项目中使用的是okhttp,https请求报异常:
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:230)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:320)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:284)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:169)
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:127)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
是由于Https使用的证书的问题,Https是安全的http请求,请求时需要验证SSL证书。
上述报错的原因有几种情况:
1.https服务器还没有配置SSL证书。
2.https服务器配置的不是正规的CA机构签发的证书,可能是二级代理商等签发的证书,验证不通过造成的。
SSL/TLS证书是需要去专门的CA机构购买的,一般是买一年期的。当然CA机构也提供免费的CA证书,但是有效期一般比较短,比如只有三个月,且安全性不高。
SSL/TLS证书提供商的常见品牌:Symantec、Comodo、GeoTrust、GlobalSign、RapidSSL、DigiCert、GlobalSign等
延伸的思考:
- https请求时在握手阶段请求下来的ssl证书存储在哪里?还是说不缓存,只存储在内存中?
- 客户端验证证书过程?是将证书发给CA机构进行验证,还是根据证书里的CA机构的签名以及CA机构的公钥进行验证?
- 数字证书提供商靠谱吗?
- 没有域名只有ip可以使用https请求吗?
在CA机构申请CA证书时填写的是域名,所以,证书里的信息绑定的是域名,跟ip无关,因此ip+端口的形式无法使用https请求,因为证书不能绑定到ip,请求时无法获取到证书?初步理解,有待考证…
AWS也是个CA机构,证书费用每个月3千多美刀,一年3-4万美刀。
阿里云的ssl服务是以代理商的方式,本身不是CA机构,证书费用一年两千多。
解决方案:
解决方案1:
向后台获取最新的ca证书,从后台服务器下载或者存储在app本地都可。
解决方案2:忽略https的证书校验
有时候为了测试需要,可以忽略证书验证。
public class SSLSocketClient {
//获取这个SSLSocketFactory
public static SSLSocketFactory getSSLSocketFactory() {
try {
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, getTrustManager(), new SecureRandom());
return sslContext.getSocketFactory();
} catch (Exception e) {
throw new RuntimeException(e);
}
}
//获取TrustManager
private static TrustManager[] getTrustManager() {
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[]{};
}
}
};
return trustAllCerts;
}
//获取HostnameVerifier
public static HostnameVerifier getHostnameVerifier() {
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
@Override
public boolean verify(String s, SSLSession sslSession) {
return true;
}
};
return hostnameVerifier;
}
}
使用:
String url = "https://wwww.baidu.com";
OkHttpClient okHttpClient = new OkHttpClient()
.newBuilder()
.sslSocketFactory(SSLSocketClient.getSSLSocketFactory())//配置
.hostnameVerifier(SSLSocketClient.getHostnameVerifier())//配置
.build();
final Request request = new Request.Builder()
.url(url)
.get()
.build();
Call call = okHttpClient.newCall(request);
call.enqueue(new Callback() {[添加链接描述](https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocketFactory.html)
@Override
public void onFailure(Call call, IOException e) {
Log.d(TAG, "onFailure: ");
}
@Override
public void onResponse(Call call, Response response) throws IOException {
Log.d(TAG, "onResponse: " + response.body().string());
}
});
OkHttpClient.Builder的sslSocketFactory方法
该方法的官方介绍:
//OkHttpClient.java
...
/**
* Sets the socket factory and trust manager used to secure HTTPS connections. If unset, the
* system defaults will be used.
*
* <p>Most applications should not call this method, and instead use the system defaults. Those
* classes include special optimizations that can be lost if the implementations are decorated.
