2013-07-21 87 views
3

After doing some tests on Android 2.2 I thought I had solved this problem, but then I got this error message again. The first time I did this it worked for a day, but now I am facing the problem again. Does anyone have a solution besides the one I used below? Or an explanation for why the problem came back? Android 2.2: javax.net.ssl.SSLException: Not trusted server certificate - Android 2.3: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

On Android 2.3 I never got it working; I get the following error:

07-26 19:48:12.580: W/System.err(1201): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

Error message on 2.2:

07-23 00:12:18.726: W/System.err(22569): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found. 
07-23 00:12:18.730: W/System.err(22569): at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:149) 
07-23 00:12:18.730: W/System.err(22569): at java.security.cert.CertPathValidator.validate(CertPathValidator.java:202) 
07-23 00:12:18.730: W/System.err(22569): at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:164) 

Edit: I thought I had fixed the problem as follows:

When I send the HTTP request to the third-party server from my Windows web browser it returns XML, but when I do the same from an Android Activity I get the following error:

W/System.err(9471): javax.net.ssl.SSLException: Not trusted server certificate 
. 
. 
. 
W/System.err(7207): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found. 

I use the following request:

https://www.voipinfocenter.com/API/ Request.ashx?command=_&username= _&password=______&customer=__&customerpassword=___ &geocallcli=__&tariffrate=_ 

It doesn't seem smart to just ignore this security problem. Is there a way to solve it, especially since it is not my own server?

Edit: I found the android-trusting-ssl-certificates post and managed to download the certificate with SSLCertDownloader:

C:\ssl>SSLCertDownloader.exe www.server.com 443 c:\ssl\CAcert.cer

Downloaded bcprov-jdk16-145.jar and saved it in the c:\ssl folder. Made sure keytool is in the c:\ssl folder.

Imported the certificate:

keytool -importcert -v -trustcacerts -file "CAcert.cer" -alias IntermediateCA -keystore "mykeystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-145.jar" -storetype BKS -storepass Password

How do I know whether I downloaded all the required certificates? openssl s_client -connect -showcerts gave me the following:

Loading 'screen' into random state - done 
CONNECTED(000000D4) 
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130 
verify error:num=20:unable to get local issuer certificate 
verify return:1 
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130 
verify error:num=27:certificate not trusted 
verify return:1 
depth=0 /C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130 
verify error:num=21:unable to verify the first certificate 
verify return:1 
--- 
Certificate chain 
0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA 
-----BEGIN CERTIFICATE----- 
MIIFczCCBFugAwIBAgIQHXnQEnG/Ft0D1oCzycDFbDANBgkqhkiG9w0BAQUFADCB 
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G 
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV 
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTEx 
MDMzMTAwMDAwMFoXDTE0MDUwMjIzNTk1OVowga4xCzAJBgNVBAYTAkxVMQ0wCwYD 
VQQREwQyMTMwMQswCQYDVQQIEwJOQTETMBEGA1UEBxMKTHV4ZW1ib3VyZzEiMCAG 
A1UECRMZQm91bGV2YXJkIENoYXJsZXMgTWFyeCAyMzEWMBQGA1UEChMNRGVsbG1v 
bnQgU2FybDEaMBgGA1UECxMRQ29tb2RvIEluc3RhbnRTU0wxFjAUBgNVBAMTDTc3 
LjcyLjE3My4xMzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo5mTI 
oNnf4NsNKq3tXxxszbBOs22UubyUzwExBQ5i220y/qcXF0iA6h+lc+41WIJkT4mI 
IltTMdAs9L8BLMIu/bFQRBlL5M1y7GRnGTEr2IqgE83gOWq5Bpz6Mvmhu67HDkHv 
0ZBK/IwKn4f1lW+fntGD6++RfQixGAY0Ei+XDxn09mHV++qgFPA+4WpeOwVy3+I+ 
bk9hf8MR3aUfWDyPwdDF0BpNJ8yyzXwUzL/8RwEIN90wBRQ5O8KjociAXC/uqnXk 
f8/woZkhfwqtQ0yWbHDWJlBSIg+xs3HtB6UhagFRWuLLZiJz9AurGRfb0pfOmwjI 
XWkU6jVhLRDndzzpAgMBAAGjggGuMIIBqjAfBgNVHSMEGDAWgBQ/1bXQ1kR5UEoX 
o5uMSty4sCJkazAdBgNVHQ4EFgQUmIxbnFxciu12ZJ84pSL/aVMLVAcwDgYDVR0P 
AQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG 
AQUFBwMCMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQMEMCswKQYIKwYBBQUHAgEW 
HWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTME8GA1UdHwRIMEYwRKBCoECG 
Pmh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJhbmNlU2Vj 
dXJlU2VydmVyQ0EuY3JsMIGABggrBgEFBQcBAQR0MHIwSgYIKwYBBQUHMAKGPmh0 
dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET0hpZ2gtQXNzdXJhbmNlU2VjdXJl 
U2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5j 
b20wDwYDVR0RBAgwBocETUitgjANBgkqhkiG9w0BAQUFAAOCAQEAH1jjfuwJxIac 
s1uBibTiJyQKRVuyrb3MLo5A0D9mwQ+hew4GktAkJBc73AJ4gQgufADt06eJjzqc 
SzpxkATx38W6WuRcis5odJRvkVrNv0yiJfAsQf6mB0laMXCrvt9+drGy8O/Xd4TC 
4OU6A+s551SYKAhkAdlZuCCn4A0FgxL3nX/K/cXcvhHt+v2hDy/TraFlC3CQ73tp 
SOxVNO9g8DZBu38c0W6SejQti40/xR2245t/U39GznSy9sgeMdQVU1JHpkwR2R9J 
lXsRiev1PtTX1MZGLbyLhH1gSMn+n7gdBb7hZpaIZWicmp1NaRtC1oVQL49l7NdU 
WcXYaeeuQA== 
-----END CERTIFICATE----- 
--- 
Server certificate 
subject=/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130 
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 1551 bytes and written 450 bytes 
--- 
New, TLSv1/SSLv3, Cipher is AES128-SHA 
Server public key is 2048 bit 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : AES128-SHA 
    Session-ID: F724000041ACE5FC6871CF549CAE1BC0F076578433238D6FF8B1DF3F374627D 

