OkHttp javax.net.ssl.SSLPeerUnverifiedException: Hostname domain.com not verified

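I've been struggling to get this working. I'm trying to connect to my server over https using a self-signed certificate. I don't think there is any page or example left by now.

What I have done:

> Created a bks keystore following this tutorial: http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.html

It uses openssl s_client -connect domain.com:443 to get the certificate from the server. Then it creates a bks keystore using Bouncy Castle.

> Read the created keystore from the raw folder, add it to an sslfactory, and then add that to the OkHttpClient. Like this: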

public ApiService() {
    mClient = new OkHttpClient();
    mClient.setConnectTimeout(TIMEOUT_SECONDS, TimeUnit.SECONDS);
    mClient.setReadTimeout(TIMEOUT_SECONDS, TimeUnit.SECONDS);
    mClient.setCache(getCache());
    mClient.setCertificatePinner(getPinnedCerts());
    mClient.setSslSocketFactory(getSSL());
}

protected SSLSocketFactory getSSL() {
    try {
        // Load the BKS trust store from res/raw; it holds the server's self-signed certificate.
        KeyStore trusted = KeyStore.getInstance("BKS");
        InputStream in = Beadict.getAppContext().getResources().openRawResource(R.raw.mytruststore);
        try {
            trusted.load(in, "pwd".toCharArray());
        } finally {
            in.close(); // the raw resource stream was never closed in the original snippet
        }
        // Trust managers built from this store trust only the certificates it contains.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trusted);
        sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    } catch(Exception e) {
        e.printStackTrace();
    }
    return null;
}

public CertificatePinner getPinnedCerts() {
    return new CertificatePinner.Builder()
            .add("domain.com", "sha1/theSha=")
            .build();
}

> For some reason this always generates an SSLPeerUnverifiedException, with or without the keystore. With or without the CertificatePinner.

javax.net.ssl.SSLPeerUnverifiedException: Hostname domain.com not verified: 0         
 W/System.err﹕ certificate: sha1/theSha=
 W/System.err﹕ DN: 1.2.840.113549.1.9.1=#1610696e666f40626561646963742e636f6d,CN=http://domain.com,OU=development,O=domain,L=Valencia,ST=Valencia,C=ES
 W/System.err﹕ subjectAltNames: []
 W/System.err﹕ at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:124)
 W/System.err﹕ at com.squareup.okhttp.Connection.connect(Connection.java:143)
 W/System.err﹕ at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:185)
 W/System.err﹕ at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128)
 W/System.err﹕ at com.squareup.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341)
 W/System.err﹕ at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330)
 W/System.err﹕ at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
 W/System.err﹕ at com.squareup.okhttp.Call.getResponse(Call.java:273)
 W/System.err﹕ at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:230)
 W/System.err﹕ at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:201)
 W/System.err﹕ at com.squareup.okhttp.Call.execute(Call.java:81)
 ...

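What exactly am I doing wrong?

Solution:

I had the same problem, but I needed my application to work in several staging environments, all of which have self-signed certificates. To make matters worse, they can change those certificates on the fly.

To fix this, when connecting to staging only, I added an SSLSocketFactory that trusts all certificates. This fixed the java error, but it left me with the okhttp exception mentioned in this ticket.

To avoid this error, I needed to add a customization to the okHttpClient. This fixed the error for me.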

okHttpClient.setHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Accepts every hostname: the certificate's names are never compared with the host.
        return true;
    }
});
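
A narrower form of the verifier above, as an added example that is not part of the original answer: it runs a strict hostname check first, prints the certificate's DN and subjectAltNames when that check fails (the log in the question shows CN=http://domain.com and an empty subjectAltNames list, which cannot match domain.com), and skips the name check only for explicitly listed staging hosts. The class name, the `strict` delegate and the host list are assumptions; on Android the delegate is assumed to be `HttpsURLConnection.getDefaultHostnameVerifier()`.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added example (hypothetical class). Usage with the call from the answer:
//   okHttpClient.setHostnameVerifier(new StagingHostnameVerifier(strict, stagingHosts));
public final class StagingHostnameVerifier implements HostnameVerifier {
    private final HostnameVerifier strict;   // assumption: a verifier that really checks names
    private final Set<String> stagingHosts;  // assumption: exact lower-case staging hostnames

    public StagingHostnameVerifier(HostnameVerifier strict, Set<String> stagingHosts) {
        this.strict = strict;
        this.stagingHosts = stagingHosts;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (strict.verify(hostname, session)) {
            return true; // the certificate's names match the host: normal path
        }
        // Make the mismatch visible instead of silently accepting or rejecting.
        System.err.println("Hostname " + hostname + " not verified; " + describe(session));
        // Only listed staging hosts skip the name check; every other host fails closed.
        return stagingHosts.contains(hostname.toLowerCase(Locale.US));
    }

    // Lists the leaf certificate's subject DN and SAN entries, so a CN such as
    // "http://domain.com" or a missing SAN extension shows up in the log.
    static String describe(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (!(chain[0] instanceof X509Certificate)) {
                return "peer certificate is not X.509";
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            Object sans = leaf.getSubjectAlternativeNames(); // null when the extension is absent
            return "DN=" + leaf.getSubjectX500Principal().getName()
                    + ", subjectAltNames=" + (sans == null ? "[]" : sans);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return "certificate names unavailable (" + e.getMessage() + ")";
        }
    }
}
```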