木子喵
  • Published: 2016-10-25 11:52
  • Updated: 2016-12-29 15:04
  • Views: 3546

Self-made SSL certificate is not blocked on the Android platform

Category: 5+ SDK

The app talks to the server over https. The certificate is self-made rather than issued by a recognized authority. During integration testing the mobile side did not import the certificate and made no settings or changes of any kind, yet every https request was processed normally and none was blocked. Does the Android version of the SDK skip the system check and let all https certificates through?

2016-10-25 11:52  Assignee: none

Best reply

Android_磊子

When the WebView loads an https address, it is handled as follows.
In the 5+ app configuration file manifest.json, add an ssl node under the plus node,
for example "ssl":{"untrustedca": "allow|warning|refuse"}:
allow means the https request is permitted,
warning means a pop-up prompt is shown,
refuse means the https request is rejected.
Note: upload, download, 5+ Ajax and other network requests are also handled according to the value of the ssl node; the only difference is that with warning they use the system browser's security policy.

  • Liao2012

Is the default allow, permitting https requests? Is it still necessary to install the SSL certificate and do mutual authentication in the native layer?

    2016-11-05 11:28

  • Android_磊子

5+ currently does not support certificate installation or mutual authentication; in the future developers can handle this themselves through offline packaging.

    2016-11-07 18:19

  • 木子喵 (author)

Reply to Android_磊子: What specifically is the method behind "developers can handle this themselves through offline packaging"?

    2016-12-29 13:38

木子喵 (author)

Following what @DCloud_Android_磊子 said, I configured "ssl":{"untrustedca":"warning"} in manifest.json. With that, mui.ajax returns a failure, and the printed reason is "CertPathValidatorException: Trust anchor for certification path not found". Since our certificate is self-made, this result was expected. I looked up a solution and found the following:
http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https/6378872#6378872
The solutions mentioned in that post are:
1.Trust all certificates. Don't do this, unless you really know what you're doing.
2.Create a custom SSLSocketFactory that trusts only your certificate. This works as long as you know exactly which servers you're going to connect to, but as soon as you need to connect to a new server with a different SSL certificate, you'll need to update your app.
3.Create a keystore file that contains Android's "master list" of certificates, then add your own. If any of those certs expire down the road, you are responsible for updating them in your app. I can't think of a reason to do this.
4.Create a custom SSLSocketFactory that uses the built-in certificate KeyStore, but falls back on an alternate KeyStore for anything that fails to verify with the default.
This answer uses solution #4, which seems to me to be the most robust.

The recommended fourth option is to create your own SSLSocketFactory. Since the base I am using is pre-packaged, how do I handle this step?

Thanks
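Option #4 from the quoted answer, written out as an added example in plain Android Java. This is not code from the 5+ SDK, DCloud or the original post; it is what the "handle it yourself through offline packaging" reply points at, i.e. native code you would add to your own offline-packaged app, since the pre-built base exposes no hook for it. The chain is verified against the platform trust store first and, only if that fails, against a single bundled private CA. The class and method names are my own, and the PEM stream is assumed to come from a file such as assets/private-ca.pem opened through the app's AssetManager.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Option #4 from the quoted Stack Overflow answer, as an illustration:
 * verify against the platform trust store first and fall back to one
 * bundled private CA. Plain Android/Java, not part of the 5+ SDK.
 */
public final class FallbackTrust {

    /** Builds an SSLSocketFactory that trusts the system CAs plus one bundled CA. */
    public static SSLSocketFactory socketFactory(InputStream caPem) throws Exception {
        X509TrustManager system = trustManagerFor(null);              // platform "master list"
        X509TrustManager bundled = trustManagerFor(keyStoreWith(caPem)); // only our CA

        TrustManager[] composite = { new CompositeTrustManager(system, bundled) };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, composite, null);
        return ctx.getSocketFactory();
    }

    /** A KeyStore holding only the one CA read from a PEM stream (assumed: app assets). */
    static KeyStore keyStoreWith(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caPem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                        // fresh, empty, unencrypted store
        ks.setCertificateEntry("private-ca", ca);
        return ks;
    }

    /** The platform's X509TrustManager for the given store (null = system default). */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Tries the system trust manager first; on rejection, the bundled-CA one. */
    static final class CompositeTrustManager implements X509TrustManager {
        private final X509TrustManager primary;
        private final X509TrustManager fallback;

        CompositeTrustManager(X509TrustManager primary, X509TrustManager fallback) {
            this.primary = primary;
            this.fallback = fallback;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            try {
                primary.checkServerTrusted(chain, authType);
            } catch (CertificateException systemRejected) {
                // The "Trust anchor for certification path not found" case:
                // re-check the same chain against the private CA only.
                fallback.checkServerTrusted(chain, authType);
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            primary.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            X509Certificate[] a = primary.getAcceptedIssuers();
            X509Certificate[] b = fallback.getAcceptedIssuers();
            X509Certificate[] all = new X509Certificate[a.length + b.length];
            System.arraycopy(a, 0, all, 0, a.length);
            System.arraycopy(b, 0, all, a.length, b.length);
            return all;
        }
    }

    /** Usage: attach the factory to one connection; the default HostnameVerifier stays. */
    public static HttpsURLConnection open(URL url, InputStream caPem) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(socketFactory(caPem));
        return conn;
    }
}
```

Two caveats a practitioner will want. The default HostnameVerifier of HttpsURLConnection is deliberately left in place, so the server certificate issued by the bundled CA must still carry the server's name; and because the fallback store holds only that one CA, a certificate from any other unknown issuer still fails with the same CertPathValidatorException, which is exactly the property that "untrustedca":"allow" gives up (it amounts to the "trust all certificates" option #1 the quoted answer warns against). When the set of servers is fixed, passing only the bundled trust manager to SSLContext.init, i.e. option #2, is the tighter choice.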

This question has been locked; new replies cannot be added.