我的Android应用程序应该能够与任何启用SSL的服务器进行通信。由于我的应用程序是演示应用程序,我的客户在登录时在应用程序中添加了自己的SSL服务器详细信息,所以我不知道需要验证哪个SSL证书。
以下是我之前的代码。
NSString *Finalstr = [NSString stringWithFormat: @"UserName=%@&Password=%@&grant_type=%@", usernameString,passwordString,Grant_type]
当我更新我的Playstore时,它被拒绝了,原因如下
要正确处理SSL证书验证,请在自定义X509TrustManager接口的checkServerTrusted方法中更改代码,以便在服务器提供的证书不符合您的期望时引发CertificateException或IllegalArgumentException。对于技术问题,您可以发布到Stack Overflow并使用标签“android-security”和“TrustManager。”
我想更新与此相似的代码
public SSLSocketFactory getSSLSocketFactory(String hostname) {
try {
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new X509TrustManager[] { new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
} }, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
} catch (Exception e) {
e.printStackTrace();
}
return HttpsURLConnection.getDefaultSSLSocketFactory();
}
}
Playstore接受这个吗?有没有更好的方法来处理这个?
先谢谢。
答案 0 :(得分:3)
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
public class Example {
public static void main(String[] args) throws Exception {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
URL url = new URL("https_url_here");
URLConnection con = url.openConnection();
Reader reader = new InputStreamReader(con.getInputStream());
while (true) {
int ch = reader.read();
if (ch==-1) {
break;
}
System.out.print((char)ch);
}
}
}
使用此黑客时要小心!跳过证书验证很危险,只能在测试环境中完成。
答案 1 :(得分:2)
引用以下解决方案: https://gist.github.com/aembleton/889392
以下代码对HttpsUrlConnection的任何新实例禁用SSL证书检查:
/**
* Disables the SSL certificate checking for new instances of {@link HttpsURLConnection} This has been created to
* aid testing on a local box, not for use on production.
*/
public static void disableSSLCertificateChecking() {
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
// Not implemented
}
@Override
public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
// Not implemented
}
} };
try {
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String hostname, SSLSession session) { return true; } });
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
答案 2 :(得分:0)
如果有人希望在 NativeScript Android 应用程序中禁用 SSL 证书检查,以下是将 Elad's answer's 代码转换为 JavaScript 的方法:
const disableSSLCertificateCheckin = function () {
const trustAllCerts = [new javax.net.ssl.X509TrustManager({
getAcceptedIssuers: function () {
return null
},
checkClientTrusted: function (arg0, arg1) {
// Not implemented
},
checkServerTrusted: function (arg0, arg1) {
// Not implemented
},
})]
try {
const sc = javax.net.ssl.SSLContext.getInstance('TLS')
sc.init(null, trustAllCerts, new java.security.SecureRandom())
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory())
javax.net.ssl.HttpsURLConnection.HttpsURLConnection.setDefaultHostnameVerifier(
new javax.net.ssl.HostnameVerifier({
verify: function (hostname, session) {
return true
}
})
)
} catch (e) {
console.log('e :>> ', e);
}
}
disableSSLCertificateCheckin()
谢谢@Elad!