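Did Android change its SSL configuration in API 24?

When my Android 23 project tries to connect to my server over HTTPS, everything works fine.

If I switch the target SDK to 24, I get the following error: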

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
     at android.net.SSLCertificateSocketFactory.verifyHostname(SSLCertificateSocketFactory.java:198)
     at android.net.SSLCertificateSocketFactory.createSocket(SSLCertificateSocketFactory.java:443)
     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:394)
     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:170)
     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:366)
     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:560)
     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:492)
     at com.worklight.wlclient.WLRequestSender.run(WLRequestSender.java:47)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
     at java.lang.Thread.run(Thread.java:761)
 Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
     at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:563)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:444)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:508)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:508)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401)
     at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375)
     at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304)
     at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
     at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
     at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178)
     at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596)
     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
    ... 13 more
 Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

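Switching back to 23, it works again.
Has anything changed in 24 regarding the minimum requirements for certificates?

Solution

If your targetSdkVersion is 24, then by default, certificates installed by the user through the Settings app are not incorporated on Android 7.0:

By default secure (e.g. TLS, HTTPS) connections from all apps trust the pre-installed system CAs, and apps targeting API level 23 (Android M) and below also trust the user-added CA store by default.

(from the network security configuration docs)

To resolve this, you need to define a network security configuration XML resource: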

<?xml version="1.0" encoding="utf-8"?>

<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>

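Then point to that XML resource from the android:networkSecurityConfig attribute of the <application> element in the manifest.

In general, Android 7.0 routes HTTPS through the network security configuration subsystem (android.security.net.config.RootTrustManager and kin from your stack trace). There may be other compatibility issues introduced here that are tied to targetSdkVersion. So, if the lack of user certificates is not your problem, and you can create a sample project that reproduces the problem, file an issue. Since I maintain a backport of that stuff, I will be interested in hearing about any bugs.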
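
An added example, not part of the original answer: a small Python check that reports which scopes of a network security configuration trust the user-added CA store, so a build review can tell whether that trust reaches release builds. The first sample is the configuration from the answer; the `debug-overrides` variant and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The configuration from the answer above: user CAs trusted for all traffic.
PAGE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed variant: user CAs trusted only when the app is debuggable.
DEBUG_ONLY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""


def user_ca_scopes(xml_text):
    """Return (scope, domains) for each scope whose trust anchors include user CAs."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    scopes = []
    for elem in root.iter():
        if elem.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        anchors = elem.find("trust-anchors")  # direct child only
        if anchors is None:
            continue  # no own anchors: this scope inherits from its parent
        if any(c.get("src") == "user" for c in anchors.findall("certificates")):
            domains = [d.text.strip() for d in elem.findall("domain") if d.text]
            scopes.append((elem.tag, domains))
    return scopes


def ships_user_trust_in_release(xml_text):
    """True if any scope other than debug-overrides trusts user-added CAs."""
    return any(tag != "debug-overrides" for tag, _ in user_ca_scopes(xml_text))


if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("debug-only", DEBUG_ONLY_CONFIG)):
        print(name, user_ca_scopes(cfg), ships_user_trust_in_release(cfg))
```

`debug-overrides` applies only when the app is built with android:debuggable="true", so the second configuration keeps release builds on the system CA store.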
