【OKHttp】javax.net.ssl. SSLHandshakeException:PKIX path building failed

已于 2022-03-07 15:42:57 修改
阅读量5.9k 收藏
点赞数
文章标签: ssl https 网络协议
于 2022-03-07 15:40:28 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/SportHappy/article/details/123331274
版权

Android异常:java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.android.org.conscrypt.OpenSSLSocketFactoryImpl

web、java项目异常:javax.net.ssl. SSLHandshakeException:PKIX path building failed

以下解决,第一步创建NullHostNameVerifier

package com.malx.signature.network;

import android.annotation.SuppressLint;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

/**
 * @author by maliang on 2021/12/13 17:25
 * #First Created Time:
 * #包名:com.malx.signature
 * class description:用于主机名验证,此不校验允许所有。
 */
public class NullHostNameVerifier implements HostnameVerifier {
    /**
     * Verify that the host name is an acceptable match with
     * the server's authentication scheme.
     *
     * @param hostname the host name
     * @param session  SSLSession used on the connection to host
     * @return true if the host name is acceptable
     */
    @SuppressLint("BadHostnameVerifier")
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}

第二步 :

创建OkHttpClient示例(中间其他配置代码省略...):

import java.net.Proxy;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLContext;
import javax.net.ssl.X509TrustManager;

import okhttp3.HttpUrl;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

...

OkHttpClient.Builder builder = new OkHttpClient.Builder();
...
try {
    X509TrustManager trustManager = new X509TrustManager() {

                /**
                 * Given the partial or complete certificate chain provided by the
                 * peer, build a certificate path to a trusted root and return if
                 * it can be validated and is trusted for client SSL
                 * authentication based on the authentication type.
                 * <p>
                 * The authentication type is determined by the actual certificate
                 * used. For instance, if RSAPublicKey is used, the authType
                 * should be "RSA". Checking is case-sensitive.
                 *
                 * @param chain    the peer certificate chain
                 * @param authType the authentication type based on the client certificate
                 * @throws IllegalArgumentException if null or zero-length chain
                 *                                  is passed in for the chain parameter or if null or zero-length
                 *                                  string is passed in for the  authType parameter
                 * @throws CertificateException     if the certificate chain is not trusted
                 *                                  by this TrustManager.
                 */
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {

                }

                /**
                 * Given the partial or complete certificate chain provided by the
                 * peer, build a certificate path to a trusted root and return if
                 * it can be validated and is trusted for server SSL
                 * authentication based on the authentication type.
                 * <p>
                 * The authentication type is the key exchange algorithm portion
                 * of the cipher suites represented as a String, such as "RSA",
                 * "DHE_DSS". Note: for some exportable cipher suites, the key
                 * exchange algorithm is determined at run time during the
                 * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,
                 * the authType should be RSA_EXPORT when an ephemeral RSA key is
                 * used for the key exchange, and RSA when the key from the server
                 * certificate is used. Checking is case-sensitive.
                 *
                 * @param chain    the peer certificate chain
                 * @param authType the key exchange algorithm used
                 * @throws IllegalArgumentException if null or zero-length chain
                 *                                  is passed in for the chain parameter or if null or zero-length
                 *                                  string is passed in for the  authType parameter
                 * @throws CertificateException     if the certificate chain is not trusted
                 *                                  by this TrustManager.
                 */
                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

                }

                /**
                 * Return an array of certificate authority certificates
                 * which are trusted for authenticating peers.
                 *
                 * @return a non-null (possibly empty) array of acceptable
                 * CA issuer certificates.
                 */
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            };
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, new X509TrustManager[]{trustManager}, new SecureRandom());
            builder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
            builder.hostnameVerifier(new NullHostNameVerifier());
        } catch (IllegalStateException | NoSuchAlgorithmException | KeyManagementException e) {
            e.printStackTrace();
        }
// 不使用代理,防止抓包
builder.proxy(Proxy.NO_PROXY);
// 解决网络java.net.SocketException: Socket closed问题
builder.addNetworkInterceptor(new Interceptor() {
            @NonNull
            @Override
            public Response intercept(@NonNull Chain chain) throws IOException {
                // ("Connection", "keep-alive") close
                Request.Builder newBuilder = chain.request().newBuilder();
                // 这个是默认情况下,如果服务器自定义需要使用自定义方式解决
                newBuilder.addHeader("Connection", "keep-alive")
                        .addHeader("Accept-Charset", "UTF-8");
                Request request = newBuilder.build();
                return chain.proceed(request);
            }
        });
OkHttpClient okHttpClient = builder.build();
...