*
* <p>If necessary, you can create and configure the defaults yourself with the following code:
*
* <pre> {@code
*
* TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
* TrustManagerFactory.getDefaultAlgorithm());
* trustManagerFactory.init((KeyStore) null);
* TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
* if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
* throw new IllegalStateException("Unexpected default trust managers:"
* + Arrays.toString(trustManagers));
* }
* X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
*
* SSLContext sslContext = SSLContext.getInstance("TLS");
* sslContext.init(null, new TrustManager[] { trustManager }, null);
* SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
*
* OkHttpClient client = new OkHttpClient.Builder()
* .sslSocketFactory(sslSocketFactory, trustManager)
* .build();
* }</pre>
*/
public Builder sslSocketFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager) {
if (sslSocketFactory == null) throw new NullPointerException("sslSocketFactory == null");
if (trustManager == null) throw new NullPointerException("trustManager == null");
this.sslSocketFactory = sslSocketFactory;
this.certificateChainCleaner = CertificateChainCleaner.get(trustManager);
return this;
}
...
该方法有两个参数:sslSocketFactory和trustManager。
sslSocketFactory是用于创建SSLSocket的。
trustManager是用于传递给CertificateChainCleaner.get(trustManager);
的,是用于构造证书链清洁器CertificateChainCleaner
并用于清理证书列表的:
//CertificateChainCleaner.java
/**
* Computes the effective certificate chain from the raw array returned by Java's built in TLS APIs.
* Cleaning a chain returns a list of certificates where the first element is {@code chain[0]}, each
* certificate is signed by the certificate that follows, and the last certificate is a trusted CA
* certificate.
*
* <p>Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
* the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
* pinning.
*/
public abstract class CertificateChainCleaner {
public abstract List<Certificate> clean(List<Certificate> chain, String hostname)
throws SSLPeerUnverifiedException;
public static CertificateChainCleaner get(X509TrustManager trustManager) {
return Platform.get().buildCertificateChainCleaner(trustManager);
}
public static CertificateChainCleaner get(X509Certificate... caCerts) {
return new BasicCertificateChainCleaner(new BasicTrustRootIndex(caCerts));
}
}
根据Java的内置的TLS APIS返回的原始数组,计算有效的证书链(即返回的List<Certificate>
)。清理一个证书链会返回一个证书列表,其中第一个元素是chain[0]
,每个证书都由其后面的那个证书签名,最后一个证书是受信任的CA证书。
为了省略与TLS握手无关的意外证书,以及为了证书固定的好处从而提取可信CA证书,因此必须使用证书链清洁器。
OkHttpClient.Builder的hostnameVerifier方法
该方法的官方介绍:
Sets the verifier used to confirm that response certificates apply to requested hostnames for HTTPS connections.
If unset, a default hostname verifier will be used.
翻译:
设置用于确认响应证书应用于HTTPS连接的请求主机名的验证器。如果未设置,将使用默认的主机名验证程序。
设置域名验证器,用于在https连接中,确认响应返回的证书适用于请求的域名。如果未设置,则使用默认的域名验证器。
TrustManager 与 HostnameVerifier的关系与区别
这是stackoverflow上的一个回答:
The HostnameVerifier runs after the TLS handshake, over a TLS connection that is already valid from the TLS point of view, so at that point you know that the certificate is valid, signed by a trusted issuer, non-expired (?), etc., and all you have to do is decide (a) whether it’s from the correct server and (b) whether you trust that server. You might do (b) inside a TrustManager, but far more commonly you wouldn’t provide your own TrustManager at all.
主要就是说执行HostnameVerifier的verify时,TLS的握手过程已经完成,此时,证书本身已经被验证是有效的,即证书是受信任的发布者颁发的(通过验证签名),没有过期等等。HostnameVerifier的verify方法要做的是判断该证书是否的确是请求的ip或者域名对应的服务器的证书。
如何判断?根据okhttp的代码,是根据certificate.getSubjectAlternativeNames();
返回的结果中是否有与请求的ip或者域名相等的ip/域名进行判断的,如果有,即验证成功。
综上:
即TrustManager是用于判断证书是否是有效的证书,是否是受信任CA机构颁发的证书,是否在有效期内等等,总之,是判断
证书本身是否是受信任的、有效的。
而HostnameVerifier是用于判断当前请求的ip或者域名是否与证书中登记的ip或者域名一致,即判断请求的服务器是否是真正的服务器。
看下okhttp的hostnameVerifier.verify()方法是在哪里调用的:
//RealConnection.java
...
