最近在使用HttpClient请求https url 时,遇到以下问题:
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
搜索分析之后,得到原因如下:
Android证书库里带着startssl ca证书,而服务器的Web容器中没有带startssl ca证书,这样Android客户端访问该Web容器发布出来的https url时,
校验就会失败。
解决方式:
1.客户端相信所有证书;
2.为服务器端Web容器添加startssl ca证书;
我的解决方式采取第1种。
实现代码:
public static class TrustAllSSLSocketFactory extends SSLSocketFactory {
SSLContext sslContext = SSLContext.getInstance("TLS");
public TrustAllSSLSocketFactory(KeyStore truststore)
throws NoSuchAlgorithmException, KeyManagementException,
KeyStoreException, UnrecoverableKeyException {
super(truststore);
TrustManager tm = new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkClientTrusted(
java.security.cert.X509Certificate[] chain,
String authType)
throws java.security.cert.CertificateException {
}
@Override
public void checkServerTrusted(
java.security.cert.X509Certificate[] chain,
String authType)
throws java.security.cert.CertificateException {
}
};
sslContext.init(null, new TrustManager[] { tm }, null);
}
@Override
public Socket createSocket(Socket socket, String host, int port,
boolean autoClose) throws IOException, UnknownHostException {
return sslContext.getSocketFactory().createSocket(socket, host,
port, autoClose);
}
@Override
public Socket createSocket() throws IOException {
return sslContext.getSocketFactory().createSocket();
}
}
private static SSLSocketFactory getSSLSocketFactory() {
try {
KeyStore trustStore = KeyStore.getInstance(KeyStore
.getDefaultType());
trustStore.load(null, null);
SSLSocketFactory sslSocketFactory = new TrustAllSSLSocketFactory(
trustStore);
sslSocketFactory
.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
return sslSocketFactory;
}
catch (Exception e) {
e.printStackTrace();
}
return null;
}
// 支持http和https两种模式
SchemeRegistry schReg = new SchemeRegistry();
schReg.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
schReg.register(new Scheme("https", getSSLSocketFactory(), 443));
// 使用线程安全的连接管理来创建HttpClient
ClientConnectionManager conMgr = new ThreadSafeClientConnManager(
params, schReg);
PS:如果请求网络使用HttpURLConnection,实现方式也是一样,让客户端信任所有证书。