I want to implement certificate pinning, but I'm stuck on an SSLPeerUnverifiedException. I'm trying to implement the feature so that, by default, I trust all certificates.
Here is my code.
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PercolateSdkPythonBridge {
    public static void main(String[] args) throws IOException {
        // Pin the expected SPKI hash for every host under *.percolate.com.
        CertificatePinner certificatePinner = new CertificatePinner.Builder()
                .add("*.percolate.com", "sha256/gd0jw5Y5beTzcXkn1mrr9b+Dri2kx2IIkML8vU5Xz04=")
                .build();
        OkHttpClient.Builder client = new OkHttpClient.Builder().certificatePinner(certificatePinner);
        try {
            // Trust manager that accepts every chain and reports no accepted issuers.
            final X509TrustManager x509TrustManager = new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) {
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) {
                }

                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[]{};
                }
            };
            final TrustManager[] trustAllCerts = new TrustManager[]{x509TrustManager};
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustAllCerts, new SecureRandom());
            // Hand OkHttp the socket factory together with the trust manager it was built from,
            // plus a hostname verifier that accepts any host name.
            client.sslSocketFactory(sslContext.getSocketFactory(), x509TrustManager)
                    .hostnameVerifier(new HostnameVerifier() {
                        @Override
                        public boolean verify(String hostname, SSLSession session) {
                            return true;
                        }
                    });
        } catch (GeneralSecurityException e) {
            e.printStackTrace();
        }
        Request request = new Request.Builder()
                .url("https://mobile-versions-api.percolate.com/api/config/")
                .build();
        final Response execute = client.build().newCall(request).execute();
    }
}
Update
After adding the property I got the detailed output below, but it still fails.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1507279555 bytes = { 153, 103, 215, 204, 115, 131, 8, 22, 109, 104, 37, 131, 131, 233, 138, 34, 63, 28, 3, 30, 54, 35, 251, 254, 95, 241, 185, 4 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=mobile-versions-api.percolate.com]
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1.2 Handshake, length = 210
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1507279555 bytes = { 19, 115, 138, 146, 56, 170, 146, 79, 4, 147, 249, 113, 32, 58, 32, 201, 238, 96, 87, 184, 97, 78, 1, 239, 107, 38, 172, 122 }
Session ID: {104, 44, 102, 109, 174, 183, 14, 5, 250, 56, 32, 54, 108, 122, 65, 133, 124, 209, 100, 56, 243, 86, 193, 102, 120, 103, 242, 36, 219, 90, 240, 180}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 1864
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.percolate.com, OU=Ops, O="Percolate Industries, Inc.", L=New York, ST=New York, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 27401232310841133798229367871778264888123281636579263087556493451455060403259520645144584781313630991090105503198253906558563466329078722164170243267435739582081442222282097054777661956394083571911323130008480518688103543574372442709650254253434253066390644674176409954924769117481644772680166177303275929599129288661414733297270603535292347906522589286324172574835433083241554969591753284712463949161543930921995788372612260539349349380608375726629159393031898512729904510137397763415534963786907974673280474817121866827512205197365492992497240546530049440471928541689855437508889763971224310008127580760255679638381
public exponent: 65537
Validity: [From: Wed Feb 28 01:00:00 CET 2018,
To: Fri Jun 26 14:00:00 CEST 2020]
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
SerialNumber: [ 098195a7 788de187 8021110d 87683a26]
Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.digicert.com
,
accessMethod: caIssuers
accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5 2F 28 E7 8D 46 38 B4 2C ..a..1a./(..F8.,
0010: E1 C6 D9 E2 ....
]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: *.percolate.com
DNSName: percolate.com
]
[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 64 49 16 AF 41 B0 38 A9 15 FF 3F A3 74 EA 6C .dI..A.8...?.t.l
0010: E0 09 51 A0 ..Q.
]
]
]
Algorithm: [SHA256withRSA]
Signature:
]
***
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 81286215691392024658297626500297003509559688137291949974573125267328187893559
public y coord: 55957327417096262980937642227003113979964272470252997235257545314551630655731
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 4, 89, 122, 32, 60, 110, 18, 176, 255, 160, 167, 60, 155, 112, 111, 52, 3, 74, 175, 208, 231, 82, 101, 50, 141, 93, 92, 183, 11, 6, 79, 64, 220, 247, 148, 253, 83, 153, 17, 129, 230, 23, 6, 135, 189, 39, 137, 177, 31, 124, 83, 214, 219, 71, 198, 68, 75, 160, 37, 154, 122, 236, 242, 13 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 247, 75, 23, 155, 57, 223, 125, 250, 51, 193, 142, 238 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data: { 248, 22, 39, 116, 98, 207, 124, 72, 147, 152, 215, 71 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: Failed to find a trusted cert that signed [
(certificate dump identical to chain [0] above, repeated in the exception message)
at okhttp3.internal.tls.CertificateChainCleaner$BasicCertificateChainCleaner.clean(CertificateChainCleaner.java:132)
at okhttp3.CertificatePinner.check(CertificatePinner.java:149)
at okhttp3.internal.io.RealConnection.connectTls(RealConnection.java:252)
at okhttp3.internal.io.RealConnection.establishProtocol(RealConnection.java:196)
at okhttp3.internal.io.RealConnection.buildConnection(RealConnection.java:171)
at okhttp3.internal.io.RealConnection.connect(RealConnection.java:111)
at okhttp3.internal.http.StreamAllocation.findConnection(StreamAllocation.java:187)
at okhttp3.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:123)
at okhttp3.internal.http.StreamAllocation.newStream(StreamAllocation.java:93)
at okhttp3.internal.http.HttpEngine.connect(HttpEngine.java:296)
at okhttp3.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
at okhttp3.RealCall.getResponse(RealCall.java:243)
at okhttp3.RealCall$ApplicationInterceptorChain.proceed(RealCall.java:201)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:163)
at okhttp3.RealCall.execute(RealCall.java:57)
at com.percoalte.sdk.python.bridge.PercolateSdkPythonBridge.main(PercolateSdkPythonBridge.java:96)
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT: warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 26
main, called closeSocket(true)
Not sure why this exception is shown. Any idea why this happens?
Answer 0 (score: 0)
Not a definite answer, but too much for a comment.
To start with, I think it's not SNI.
Your trace shows the TLS handshake (in JSSE) completing successfully (and using SNI). The received certificate chain is not really valid, because it contains only the server certificate issued by DigiCert SHA2 Secure Server CA, which is an intermediate CA and not a root, and the intermediate aka chain certificate was not supplied; but the accept-anything TrustManager you used causes JSSE not to notice this.
Then the SSLPeerUnverifiedException occurs in CertificatePinner. The only source I can find is https://github.com/square/okhttp/tree/master/okhttp/src/main/java/okhttp3, and although it has the exception message in .internal.tls.BasicCertificateChainCleaner.clean, that class is not nested inside CertificateChainCleaner. Also, it is only called from CertificatePinner.check, at a different line than yours, and it uses an instance variable that should not be set by the Builder call you used (although there is a method that can actually set that instance variable at some later, unknown time with some unknown value).
The comments (if they don't differ significantly for whatever version you are actually using) suggest this method should be called with a valid or verifiable chain, and the code seems to require it. The javadoc comment on the abstract class CertificateChainCleaner says
/**
* Computes the effective certificate chain from the raw array returned by Java's built in TLS APIs.
* Cleaning a chain returns a list of certificates where the first element is {@code chain[0]}, each
* certificate is signed by the certificate that follows, and the last certificate is a trusted CA
* certificate.
*
* <p>Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
* the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
* pinning.
*/
and the implementing class BasicCertificateChainCleaner says
/**
* A certificate chain cleaner that uses a set of trusted root certificates to build the trusted
* chain. This class duplicates the clean chain building performed during the TLS handshake. We
* prefer other mechanisms where they exist, such as with
* {@code okhttp3.internal.platform.AndroidPlatform.AndroidCertificateChainCleaner}.
*
* <p>This class includes code from <a href="https://conscrypt.org/">Conscrypt's</a> {@code
* TrustManagerImpl} and {@code TrustedCertificateIndex}.
*/
and its clean method says
* <p>This method throws if the complete chain to a trusted CA certificate cannot be constructed.
* This is unexpected unless the trust root index in this class has a different trust manager than
* what was used to establish {@code chain}.
together strongly suggest to me that this is meant for the normal (PKIX chain) validation done with a normal TrustManager. The chain "completion" done here is similar to what Java's normal PKIX or X.509 validator does, but simplified. Part of the javadoc comment on the top-level CertificatePinner class supports this further:
* <h4>Note about self-signed certificates</h4>
*
* <p>{@link CertificatePinner} can not be used to pin self-signed certificate if such certificate
* is not accepted by {@link javax.net.ssl.TrustManager}.
So I suggest you go back to using a normal TrustManager, but since that won't accept the "chain" this server currently sends, you need to either:
fix the server to comply with RFC 5246 and send the appropriate DigiCert intermediate certificate, or
get the intermediate (from the AIA at http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt, but not with a browser that honours the MIME type; try curl, wget or similar) and add it to the truststore JSSE uses, and if that is different from the truststore CertificatePinner uses, you may need to add it there too.
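As an added illustration, not code from the question or the answer, and in Go rather than Java because Go's crypto/x509 can build a throwaway certificate hierarchy without extra libraries, the following replays the answer's diagnosis: a leaf presented without its intermediate cannot be chained to a trusted root, and the question's trust manager makes this worse because OkHttp builds the pinner's trust-root index from getAcceptedIssuers(), which there returns an empty array, so the chain cleaner has no anchor at all and fails with "Failed to find a trusted cert that signed" no matter what the server sends. Once a chain is clean, a pin of the form sha256/<base64 SPKI hash> is satisfied by whichever certificate in the chain carries that key, which is why an intermediate or root can be pinned as well as the leaf. The root CA, issuing CA and the host name api.example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// makeCert issues an in-memory test certificate for cn; parent == nil means self-signed.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // server certificate: host name in the SAN plus the serverAuth EKU
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pin is OkHttp's pin format: "sha256/" + base64(SHA-256 of the DER-encoded SubjectPublicKeyInfo).
func pin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// cleanChain does what the answer says the chain cleaner must do: build a path from the leaf through
// the presented intermediates (nil if the server sent none) to a trust-store certificate, or fail.
func cleanChain(leaf *x509.Certificate, presented, roots *x509.CertPool) ([]*x509.Certificate, error) {
	opts := x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: presented}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, err
	}
	return chains[0], nil // leaf first, trust anchor last, like OkHttp's cleaned chain
}

// pinMatches is the pinning rule: some certificate in the clean chain carries the pinned key.
func pinMatches(chain []*x509.Certificate, want string) bool {
	for _, c := range chain {
		if pin(c) == want {
			return true
		}
	}
	return false
}

// newHierarchy constructs root CA -> issuing (intermediate) CA -> server certificate.
func newHierarchy() (root, inter, leaf *x509.Certificate) {
	r, rKey := makeCert("Example Root CA", true, nil, nil)
	i, iKey := makeCert("Example Issuing CA", true, r, rKey)
	l, _ := makeCert("api.example.test", false, i, iKey)
	return r, i, l
}
```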