private void connectTls(ConnectionSpecSelector connectionSpecSelector) throws IOException {
Address address = route.address();
SSLSocketFactory sslSocketFactory = address.sslSocketFactory();
boolean success = false;
SSLSocket sslSocket = null;
try {
// Create the wrapper over the connected socket.
sslSocket = (SSLSocket) sslSocketFactory.createSocket(
rawSocket, address.url().host(), address.url().port(), true /* autoClose */);
// Configure the socket's ciphers, TLS versions, and extensions.
ConnectionSpec connectionSpec = connectionSpecSelector.configureSecureSocket(sslSocket);
if (connectionSpec.supportsTlsExtensions()) {
Platform.get().configureTlsExtensions(
sslSocket, address.url().host(), address.protocols());
}
// Force handshake. This can throw!
sslSocket.startHandshake();
// block for session establishment
SSLSession sslSocketSession = sslSocket.getSession();
Handshake unverifiedHandshake = Handshake.get(sslSocketSession);
// Verify that the socket's certificates are acceptable for the target host.
if (!address.hostnameVerifier().verify(address.url().host(), sslSocketSession)) {
List<Certificate> peerCertificates = unverifiedHandshake.peerCertificates();
if (!peerCertificates.isEmpty()) {
X509Certificate cert = (X509Certificate) peerCertificates.get(0);
throw new SSLPeerUnverifiedException(
"Hostname " + address.url().host() + " not verified:"
+ "\n certificate: " + CertificatePinner.pin(cert)
+ "\n DN: " + cert.getSubjectDN().getName()
+ "\n subjectAltNames: " + OkHostnameVerifier.allSubjectAltNames(cert));
} else {
throw new SSLPeerUnverifiedException(
"Hostname " + address.url().host() + " not verified (no certificates)");
}
}
// Check that the certificate pinner is satisfied by the certificates presented.
address.certificatePinner().check(address.url().host(),
unverifiedHandshake.peerCertificates());
// Success! Save the handshake and the ALPN protocol.
String maybeProtocol = connectionSpec.supportsTlsExtensions()
? Platform.get().getSelectedProtocol(sslSocket)
: null;
socket = sslSocket;
source = Okio.buffer(Okio.source(socket));
sink = Okio.buffer(Okio.sink(socket));
handshake = unverifiedHandshake;
protocol = maybeProtocol != null
? Protocol.get(maybeProtocol)
: Protocol.HTTP_1_1;
success = true;
} catch (AssertionError e) {
if (Util.isAndroidGetsocknameError(e)) throw new IOException(e);
throw e;
} finally {
if (sslSocket != null) {
Platform.get().afterHandshake(sslSocket);
}
if (!success) {
closeQuietly(sslSocket);
}
}
}
...
先完成ssl/tls握手,然后执行verifyHostname()方法。
okhttp中,实现HostnameVerifier接口的是OkHostnameVerifier:
//OkHostnameVerifier.java
/**
* A HostnameVerifier consistent with <a href="http://www.ietf.org/rfc/rfc2818.txt">RFC 2818</a>.
