有没有人遇到以下异常。
它随机发生。发生后,https连接不能再使用了。整个应用程序需要重启。
场景: 详细跟踪代码后,我更新了方案:
1. The application has 3 process in the same application.
2. The main ui process invoke https request in another thread.
3. The another 2 processes hold the 2 servcies. one service will also invoke https request in another thread.
4. When user logout, it will stop the 2 services.
3. When user login again, the main ui process invoke https request and then fail.
代码如下:
URL url = new URL(mUri);
urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setRequestMethod(mMethod);
if (mMethod.equals(HttpPost.METHOD_NAME)) {
urlConnection.setDoOutput(true);
}
else {
urlConnection.setDoOutput(false);
}
urlConnection.setDoInput(true);
urlConnection.setUseCaches(false);
urlConnection.setChunkedStreamingMode(0);
...
if (!TextUtils.isEmpty(mJsonContent)) {
OutputStreamWriter wr = new OutputStreamWriter(urlConnection.getOutputStream());
wr.write(mJsonContent);
wr.close();
}
//Get Response
InputStream inputStream;
int statusCode;
statusCode = urlConnection.getResponseCode();
...
inputStream = urlConnection.getInputStream();
String bodyContent = convertStreamToString(inputStream);
inputStream.close();
if (urlConnection != null) {
urlConnection.disconnect();
}
我想知道可能是什么根本原因。 Currenlty我无法解决这个错误。 https连接在另一个线程中运行。得到回复后,它将回发给主线程。
W/System.err( 7158): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.
W/System.err( 7158): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:409)
W/System.err( 7158): at com.android.okhttp.Connection.upgradeToTls(Connection.java:146)
W/System.err( 7158): at com.android.okhttp.Connection.connect(Connection.java:107)
W/System.err( 7158): at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:294)
W/System.err( 7158): at com.android.okhttp.internal.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)
W/System.err( 7158): at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:206)
W/System.err( 7158): at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:345)
W/System.err( 7158): at com.android.okhttp.internal.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:89)
W/System.err( 7158): at com.android.okhttp.internal.http.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:197)
W/System.err( 7158): at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:254)
W/System.err( 7158): at com.xxxx.xxx.util.http.AsyncHttpsClient$AsyncRequest.run(AsyncHttpsClient.java:304)
W/System.err( 7158): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err( 7158): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
W/System.err( 7158): at java.lang.Thread.run(Thread.java:841)
W/System.err( 7158): Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.
W/System.err( 7158): at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:308)
W/System.err( 7158): at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:202)
W/System.err( 7158): at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:611)
W/System.err( 7158): at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W/System.err( 7158): at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
W/System.err( 7158): ... 13 more
W/System.err( 7158): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor found but certificate validation failed.
W/System.err( 7158): at com.android.org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:122)
W/System.err( 7158): at java.security.cert.CertPathValidator.validate(CertPathValidator.java:190)
W/System.err( 7158): at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:295)
W/System.err( 7158): ... 17 more
W/System.err( 7158): Caused by: com.android.org.bouncycastle.jce.provider.AnnotatedException: TrustAnchor found but certificate validation failed.
W/System.err( 7158): at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.findTrustAnchor(CertPathValidatorUtilities.java:235)
W/System.err( 7158): at com.android.org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:117)
W/System.err( 7158): ... 19 more
W/System.err( 7158): Caused by: java.security.NoSuchAlgorithmException: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
W/System.err( 7158): at com.android.org.conscrypt.NativeCrypto.X509_verify(Native Method)
W/System.err( 7158): at com.android.org.conscrypt.OpenSSLX509Certificate.verifyOpenSSL(OpenSSLX509Certificate.java:334)
W/System.err( 7158): at com.android.org.conscrypt.OpenSSLX509Certificate.verify(OpenSSLX509Certificate.java:367)
W/System.err( 7158): at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.verifyX509Certificate(CertPathValidatorUtilities.java:1427)
W/System.err( 7158): at com.android.org.bouncycastle.jce.provider.CertPathValidatorUtilities.findTrustAnchor(CertPathValidatorUtilities.java:222)
W/System.err( 7158): ... 20 more
答案 0 :(得分:0)
根据[1,2等其他来源,您可能已经过时了OpenSSL版本。尝试更新您的openSSL版本。最小版本:OpenSSL 0.9.8o
您的BouncyCastle使用OpenSSL com.android.org.conscrypt.OpenSSLX509Certificate.verify来验证证书。
异常java.security.NoSuchAlgorithmException: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm表示证书使用的是未在OpenSSL中处理的摘要,最有可能是SHA256。
更新01: 如评论中所述,在Android中您无法更新系统OpenSSL。 让实验:
尝试使用您的代码(如果可能)访问域使用SHA-256证书(在100%或不同情况下工作): https://www.fi.muni.cz/
然后,您可以尝试在此处发现有关客户支持的更多详细信息: https://www.ssllabs.com/ssltest/viewMyClient.html
然后有关您的服务器的更多信息(密码套件,通知摘要): https://www.ssllabs.com/ssltest/index.html
您的Android和OKHttp版本是什么?您的系统使用https://conscrypt.org/作为加密提供程序。您可以尝试避免使用系统捆绑的OpenSSL& BouncyCastle版本使用新版本的BouncyCastle - SpongyCastle。
按照此处https://rtyley.github.io/spongycastle/的说明将SpongyCastle安装为新的首选加密提供程序(core,prov,pkix)。如果SpongyCastle生效,你的stacktrace将包含spongycastle包。