应用与服务端的交互方式采用https,证书是自制的并非权威机构颁发,在联调时移动端并未导入证书也没做什么设置或修改,但所有https请求都正常处理了没有被拦截,请问Android版的SDK对于所有https证书是跳过系统检验一律放行吗?
木子喵
- 发布:2016-10-25 11:52
- 更新:2016-12-29 15:04
- 阅读:3385
最佳回复
WebView加载https地址时,会以下处理。
5+ 应用配置文件 manifest.json中在plus节点添加ssl节点,
比如"ssl":{"untrustedca": "allow|warning|refuse"},
allow表示允许https请求,
warning表示会进行弹窗提示,
refuse表示拒绝https请求
注,上传、下载、5+ Ajax等网络请求也会根据ssl节点值进行处理,唯一区别是warning时会使用系统浏览器安全策略。
木子喵 (作者)
按照@DCloud_Android_磊子 所说的我在manifest.json中配置了"ssl":{"untrustedca":"warning"},此时通过mui.ajax返回失败,打出失败原因为“ CertPathValidatorException: Trust anchor for certification path not found”,因为我们的证书是自己做的,所以这样的结果在预期之内,查询解决办法如下:
http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https/6378872#6378872
文中提到的解决方案为:
1.Trust all certificates. Don't do this, unless you really know what you're doing.
2.Create a custom SSLSocketFactory that trusts only your certificate. This works as long as you know exactly which servers you're going to connect to, but as soon as you need to connect to a new server with a different SSL certificate, you'll need to update your app.
3.Create a keystore file that contains Android's "master list" of certificates, then add your own. If any of those certs expire down the road, you are responsible for updating them in your app. I can't think of a reason to do this.
4.Create a custom SSLSocketFactory that uses the built-in certificate KeyStore, but falls back on an alternate KeyStore for anything that fails to verify with the default.
This answer uses solution #4, which seems to me to be the most robust.
推荐的第四种是自己创建一个SSLSocketFactory,请问我使用基座是封装好的,要怎么处理这一环节呢?
谢谢
Liao2012
默认allow允许https请求? 还需要native层做SSL证书安装和双向认证吗?
2016-11-05 11:28
Android_磊子
目前5+没有支持证书安装功能,以及双向认证;日后开发者可以通过离线打包自行处理。
2016-11-07 18:19
木子喵 (作者)
回复 Android_磊子:请问“开发者可以通过离线打包自行处理”具体的方法是什么呢?
2016-12-29 13:38