*/
public final class OkHostnameVerifier implements HostnameVerifier {
public static final OkHostnameVerifier INSTANCE = new OkHostnameVerifier();
private static final int ALT_DNS_NAME = 2;
private static final int ALT_IPA_NAME = 7;
private OkHostnameVerifier() {
}
@Override
public boolean verify(String host, SSLSession session) {
try {
Certificate[] certificates = session.getPeerCertificates();
return verify(host, (X509Certificate) certificates[0]);
} catch (SSLException e) {
return false;
}
}
public boolean verify(String host, X509Certificate certificate) {
return verifyAsIpAddress(host)
? verifyIpAddress(host, certificate)
: verifyHostname(host, certificate);
}
/** Returns true if {@code certificate} matches {@code ipAddress}. */
private boolean verifyIpAddress(String ipAddress, X509Certificate certificate) {
List<String> altNames = getSubjectAltNames(certificate, ALT_IPA_NAME);
for (int i = 0, size = altNames.size(); i < size; i++) {
if (ipAddress.equalsIgnoreCase(altNames.get(i))) {
return true;
}
}
return false;
}
/** Returns true if {@code certificate} matches {@code hostname}. */
private boolean verifyHostname(String hostname, X509Certificate certificate) {
hostname = hostname.toLowerCase(Locale.US);
List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME);
for (String altName : altNames) {
if (verifyHostname(hostname, altName)) {
return true;
}
}
return false;
}
...
可以看出OkHostnameVerifier的verify方法是验证https请求中的域名或者IP,与证书中登记的是否一致。
也可以看下apache的httpclient的hostnameVerifier.verify()方法是在哪里调用的:
//SSLConnectionSocketFactory.java
...
@Override
public Socket createLayeredSocket(
final Socket socket,
final String target,
final int port,
final HttpContext context) throws IOException {
final SSLSocket sslsock = (SSLSocket) this.socketfactory.createSocket(
socket,
target,
port,
true);
if (supportedProtocols != null) {
sslsock.setEnabledProtocols(supportedProtocols);
} else {
// If supported protocols are not explicitly set, remove all SSL protocol versions
final String[] allProtocols = sslsock.getEnabledProtocols();
final List<String> enabledProtocols = new ArrayList<String>(allProtocols.length);
for (final String protocol: allProtocols) {
if (!protocol.startsWith("SSL")) {
enabledProtocols.add(protocol);
}
}
if (!enabledProtocols.isEmpty()) {
sslsock.setEnabledProtocols(enabledProtocols.toArray(new String[enabledProtocols.size()]));
}
}
if (supportedCipherSuites != null) {
sslsock.setEnabledCipherSuites(supportedCipherSuites);
}
if (this.log.isDebugEnabled()) {
this.log.debug("Enabled protocols: " + Arrays.asList(sslsock.getEnabledProtocols()));
this.log.debug("Enabled cipher suites:" + Arrays.asList(sslsock.getEnabledCipherSuites()));
}
prepareSocket(sslsock);
this.log.debug("Starting handshake");
sslsock.startHandshake();
verifyHostname(sslsock, target);
return sslsock;
}
private void verifyHostname(final SSLSocket sslsock, final String hostname) throws IOException {
try {
SSLSession session = sslsock.getSession();
if (session == null) {
// In our experience this only happens under IBM 1.4.x when
// spurious (unrelated) certificates show up in the server'
// chain. Hopefully this will unearth the real problem:
final InputStream in = sslsock.getInputStream();
in.available();
// If ssl.getInputStream().available() didn't cause an
// exception, maybe at least now the session is available?
session = sslsock.getSession();
if (session == null) {
// If it's still null, probably a startHandshake() will
// unearth the real problem.
