Problem description
I work for a company that uses a Comodo/Sectigo SSL certificate. But suddenly our app started throwing this error when sending POST to the server, in versions with Android 4 and 5, with the OkHttp client.
HTTP FAILED: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Sat May 30 05:48:38 CDT 2020 (compared to Mon Jun 08 23:13:02 CDT 2020)
I tried many StackOverflow solutions, without success. Then I found this cross-sign certificates warning on the Comodo blog.
I tried a few more things to get my okhttp client to trust the certificate (enabled TLS on Socket, added Modern TLS, TLS Versions and cipher Suites to connection Specs in okhttp builder, adding the cert to the raw resources, also I put a custom SslSocketFactory to the client) but none of this works; it always throws me an error related to certificate validity or a handshake exception.
The only thing that has worked for me is to make an unsafe okhttp, but obviously its use in production is not recommended.
The app works fine on Android > 5, but we still have some users on Android 5 and even 4 who cannot use the app due to this problem. Is there still any way to make Android <= 5 trust this expired root?
Thanks for your help.
Recommended answer
This should hopefully fix the issue if the certificates are otherwise valid.
In your build file
implementation 'org.conscrypt:conscrypt-android:2.5.1'
And activate Conscrypt before your request
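import java.security.Security
import okhttp3.OkHttpClient
import okhttp3.Request
import org.conscrypt.Conscrypt

// Install Conscrypt as the highest-priority security provider before any TLS connection is made
Security.insertProviderAt(Conscrypt.newProvider(), 1)

val client = OkHttpClient.Builder().build()
val request = Request.Builder().url("https://status.datadoghq.com/").build()
client.newCall(request).execute().use { response ->
    println(response.code())
}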
If it's still failing after this then you might need to register a custom certificate as well, but test without this first.
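One way to register a custom certificate without falling back to an "unsafe" client is sketched below; this is an added example, not code from the answer or from OkHttp. The function name, the key store alias, and the idea of shipping the CA certificate in the app (for instance in res/raw) are assumptions.

```kotlin
import java.io.InputStream
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

// Hypothetical helper. caStream is a PEM or DER stream of a still-valid CA certificate
// that the server's chain terminates at, e.g. opened from a raw resource bundled with the app.
fun clientTrustingBundledCa(caStream: InputStream): OkHttpClient {
    val ca = caStream.use {
        CertificateFactory.getInstance("X.509").generateCertificate(it) as X509Certificate
    }
    // Fail early if the bundled anchor is itself expired or not yet valid.
    ca.checkValidity()

    // Key store that contains only the bundled CA as a trust anchor.
    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)
        setCertificateEntry("bundled-ca", ca) // alias is arbitrary
    }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(keyStore)
    val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()

    // Chain and hostname validation stay enabled; only the set of trust anchors changes.
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(null, arrayOf<TrustManager>(trustManager), null)

    return OkHttpClient.Builder()
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        .build()
}
```

A client built this way accepts only servers whose chain ends at the bundled CA, so use it for your own backend rather than as a general-purpose client.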