Disclaimer: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/30745342/
javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:
Asked by CROSP
I am trying to use an HTTPS connection with a self-signed certificate.
I have followed the steps for creating a self-signed certificate as described here - Creating Self-signed certificate.
Everything works fine, even in the browser; it only shows me a message that my certificate is signed by an unknown CA.
But I had a problem with my FQDN (server name doesn't match) in the certificate, because I set an incorrect name while generating the certificate.
I have regenerated it and now there is no such error.
I need to use my server certificate from a mobile Android client. I have found a great article about this problem - Use Retrofit with a self-signed or unknown SSL certificate in Android. I have followed all the steps, but unfortunately I get an error (exception).
javax.net.ssl.SSLPeerUnverifiedException: Hostname 195.xx.xx.xx not verified:
certificate: sha1/qvH7lFeijE/ZXxNHI0B/M+AU/aA=
DN: 1.2.840.113549.1.9.1=#160e63726f73704078616b65702e7275,CN=195.xx.xx.xx,OU=Departament of Development,O=CROSP Solutions,L=Chernihiv,ST=Chernihiv,C=UA
subjectAltNames: []
at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:124)
As you can see, the hostnames are the same, but the error is still present.
Please help me deal with this problem, I will be grateful for any help.
Thank you.
PSEUDO-SOLUTION
Of course I searched before and found the HostName Verifier Solution.
I have tried it, and it works. But is it OK to use this workaround? I added the certificate into my app in order to read it dynamically as in the prior example; is it still being used in this case?
The solution with OkHttp is one line (if you followed all the steps in the tutorial).
okHttpClient.setHostnameVerifier(new NullHostNameVerifier());
But I still feel that it is not the best solution. Any thoughts?
Accepted answer by ZhongYu
Interestingly, if the request host is an IP, the "CN" is not used to match it; instead,
http://tools.ietf.org/html/rfc2818#section-3.1
"the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI"
If you use Java's keytool, it can be done with
keytool -genkeypair -ext SAN=IP:195.xx.xx.xx ........
NullHostNameVerifier is also OK for your use case. Your client is trusting only one certificate; as long as the connection uses that certificate, you are secure; the host name doesn't matter here.
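Added example (not part of the question or of either answer): a small Python model of the server-identity rule ZhongYu cites. It treats an IP literal in the URL as matching only an iPAddress subjectAltName, and for DNS names it checks dNSName SANs first and falls back to the CN only when the certificate carries no SAN at all, which is why a CN that spells out the IP did nothing for the certificate in the question. The `Cert` record, the address 203.0.113.10 (standing in for the 195.xx.xx.xx in the stack trace) and the hostnames are constructed; a real client reads these fields out of the X.509 certificate. The null verifier from the PSEUDO-SOLUTION is included for contrast.

```python
"""Model of the TLS server-identity check (RFC 2818 section 3.1 / RFC 6125).
Added example; not OkHttp's implementation. All certificate fields are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Identity fields of a server certificate (constructed stand-in; a real
    client parses these out of the X.509 DER)."""
    cn: Optional[str] = None
    dns_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


def _as_ip(text: str) -> Optional[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Return the address if text is an IPv4/IPv6 literal (URL brackets allowed), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName/CN pattern against a DNS host name, case-insensitively.
    A wildcard covers exactly one leftmost label: *.example.com matches
    api.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def verify_hostname(host: str, cert: Cert) -> Tuple[bool, str]:
    """Decide whether cert is valid for host; returns (ok, reason)."""
    want = _as_ip(host)
    if want is not None:
        # RFC 2818 section 3.1: for an IP in the URI only an iPAddress SAN counts.
        # The CN is never consulted, even when it spells out the same IP.
        for san in cert.ip_sans:
            if _as_ip(san) == want:  # address comparison, so IPv6 spellings normalise
                return True, f"iPAddress SAN {san} matches"
        return False, "no iPAddress SAN matches; CN is not consulted for IP hosts"
    # DNS host: dNSName SANs take precedence. The CN is a legacy fallback
    # used only when the certificate has no dNSName SAN at all.
    for san in cert.dns_sans:
        if _dns_match(san, host):
            return True, f"dNSName SAN {san} matches"
    if cert.dns_sans:
        return False, "dNSName SANs present but none match; CN ignored"
    if cert.cn and _dns_match(cert.cn, host):
        return True, f"CN {cert.cn} matches (certificate has no SAN)"
    return False, "no SAN and CN does not match"


def null_verifier(host: str, cert: Cert) -> Tuple[bool, str]:
    """The NullHostNameVerifier workaround: every host name is accepted."""
    return True, "hostname not checked"


# Constructed certificates mirroring the question; 203.0.113.10 stands in for 195.xx.xx.xx.
QUESTION_CERT = Cert(cn="203.0.113.10")                          # subjectAltNames: []
FIXED_CERT = Cert(cn="203.0.113.10", ip_sans=["203.0.113.10"])   # keytool -ext SAN=IP:203.0.113.10


def main() -> None:
    for label, cert in (("question cert", QUESTION_CERT), ("regenerated cert", FIXED_CERT)):
        ok, why = verify_hostname("203.0.113.10", cert)
        print(f"{label:16} -> {'verified' if ok else 'NOT verified'}: {why}")
    ok, why = null_verifier("203.0.113.10", QUESTION_CERT)
    print(f"{'null verifier':16} -> {'verified' if ok else 'NOT verified'}: {why}")


if __name__ == "__main__":
    main()
```

Running the module shows the certificate from the question failing and the regenerated one (what the `keytool -ext SAN=IP:...` command above produces) passing. The null verifier is only as safe as ZhongYu's premise: the trust store must contain exactly the one pinned certificate. If the app later trusts a CA instead, a null verifier lets any certificate issued by that CA stand in for any host.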
Answer by Praba
Self-signed certificates are ideally for development only. You can't go live with one because, as you know, it's not verified; apps and browsers won't trust you without a CA approving you.
So, this is not a 'solution' for your live app, but only a way to test whether it works (and it will work with a valid cert, if and when you get one). Because you're allowing all hostnames (or, at the least, hardcoded hostnames if you restrict it to a few), and both are bad.
Do you plan on having to use a self-signed cert in your live app too?