.setSSLSocketFactory(context.getSocketFactory());
        InputStream in = urlConnection.getInputStream();
        in.close();

如果我尝试执行此代码,则会出现以下异常:

11-13 18:39:02.508  12135-12280/moe.testapp W/System.err﹕ javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.177.42 not verified:
11-13 18:39:02.508  12135-12280/moe.testapp W/System.err﹕ certificate: sha1/wFJI0CzwVvJ2MuGvpoJaFO8y4z8=
11-13 18:39:02.508  12135-12280/moe.testapp W/System.err﹕ DN: CN=Alcardis,OU=AL,O=AL,L=test,ST=state,C=XX
11-13 18:39:02.508  12135-12280/moe.testapp W/System.err﹕ subjectAltNames: []
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:120)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.Connection.connect(Connection.java:143)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:185)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:433)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:384)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:231)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:210)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at moe.testapp.TomcatWebservice.doInBackground(TomcatWebservice.java:64)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at moe.testapp.TomcatWebservice.doInBackground(TomcatWebservice.java:28)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at android.os.AsyncTask$2.call(AsyncTask.java:295)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.FutureTask.run(FutureTask.java:237)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:234)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
11-13 18:39:02.509  12135-12280/moe.testapp W/System.err﹕ at java.lang.Thread.run(Thread.java:818)

我不明白主机是如何验证的。正确读取证书(我至少可以在调试器中使用正确的值访问它),Android应用程序也可以通过标准Web浏览器中的https访问tomcat。

从答案中得到答案,我得到了一些见解并尝试了另一种方法。 服务器没有FQDN,CN应该等于FQND,这就是为什么它在上面的代码中不起作用。

因为服务器没有FQDN,所以我搜索了另一种使用ip地址的方法。我发现这个howto并创建了一个没有CN的证书,但是有了替换名称并将ip放在那里我还必须将行keystoreType="PKCS12"添加到tomcat的server.xml中,因为我从默认的密钥库更改了到PKCS12。

1 个答案:

答案 0 :(得分:2)

SSL证书的默认行为是客户端验证服务器名称是否与证书中的名称相匹配。这有助于防止中间人攻击和服务器欺骗。如果您的服务器没有名称(192.168.x.x),则无法进行验证。对于初始应用程序,您可以关闭此验证。

您应该为任何实际应用程序保留服务器名称验证。