Android SSL hostname not verified

I have a self-signed server hard-coded on port 52428. Even though I override HostnameVerifier to always return true, my client app still receives "Hostname was not verified". When I change the hostname from the IP address to a DNS name, another error pops up saying "Unable to resolve host: No address associated with hostname".

Here is my code:

```java
import android.os.AsyncTask;
import android.util.Base64;
import android.widget.Toast;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Inner class of an Activity; ctxt is the Activity's Context field.
private class SSLConnect extends AsyncTask<Void, Void, String> {
    @Override
    protected String doInBackground(Void... values) {
        //String https_url = "https://www.google.com/";
        //String https_url = "https://192.168.0.106:52428/webserveradmin/preferences";
        String https_url = "https://home-pc:52428/webserveradmin/preferences/";
        String response;
        try {
            // Trust manager that accepts every server certificate (no chain validation at all).
            TrustManager[] tm = new TrustManager[]{
                new X509TrustManager() {
                    @Override
                    public void checkClientTrusted(X509Certificate[] chain, String authType)
                            throws CertificateException {
                    }

                    @Override
                    public void checkServerTrusted(X509Certificate[] chain, String authType)
                            throws CertificateException {
                    }

                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        //return new X509Certificate[0];
                        return null;
                    }
                }
            };
            URL url;
            try {
                url = new URL(https_url);
            } catch (MalformedURLException e) {
                return "Error URL: " + e.getMessage();
            }
            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            try {
                // setDefaultHostnameVerifier is static and only affects connections opened
                // afterwards; this connection already exists, so set the verifier on it directly.
                conn.setHostnameVerifier(new NullHostNameVerifier());
                SSLContext sc = SSLContext.getInstance("SSL");
                sc.init(null, tm, new SecureRandom());
                conn.setSSLSocketFactory(sc.getSocketFactory());
                conn.setRequestMethod("GET");
                // encode() returns byte[]; a header value needs encodeToString(), and
                // NO_WRAP avoids the trailing newline that DEFAULT appends.
                conn.setRequestProperty("Authorization",
                        "Basic " + Base64.encodeToString("sa:sa".getBytes(), Base64.NO_WRAP));
                conn.connect();
                InputStream in = conn.getInputStream();
                BufferedReader r = new BufferedReader(new InputStreamReader(in));
                StringBuilder sb = new StringBuilder();
                String line;
                while ((line = r.readLine()) != null) {
                    sb.append(line);
                }
                response = sb.toString();
            } catch (GeneralSecurityException e) {
                return "Error Security: " + e.getMessage();
            }
        } catch (Exception e) {
            return "Error SSL: " + e.getMessage();
        }
        return response;
    }

    @Override
    protected void onProgressUpdate(Void... values) {
    }

    @Override
    protected void onPostExecute(String result) {
        Toast.makeText(ctxt, result, Toast.LENGTH_LONG).show();
    }
}

// Hostname verifier that accepts any hostname.
public class NullHostNameVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}
```

The hostname verifier is only concerned with verifying the hostname, not with validating the trust chain. But with a self-signed certificate you have no trust chain leading to a locally trusted certificate.

Apart from that, simply disabling the certificate checks is a very bad idea, because then you accept not only self-signed certificates but any certificate at all, so you are open to man-in-the-middle attacks. See also the SSL vulnerabilities in ******** VU#582497. To do it properly, use certificate/public key pinning. For a more detailed explanation with sample code, see OWASP.
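Public key pinning for a self-signed server, as the answer recommends, written here as an added example (not code from the question, the answer or OWASP): the trust manager accepts exactly one server key and the connection keeps a real hostname check instead of the accept-all verifier. The class name, the `open` helper and the Base64 pin are assumptions; the pin shown is an all-zero placeholder that must be replaced by the SHA-256 of the real server's SubjectPublicKeyInfo.

```java
import android.util.Base64;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Trusts exactly one server key: SHA-256 over the leaf certificate's SubjectPublicKeyInfo
// must equal the pin. The pin below is an all-zero placeholder, not a real value.
public final class PinningTrustManager implements X509TrustManager {
    private static final byte[] PINNED_SPKI_SHA256 =
            Base64.decode("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", Base64.DEFAULT);

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // still reject expired or not-yet-valid certificates
        byte[] digest;
        try {
            digest = MessageDigest.getInstance("SHA-256").digest(leaf.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        if (!MessageDigest.isEqual(digest, PINNED_SPKI_SHA256)) { // constant-time comparison
            throw new CertificateException("server public key does not match the pin");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client certificates are not accepted");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // never null: callers may iterate over this
    }

    // Wires the pin and a strict hostname check into one connection. Note the instance
    // method setHostnameVerifier, not the static setDefaultHostnameVerifier from the question.
    static HttpsURLConnection open(URL url, final String expectedHost) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{new PinningTrustManager()}, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> expectedHost.equalsIgnoreCase(hostname));
        return conn;
    }
}
```

Because trust is decided by the key digest alone, the app no longer needs the self-signed certificate in any trust store, and a different key presented by an interposed host fails `checkServerTrusted` before any request is sent.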