您可以在这篇Google Help Center文章中找到更多关于TrustManager的信息。
HostnameVerifier
您的应用程序正在使用HostnameVerifier接口的不安全实现。您可以在这篇Google Help Center文章中找到关于如何解决该问题的更多信息。
这是我的代码:
public class HttpsTrustManager implements X509TrustManager{
private static TrustManager[] trustManagers;
private static final X509Certificate[] _AcceptedIssuers = new X509Certificate[]{};
private X509Certificate[] x509Certificates;
@Override
public void checkClientTrusted(
java.security.cert.X509Certificate[] x509Certificates, String s)
throws CertificateException {
}
@Override
public void checkServerTrusted(
java.security.cert.X509Certificate[] x509Certificates, String s)
throws CertificateException {
}
public boolean isClientTrusted(X509Certificate[] chain) {
return true;
}
public boolean isServerTrusted(X509Certificate[] chain) {
return true;
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return _AcceptedIssuers;
}
public static void allowAllSSL() {
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
});
SSLContext context = null;
if (trustManagers == null) {
trustManagers = new TrustManager[]{new HttpsTrustManager()};
}
try {
context = SSLContext.getInstance("TLS");
context.init(null, trustManagers, new SecureRandom());
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
}
HttpsURLConnection.setDefaultSSLSocketFactory(context
.getSocketFactory());
}
}
我希望你能帮助我。谢谢你。
在您的代码中,您只是信任所有的东西。这是不安全的。正如谷歌所说,你应该判断证书并提出一个异常。像这样,
@override public void checkServerTrusted(java.security.cert.x509Certifice[]x509Certificates,String s)引发CertificateException{
// do some check here if the x509Certificates not valid just raise an CertificateException exception.
// this will check the certificate
if(!checkTheHostName(x509Certificates[0]){
throw new CertificateException("the certificate is invalid ...");
}
}
private boolean checkTheHostName(Certificate certificate,String hostName){
return OkHostnameVerifier.INSTANCE.verify("www.yourhostname.com",certificate)
}
the OkHostnameVerifier's code, just in
https://android.googlesource.com/platform/external/okhttp/+/e82a796/src/main/java/com/squareup/okhttp/internal/tls/OkHostnameVerifier.java
和代码
@Override
public boolean verify(String hostName, SSLSession session) {
// here you should check the hostName, through session
// do not just return true here, cause it's not safe. like man-in-middle-attack
Certificate[] certificates = session.getPeerCertificates();
return verify(host, (X509Certificate) certificates[0]);
}
