关于SSL握手的错误解决

问题描述

  在公司的项目中遇到个比较烦人的错误,牢骚就不多说了,下面我们直接步入正题。主要因为在进行利用Okhttp访问图片的时候出现的问题,这里的图片是用Glide加载,当然Glide也是用Okhttp注册过的,具体方法去了解Glide.register()方法,那么这里出现SSL握手错误的原因到底在哪?为了解决这个问题,我搜集了一些解决方案和原因,就都罗列到下面了。

Tips:下面的方案仅适用于安卓移动端,其他开发人员请酌情参考

错误日志

  这是出现SSL握手出现错误的主要日志,如果你也报了类似下面的错误,那么后面解决方案可能就很适合你

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
	at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:219)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:302)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:270)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:162)
	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
	at okhttp3.RealCall.execute(RealCall.java:77)
	at hik.business.ga.common.imageloader.OkHttpStreamFetcher.loadData(OkHttpStreamFetcher.java:63)
	at hik.business.ga.common.imageloader.OkHttpStreamFetcher.loadData(OkHttpStreamFetcher.java:36)
	at com.bumptech.glide.load.model.ImageVideoModelLoader$ImageVideoFetcher.loadData(ImageVideoModelLoader.java:70)
	at com.bumptech.glide.load.model.ImageVideoModelLoader$ImageVideoFetcher.loadData(ImageVideoModelLoader.java:53)
	at com.bumptech.glide.load.engine.DecodeJob.decodeSource(DecodeJob.java:170)
	at com.bumptech.glide.load.engine.DecodeJob.decodeFromSource(DecodeJob.java:128)
	at com.bumptech.glide.load.engine.EngineRunnable.decodeFromSource(EngineRunnable.java:127)
	at com.bumptech.glide.load.engine.EngineRunnable.decode(EngineRunnable.java:106)
	at com.bumptech.glide.load.engine.EngineRunnable.run(EngineRunnable.java:58)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:457)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
	at java.lang.Thread.run(Thread.java:784)
	at com.bumptech.glide.load.engine.executor.FifoPriorityThreadPoolExecutor$DefaultThreadFactory$1.run(FifoPriorityThreadPoolExecutor.java:118)
原因1:Https访问,但证书过期

  如果是利用https进行访问,但出现了报错很大的原因就是因为证书已经过期,那么对于这种情况,我们可以有下面几步的解决方案。

  解决方案1:更新证书

  询问或者查看服务器端的证书是否过期,如果过期了,那么服务器有没有重新申请证书进行验证。所以第一个解决方案就是让服务器端申请证书进行验证。

  解决方案2:更新测试机时间

  如果解决方案1那里没有什么问题,这时候就需要看看你的测试机时间是不是不太对劲。就是时间比证书提交的时间早,那么就有很大可能出现这个错误,所以这里把时间更新就行。

  解决方案3:信任所有证书

  说起来作为移动开发人员实在是不太想用到第三个解决方案,这在一定程度上代表了无奈和妥协,那就是无条件信任或者说是忽略掉所有的证书,这样自然就访问通过,都不需要握手就过了,但其实也在一定程度上使https协议和http没有丝毫差别,毕竟连SSL的边都不用擦,废话不多说,信任所有证书的方法附上:

  简单版:
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
 
 
public class AllowX509TrustManager implements X509TrustManager {
 
    private static TrustManager[] trustManagers;
    private static final X509Certificate[] _AcceptedIssuers = new
            X509Certificate[] {};
 
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
 
    }
 
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
 
    }
 
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return _AcceptedIssuers;
    }
 
    public boolean isClientTrusted(X509Certificate[] chain) {
        return true;
    }
 
    public boolean isServerTrusted(X509Certificate[] chain) {
        return true;
    }
 
    public static void allowAllSSL() {
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
 
            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                // TODO Auto-generated method stub
                return true;
            }
 
        });
 
        SSLContext context = null;
        if (trustManagers == null) {
            trustManagers = new TrustManager[] { new AllowX509TrustManager() };
        }
        try {
            context = SSLContext.getInstance("SSL");
            context.init(null, trustManagers, new SecureRandom());
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        }
 
        HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
    }
}

  如上在Appliaction中调用这个类的allowAllSSL()方法,也就是调用AllowX509TrustManager.allowAllSSL();就会在这个Appliaction中建立信任。

  Okhttp配合版:
 private OkHttpClient getHttpsClient() {
        OkHttpClient.Builder okhttpClient = new OkHttpClient().newBuilder();
        //信任所有服务器地址
        okhttpClient.hostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String s, SSLSession sslSession) {
                //设置为true
                return true;
            }
        });
        //创建管理器
        TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
            @Override
            public void checkClientTrusted(
                    java.security.cert.X509Certificate[] x509Certificates,
                    String s) throws java.security.cert.CertificateException {
            }

            @Override
            public void checkServerTrusted(
                    java.security.cert.X509Certificate[] x509Certificates,
                    String s) throws java.security.cert.CertificateException {
            }

            @Override
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return new java.security.cert.X509Certificate[] {};
            }
        } };
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());

            //为OkHttpClient设置sslSocketFactory
            okhttpClient.sslSocketFactory(sslContext.getSocketFactory());

        } catch (Exception e) {
            e.printStackTrace();
        }

        return okhttpClient.build();
    }

其中关于添加sslSocketFactory这个方法在Okhttp新版本里的写法是:

okhttpClient.sslSocketFactory(sslContext.getSocketFactory(),trustAllCerts);
  解决方案4:更新证书信任

  看到这里,你应该还是比较喜欢挑战的一个程序小伙,那么我只好将失传已久的更新证书的方法告诉尔等,望各位好生珍惜。这里其实是基于你已经拿到证书了,那么你只是忘了更新,很简单,这里把它跟新上就行。
  将证书文件放置在assets目录(或者其他能读取到证书的目录),在创建OkhttpClient对象时sslSocketFactory()将该证书信息添加。仅仅信任你更新的证书就行,这样https还是我们熟悉的样子。

private SSLContext getSLLContext() {
        SSLContext sslContext = null;
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            InputStream certificate = mContext.getAssets().open("jiuge-j1.crt");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null);
            String certificateAlias = Integer.toString(0);
            keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
            sslContext = SSLContext.getInstance("TLS");
            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        }
        return sslContext;
    }
    

使用Okhttp时进行设置就行

OkHttpClient httpClient = new OkHttpClient().newBuilder()
                .sslSocketFactory(getSLLContext().getSocketFactory())
                .build();

同样在Okhttp新版本里的写法是,当然这里你需要参考解决方法3,创建管理器trustAllCerts:

okhttpClient.sslSocketFactory(getSLLContext().getSocketFactory(),trustAllCerts);

这里的方法仅仅适用于Okhttp,如果是其他情况可用参考下面两篇文章
为你的android App实现自签名的ssl证书(https)
android https遇到自签名证书/信任证书

原因2:利用Http访问,但服务端却是需要https验证

  这个原因没错就是我导致错误的主要原因之一,因为是使用http进行访问,却报了个SSL的握手错误,这让我沉思了许久。因为http它就没用到SSL协议啊,最终发现是服务器端返回的链接中是夹带ssl证书的,且在服务器端需要进行一个ssl校验,也就是是不管怎么样,我服务器就是要https,其他什么都不行,于是这里我迫于淫威,将所有的http访问变成的https进行访问,当然有一部分原因是因为公司网络环境比较特殊,这里就不予赘述,然后添加上了所有证书信任就可以了。

那么到此就是对SSL访问的一些原因分析和解决方案,希望能给诸君带来收获。

评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值