sslsock.startHandshake();
session = sslsock.getSession();
}
}
if (session == null) {
throw new SSLHandshakeException("SSL session not available");
}
if (this.log.isDebugEnabled()) {
this.log.debug("Secure session established");
this.log.debug(" negotiated protocol: " + session.getProtocol());
this.log.debug(" negotiated cipher suite: " + session.getCipherSuite());
try {
final Certificate[] certs = session.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
final X500Principal peer = x509.getSubjectX500Principal();
this.log.debug(" peer principal: " + peer.toString());
final Collection<List<?>> altNames1 = x509.getSubjectAlternativeNames();
if (altNames1 != null) {
final List<String> altNames = new ArrayList<String>();
for (final List<?> aC : altNames1) {
if (!aC.isEmpty()) {
altNames.add((String) aC.get(1));
}
}
this.log.debug(" peer alternative names: " + altNames);
}
final X500Principal issuer = x509.getIssuerX500Principal();
this.log.debug(" issuer principal: " + issuer.toString());
final Collection<List<?>> altNames2 = x509.getIssuerAlternativeNames();
if (altNames2 != null) {
final List<String> altNames = new ArrayList<String>();
for (final List<?> aC : altNames2) {
if (!aC.isEmpty()) {
altNames.add((String) aC.get(1));
}
}
this.log.debug(" issuer alternative names: " + altNames);
}
} catch (final Exception ignore) {
}
}
if (!this.hostnameVerifier.verify(hostname, session)) {
final Certificate[] certs = session.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
final List<SubjectName> subjectAlts = DefaultHostnameVerifier.getSubjectAltNames(x509);
throw new SSLPeerUnverifiedException("Certificate for <" + hostname + "> doesn't match any " +
"of the subject alternative names: " + subjectAlts);
}
// verifyHostName() didn't blowup - good!
} catch (final IOException iox) {
// close the socket before re-throwing the exception
try { sslsock.close(); } catch (final Exception x) { /*ignore*/ }
throw iox;
}
}
先完成ssl/tls握手,然后执行verifyHostname()方法。
X509
X.509 是密码学里公钥证书的格式标准。 X.509 证书己应用在包括TLS/SSL(WWW万维网安全浏览的基石)在内的众多 Internet协议里。同时它也用在很多非在线应用场景里,比如电子签名服务。
X.509证书里含有公钥、身份信息(比如网络主机名,组织的名称或个体名称等)和签名信息(可以是证书签发机构CA的签名,也可以是自签名)。对于一份经由可信的证书签发机构签名或者可以通过其它方式验证的证书,证书的拥有者就可以用证书及相应的私钥来创建安全的通信,对文档进行数字签名。
X509TrustManager
/**
* Instance of this interface manage which X509 certificates
* may be used to authenticate the remote side of a secure
* socket. Decisions may be based on trusted certificate
* authorities, certificate revocation lists, online
* status checking or other means.
*
* @since 1.4
*/
public interface X509TrustManager extends TrustManager {
/**
* Given the partial or complete certificate chain provided by the
* peer, build a certificate path to a trusted root and return if
* it can be validated and is trusted for client SSL
* authentication based on the authentication type.
* <p>
* The authentication type is determined by the actual certificate
* used. For instance, if RSAPublicKey is used, the authType
* should be "RSA". Checking is case-sensitive.
*
* @param chain the peer certificate chain
* @param authType the authentication type based on the client certificate
* @throws IllegalArgumentException if null or zero-length chain
* is passed in for the chain parameter or if null or zero-length
* string is passed in for the authType parameter
* @throws CertificateException if the certificate chain is not trusted
* by this TrustManager.
*/
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException;
/**
* Given the partial or complete certificate chain provided by the
* peer, build a certificate path to a trusted root and return if
* it can be validated and is trusted for server SSL
* authentication based on the authentication type.
* <p>
* The authentication type is the key exchange algorithm portion
* of the cipher suites represented as a String, such as "RSA",
* "DHE_DSS". Note: for some exportable cipher suites, the key
* exchange algorithm is determined at run time during the
* handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,
* the authType should be RSA_EXPORT when an ephemeral RSA key is
* used for the key exchange, and RSA when the key from the server
* certificate is used. Checking is case-sensitive.
*
* @param chain the peer certificate chain
* @param authType the key exchange algorithm used
* @throws IllegalArgumentException if null or zero-length chain
* is passed in for the chain parameter or if null or zero-length
* string is passed in for the authType parameter
* @throws CertificateException if the certificate chain is not trusted
* by this TrustManager.
*/
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException;
/**
* Return an array of certificate authority certificates
* which are trusted for authenticating peers.
*
* @return a non-null (possibly empty) array of acceptable
* CA issuer certificates.