SportHappy
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
java.net.SocketException: Connection reset 解决方法
09-05
最近纠结致死的一个java报错java.net.SocketException: Connection reset 终于得到解决
关于Androidhttps通讯安全
沃德菠萝
03-20 1106
漏洞描述 对于数字证书相关概念、Android 里 https 通信代码就不再复述了,直接讲问题。缺少相应的安全校验很容易导致中间人攻击,而漏洞的形式主要有以下3种: 自定义X509TrustManager 在使用HttpsURLConnection发起 HTTPS 请求的时候,提供了一个自定义的X509TrustManager,未实现安全校验逻辑,下面片段就是当时新浪微博 sdk 内部
Android 10及以上0khttp跳过SSL证书校验Unable to extract the trust manager javax.net.ssl.SSLHandshakeException:
qq_33209777的博客
11-18 2449
参考一:Unable to extract the trust manager on Android10Platform_CHZKAL的博客-CSDN博客无法在android10平台上提取信任管理器,sslSocketFactoryclass com.android.org.conscrypt.OpenSSLSocketFactoryImpl。记录一下填坑内容。服务器测试接口是http的,不是https,之前一直拿的8.0的手机调试一直好好的,今天换成android 10的手机测试发现请求服务器的时候奔溃
Android 12 Unable to extract the trust manager on Android10Platform
最新发布
qq_15950325的博客
04-01 547
1.最近由于升级Android sdk版本 导致上传报告使用okhttp报错,于是我查看源码分析一波发现问题出现在 在 OkHttpClient 构建方法中 于是尝试修改代码。4、到这里基本结束,只是简单记录下,后续有其他同学遇到这个坑这样解决就行。
Android P设备SSL证书报错
Sunxiaolin2016的博客
07-10 4399
最近在做高德地图SDK开发,遇到一个SSL证书报错的问题,虽然该问题出现概率极低,还是记录一下,以防止以后遇到类似的问题。 报错信息如下: System.err: javax.net.ssl.SSLHandshakeException: Chain validation failed System.err: at com.android.org.conscrypt.ConscryptFil...
OPENSSL与KeyStore
DavyJonesWang的专栏
11-09 5018
1、OpenSSL实践 工作中需要配置使用SSL来双向认证并通信的FTP服务器,以OpenSSLJava的keytool为例,来完成证书的制作: d:/openssl/mkcerts>openssl genrsa -out ca.key 1024 创建CA私钥 Loading 'screen' into random state - done warning, not mu
javax.net.ssl.SSLHandshakeException: PKIX path building failed
hubxx的博客
03-10 9211
错误信息 本地环境缺少ssl证书 一、下载证书 可以通过浏览器下载;也可以使用命令行 1、浏览器 查看证书,直接导出即可 2、命令行 openssl s_client -connect <目标网址:端口号> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > 证书名.crt 二、导入证书 1. 将证书移动到$JAVA_HOME/lib/security/c...
异常: javax.net.ssl.SSLHandshakeException: PKIX path building failed: SunCertPathBuilderException
Java小皮孩
03-28 6360
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
IllegalStateException: Unable to extract the trust manager on Android10Platform
嗯...
12-18 4465
V7 升级到 AndroidX 过程中遇见的问题 IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.android.org.conscrypt.OpenSSLSocketFactoryImpl 错误在okhttp builder.sslSocketFactory 方法 builder.sslSocketFactory(sslSock
解决 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path buildin
