当我的 Android 23 项目尝试通过 HTTPS 连接到我的服务器时,一切正常。
如果我将目标 SDK 切换为 24,则会出现以下错误:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:198)
at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:443)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:394)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:170)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:366)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:560)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:492)
at com.worklight.wlclient.WLRequestSender.run(WLRequestSender.java:47)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
at java.lang.Thread.run(Thread.java:761)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:563)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:444)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:508)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:508)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178)
at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
... 13 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
切换回 23,它再次工作。
24 关于证书的最低要求有什么变化吗?
最佳答案
如果您的 targetSdkVersion
用户通过设置应用程序安装的证书默认情况下不会合并到 Android 7.0 中是 24 岁以上:
By default secure (e.g. TLS, HTTPS) connections from all apps trust the pre-installed system CAs, and apps targeting API level 23 (Android M) and below also trust the user-added CA store by default.
(来自 the network security configuration docs)
要解决这个问题,您需要定义一个 network security configuration XML 资源:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<certificates src="system"/>
<certificates src="user"/>
</trust-anchors>
</base-config>
</network-security-config>
然后,从您的 android:networkSecurityConfig
指向该 XML 资源<application>
中的属性 list 中的元素。
一般来说,Android 7.0 通过网络安全配置子系统(android.security.net.config.RootTrustManager
和堆栈跟踪中的 kin)路由 HTTPS。此处介绍的其他兼容性问题可能与 targetSdkVersion
有关。 .因此,如果缺少用户证书不是您的问题,您可以创建一个重现该问题的示例项目,file an issue .因为我维护 a backport of that stuff ,我有兴趣了解任何错误。 :-)
关于android - Android 是否更改了 API 24 中的 SSL 配置?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38770126/