*/
public X509Certificate[] getAcceptedIssuers();
}
证书信任管理器(用于https请求) 。
在JSSE中,证书信任管理器类就是实现了接口X509TrustManager的类。我们可以自己实现该接口,让它信任我们指定的证书。
接口X509TrustManager有下述三个公有的方法需要我们实现:
1.checkClientTrusted
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException
该方法检查客户端的证书,若不信任该证书则抛出异常。由于我们不需要对客户端进行认证,因此我们只需要执行默认的信任管理器的这个方法。JSSE中,默认的信任管理器类为TrustManager。
2.checkServerTrusted
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException
该方法检查服务器的证书,若不信任该证书同样抛出异常。通过自己实现该方法,可以使之信任我们指定的任何证书。在实现该方法时,也可以简单的不做任何处理,即一个空的函数体,由于不会抛出异常,它就会信任任何证书。
3.getAcceptedIssuers
public X509Certificate[] getAcceptedIssuers()
返回受信任的X509证书数组。
返回证书颁发机构的证书的数组,它们被信任用于验证对等方的身份。
返回:可接受的 CA 发行者的证书的数组,非 null(可能为空)。
自己实现了信任管理器类,如何使用呢?HttpsURLConnection类似乎并没有提供方法设置信任管理器。其实,HttpsURLConnection通过SSLSocket来建立与HTTPS的安全连接,SSLSocket对象是由SSLSocketFactory生成的。SSLSocketFactory通过SSLContext对象来获得,在初始化SSLContext对象时,可以指定信任管理器对象。HttpsURLConnection提供了方法setSSLSocketFactory(SSLSocketFactory)设置它使用的SSLSocketFactory对象。
假设自己实现的X509TrustManager类的类名为:MyX509TrustManager,下面的代码片断说明了如何使用MyX509TrustManager:
//创建SSLContext对象,并使用我们指定的信任管理器初始化
TrustManager[] tm = {new MyX509TrustManager ()};
SSLContext sslContext = SSLContext.getInstance("SSL","SunJSSE");
sslContext.init(null, tm, new java.security.SecureRandom());
//从上述SSLContext对象中得到SSLSocketFactory对象
SSLSocketFactory ssf = sslContext.getSocketFactory();
//创建HttpsURLConnection对象,并设置其SSLSocketFactory对象
HttpsURLConnection httpsConn = (HttpsURLConnection)myURL.openConnection();
httpsConn.setSSLSocketFactory(ssf);
这样,HttpsURLConnection对象就可以正常连接HTTPS了,无论其证书是否经权威机构的验证,只要实现了X509TrustManager接口的类MyX509TrustManager信任该证书即可。
参考:
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocketFactory.html
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/HostnameVerifier.html
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/TrustManager.html
CertPathValidatorException: Trust anchor for certification path not found解决方法
android https 证书报错 CertPathValidatorException: Trust anchor for certification path not found
Android: CertPathValidatorException: Trust anchor for certification path not found
Trust anchor for certification path not found.问题解决(关于okhttputils的BUG)
okhttp使用https报 Trust anchor for certification path not found解决办法
Trust anchor for certification path not found异常解决方法
X509证书结构及解析
【漏洞修复】自定义实现的X509TrustManager子类中…
证书信任管理器(用于https请求) X509TrustManager
HostnameVerifier vs TrustManager?
自签证书 doesn’t match any of the subject alternative names
报错 No subject alternative names matching IP address
What is the SSL Certificate Subject Alternative Name?
http、https 协议运行过程 公钥私钥,证书存放位置,传递证书,(非)对称加密。
SSL/TLS证书的最长有效期现在是一年
SSL和TLS证书有效期设置为一年
「公告」9月1日起,TrustAsia品牌SSL证书最长有效期变更为一年
AWS Certificate Manager
AWS Certificate Manager 常见问题
阿里云SSL证书服务:https://help.aliyun.com/product/28533.html