weixin_43496689的博客
05-17 9897
PS:后来对windows和mac下java访问https也做了测试,发现mac上的jdk缺省不带startssl ca证书所以能访问通过,而加上startssl ca证书后同android一样访问不通过。JAVA的证书库里已经带了startssl ca证书,而nginx默认不带startssl ca证书,这样JAVA端访问nginx为容器的https url校验就会失败,jetty默认带startssl ca证书,所以正常。最后一行就是jdk的安装路径。
解决Exception in thread “main“ javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.sec
user123name的博客
11-26 4299
访问一个接口,通过postman可以调用但是使用HttpClient无法访问报错误。 Exception in thread “main” javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at
okhttp-3.14.9-API文档-中英对照版.zip
05-04
赠送jar包:okhttp-3.14.9.jar; 赠送原API文档:okhttp-3.14.9-javadoc.jar; 赠送源代码:okhttp-3.14.9-sources.jar; 赠送Maven依赖信息文件:okhttp-3.14.9.pom; 包含翻译后的API文档:okhttp-3.14.9-javadoc-...
okhttp-3.14.9-API文档-中文版.zip
05-09
赠送jar包:okhttp-3.14.9.jar; 赠送原API文档:okhttp-3.14.9-javadoc.jar; 赠送源代码:okhttp-3.14.9-sources.jar; 赠送Maven依赖信息文件:okhttp-3.14.9.pom; 包含翻译后的API文档:okhttp-3.14.9-javadoc-...
okhttp-4.8.1.jar和 okhttp-4.9.1.jar
11-24
okhttp-4.8.1和4.9.1的jar包
okhttp-4.8.1.jar
11-24
okhttp-4.8.1.jar
Unable to extract the trust manager on Android10Platform
热门推荐
CHZKAL的博客
05-21 1万+
无法在android10平台上提取信任管理器,sslSocketFactoryclass com.android.org.conscrypt.OpenSSLSocketFactoryImpl。记录一下填坑内容。 服务器测试接口是http的,不是https,之前一直拿的8.0的手机调试一直好好的,今天换成android 10的手机测试发现请求服务器的时候奔溃了。, 网上这个问题比较少嘞,在此记录一下。 有大佬说这是okhttp的问题,解决方案是X509TrustManager改成X509Exte.
Android异常之:Unable to extract the trust manager on Android10Platform, sslSocketFactory is class
吕氏春秋i
01-04 982
在集成华为云上传的时候 项目跑起来就报错报错问题就是上述。 Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.android.org.conscrypt.OpenSSLSocketFactoryImpl
启动报错解决java.lang.IllegalStateException: Unable to find a @SpringBootConfiguration, you need to use
weixin_44257023的博客
11-28 2195
测试类和启动类包名要一致,就可以了!
OkHttp报错javax.net.ssl.SSLHandshakeException: Handshake failed
09-18
这个错误通常是由于SSL握手失败引起的。它可能是由以下几个原因导致的: 1. 安全证书问题:服务器的安全证书可能无效、过期或不受信任。你可以尝试忽略证书验证来排除此问题,但这不是一个安全的做法。 2. 协议版本不匹配:客户端和服务器之间的SSL/TLS协议版本可能不兼容。你可以尝试指定更低的协议版本来解决此问题。 3. 主机名验证失败:服务器的主机名与安全证书中的主机名不匹配。你可以尝试禁用主机名验证来解决此问题,但同样需要注意安全性。 4. 代理配置问题:如果你正在使用代理服务器,则可能是代理服务器配置不正确导致的。 解决这个问题的方法因情况而异,你可以根据具体情况尝试以下方法: 1. 检查服务器的安全证书是否有效,是否过期,并确保受信任。 2. 尝试指定更低的SSL/TLS协议版本,以确保与服务器兼容。 3. 确保服务器的主机名与证书中的主机名匹配。如果不匹配,可以考虑更新证书或修改主机名验证设置。 4. 如果使用代理服务器,请确保代理配置正确,包括正确的代理地址和端口以及认证信息(如果需要)。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值