我有一个本地HTTP代理设置用于从我的Android应用程序调试.json请求和响应数据.我使用命令行选项将其部署到运行Android 4.2.2的Nexus One仿真器映像-http-proxy http://localhost:8888.我正在使用股票ADT Build:v21.1.0-569685.我可以通过使用groovy运行的以下代码片段验证HTTP代理是否可以处理HTTPS连接:
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
FileInputStream fis =
new FileInputStream( "./.mitmproxy/mitmproxy-ca-cert.pem" );
BufferedInputStream bis = new BufferedInputStream( fis );
CertificateFactory cf = CertificateFactory.getInstance( "X.509" );
KeyStore ks = KeyStore.getInstance( KeyStore.getDefaultType() );
ks.load( null,"".toCharArray() );
while ( bis.available() > 0 )
{
Certificate cert = cf.generateCertificate( bis );
ks.setCertificateEntry( "mitmproxy", cert );
System.out.println( cert.toString() );
}
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm() );
tmf.init( ks ); …我收到以下异常:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
我做了一些研究并改变了我的连接代码:
SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
return true;
}
}).build();
CloseableHttpClient client = HttpClients.custom()
.setRedirectStrategy(new LaxRedirectStrategy())
.setSslcontext(sslContext)
.setConnectionManager(connMgr)
.build();
这解决了到目前为止的问题,我不再获得异常并且连接正常.
当我在Tomcat中运行的Servlet中使用相同的代码时,问题再次出现.
为什么?
当我执行以下行时,
req = urllib2.Request(requestwithtoken)
self.response = urllib2.urlopen(req,self.request).read()
我收到以下异常:
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)
问题是我可以通过使用ping服务来获取令牌curl.在检索令牌的过程中,所有证书都已经过验证.反过来,通过使用生成的令牌,我无法连接到该服务.我在尝试时遇到上述错误.可能是什么原因?
我有这个奇怪的问题,其中改造不断抛弃我
"SSL握手中止:ssl = 0x618d9c18:系统调用期间的I/O错误,同级连接重置"
在kitkat,而相同的代码在棒棒糖设备中工作正常.我使用如下的OkHttpClient客户端
public OkHttpClient getUnsafeOkHttpClient() {
try {
final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
@Override
public void checkClientTrusted(
java.security.cert.X509Certificate[] chain,
String authType) {
}
@Override
public void checkServerTrusted(
java.security.cert.X509Certificate[] chain,
String authType) {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[0];
}
} };
int cacheSize = 10 * 1024 * 1024; // 10 MB
Cache cache = new Cache(getCacheDir(), cacheSize);
final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, trustAllCerts,
new java.security.SecureRandom());
final SSLSocketFactory …android sslhandshakeexception android-4.4-kitkat tls1.2 retrofit2
第一种方法在这里:
<?xml version="1.0" encoding="utf-8"?> <network-security-config>
<base-config> <trust-anchors> <certificates src="system"/>
<certificates src="user"/> </trust-anchors> </base-config>
<domain-config> <domain includeSubdomains="true">xyz.com</domain>
<trust-anchors> <certificates src="@raw/my_ca"/> </trust-anchors>
</domain-config> </network-security-config>
内部清单文件:
android:network Security Config = "@xml/network_security_config"
我已经包含network_security_config在内部res/xml/network_security_config,ca证书在里面res/raw/my_ca.pem
第二种方法是:
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import java.io.IOException; import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate; import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager; …我编写了一个基于Java SSLServerSocket的服务器,它接受连接并通过自定义二进制协议与Android应用程序通信:
ServerSocket serverSocket = SSLServerSocketFactory.getDefault().createServerSocket(1234);
while (true) {
Socket socket = serverSocket.accept();
...
}
我使用以下参数运行服务器:
-Djavax.net.ssl.keyStore=keystore.jks
-Djavax.net.ssl.keyStorePassword=<PASSWORD>
并使用以下教程生成证书,该教程构建公钥和私钥集:http://judebert.com/progress/archives/425-Using-SSL-in-Java,-Part-2.html:
keytool -genkeypair -keystore keystore.jks -alias keyname
keytool -export -alias keyname -file keyname.crt -keystore keystore.jks
keytool -importcert -file keyname.crt -keystore truststore.jks
另外,我通过使用bouncycastle构建一个信任库来使它与android兼容:
keytool -importkeystore -srckeystore truststore.jks -srcstoretype JKS -srcstorepass <PASSWORD> -destkeystore truststore.bks -deststoretype BKS -deststorepass <PASSWORD> -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-1.58.jar
在此下载bouncycastle提供商:https://www.bouncycastle.org/latest_releases.html
并将生成的truststore.bks移动到原始资源文件夹中.
在Android上我使用以下代码构建一个SSLSocketFactory允许我导入生成的bouncycastle证书,该证书对我的服务器进行身份验证:
KeyStore trustStore = KeyStore.getInstance("BKS");
InputStream trustStoreStream = context.getResources().openRawResource(R.raw.truststore);
trustStore.load(trustStoreStream, "<PASSWORD>".toCharArray()); …在 Java 12 中开发基于 SSL(非 HTTP)的服务器时,我遇到了让服务器和客户端一起通信的意外困难。连接总是因 handshake_failure 错误而中断。经过大量努力(最初我是在证明我的证书),由于套接字级别的 HelloWorld SSL 客户端/服务器对,我能够隔离问题:握手失败是由启用的协议中存在 TLSv1.3 引起的默认情况下在 JDK 中。
到目前为止,我避免握手错误的解决方案是完全禁用 TLSv1.3(服务器端),但我对这个解决方案并不满意。我想了解发生了什么(假设它不是 JDK 或系统中的错误,而是我的应用程序或我的环境中的错误)。
我在下面提供了一些代码。谁能检查并告诉我我做错了什么?谢谢和最好的问候。
这是我的配置:OSX 10.14 (Mojave) 我已经使用以下 Java 版本进行了测试:
编辑:我在我的测试中添加了 Java 11,这个版本也出现了问题
// HelloSSLServer.java
import java.net.*;
import javax.net.*;
import javax.net.ssl.*;
import java.io.*;
public class HelloSSLServer {
public static void main(String args[]) throws Exception {
int port = 1234;
boolean needClientAuth = false;
ServerSocketFactory factory …我正在尝试连接到使用SSL的Web服务.我正在使用QNX IDE Momentics在C++中使用Blackberry 10.我正在尝试的连接如下:
网址:"https:// movilapi ...."
码:
networkAccessManager = new QNetworkAccessManager(this);
bool res = connect(networkAccessManager, SIGNAL(finished(QNetworkReply*)),
this, SLOT(requestFinished(QNetworkReply*)));
Q_ASSERT(res);
Q_UNUSED(res);
QNetworkRequest request = QNetworkRequest(QUrl(url));
request.setRawHeader("User-Agent", "bb-phone/20120910");
request.setRawHeader("Content-Type", "application/json");
request.setRawHeader("Content-Length", postDataSize);
QSslConfiguration sslConfig = request.sslConfiguration();
sslConfig.setPeerVerifyMode(QSslSocket::VerifyNone);
sslConfig.setProtocol(QSsl::TlsV1);
request.setSslConfiguration(sslConfig);
networkAccessManager->post(request, outData);
无论我试图达到哪种服务,我总是得到同样的错误.响应是: SSL握手失败
Wireshark信息:
Protocol Length Info
SSLv2 157 Client Hello
TLSv1 1202 Server Hello, Certificate, Server Hello Done
TLSv1 449 Client Key Exchange
TLSv1 60 Change Cipher Spec
TLSv1 91 Encrypted Handshake Message
TLSv1 97 Change Cipher Spec, Encrypted Handshake …我有一个嵌入Jetty的应用程序.我想在SSL中使用客户端证书身份验证,当我启用它时; 我在请求开始时收到以下异常.但之后请求正在得到妥善处理.只有从IE或Chrome访问时才会出现此异常.从Firefox访问时不会出现这种情况.我们有自定义SSLConnector扩展SslSocketConnector.我正在尝试调试它; 但是想知道我是否有任何特定的地方/代码可以开始检查.
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:631)
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
更新:
我启用了SSL调试选项,并在ServerHelloDone消息之后立即读取此异常.这是服务器发送其证书以及我相信的客户端证书请求的消息.我不确定在第一次阅读时会发生什么.非常感谢任何帮助.
*** ClientHello, TLSv1
****
%% Created: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
*** Certificate chain
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
*** ServerHelloDone
WRITE: TLSv1 Handshake, length = 703
received EOFException: error
handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
更新:将 …
我正在尝试使用HttpClient对象连接到网站.它适用于我们通常使用的网站(如谷歌).但是有一个网站,当我尝试连接时,我的程序给出了这个错误..
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1369)
....................
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
...............
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 27 more
当我尝试从浏览器转到此URL时,我必须单击继续.否则浏览器将无法加载页面.它给出了一个 …