    Session-ID-ctx: 
    Master-Key: ADB009A0D064383C492EA9FBBDCFA81C5D945C88F168ECC225BCDF2798B063C 
814CDA4E1E29AFB91C75290C7C41CB66 
    Key-Arg : None 
    Start Time: 1374894544 
    Timeout : 300 (sec) 
    Verify return code: 21 (unable to verify the first certificate) 
--- 

Saved mykeystore.bks in the res/raw folder and created the following class:

import java.io.InputStream;
import java.security.KeyStore;

import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;

import android.content.Context;

public class MyHttpClient extends DefaultHttpClient {

    final Context context;

    public MyHttpClient(Context context) {
        this.context = context;
    }

    @Override
    protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        // Register for port 443 our SSLSocketFactory with our keystore
        // to the ConnectionManager
        registry.register(new Scheme("https", newSslSocketFactory(), 443));
        return new SingleClientConnManager(getParams(), registry);
    }

    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("BKS");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = context.getResources().openRawResource(R.raw.mykeystore);
            try {
                // Initialize the keystore with the provided trusted certificates
                // Also provide the password of the keystore
                trusted.load(in, "Password".toCharArray());
            } finally {
                in.close();
            }
            // Pass the keystore to the SSLSocketFactory. The factory is responsible
            // for the verification of the server certificate.
            SSLSocketFactory sf = new SSLSocketFactory(trusted);
            // Hostname verification from certificate
            // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
            sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
}

In the Activity:

// Instantiate the custom HttpClient 
DefaultHttpClient client = new MyHttpClient(getApplicationContext()); 
HttpGet get = new HttpGet("https://www.mydomain.ch/rest/contacts/23"); 
// Execute the GET call and obtain the response 
HttpResponse getResponse = client.execute(get); 
HttpEntity responseEntity = getResponse.getEntity(); 

Did you solve the above problem? I am also getting the same response as you; it works fine on Android 4.0 and above.

Answer

0

W/System.err(1201): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

What cipher suite are you using? Anonymous Diffie-Hellman (ADH) will cause the server not to send a certificate.


W/System.err(22569): Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.

That sounds like you are not trusting the CA root certificate needed for chain validation. Is it loaded? Is it the correct root to trust?


Certificate chain 
0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130 
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA 
[Repeated three times] 

That looks malformed in practice. There is no need to send the end-entity certificate three or four times.

Edit: the certificate is only sent once.


Generally there are three or four certificates used in chain validation: (1) the CA root certificate, (2) one or two intermediate certificates, and (3) the end-entity (or leaf, or server) certificate. In the SSL/TLS Server Hello, the certificates from (2) and (3) should be sent.

As an example, there is a screenshot on the OpenSSL wiki of all the certificates used in a Server Hello. It is from an example of how to write an OpenSSL client, and it is based on a real site that uses COMODO. Here is the capture: http://wiki.openssl.org/index.php/File:Bio-fetch-1.png, and here is the example: http://wiki.openssl.org/index.php/SSL/TLS_Client

So I believe the chain is missing the root:

  • AddTrust External CA Root

and two intermediates:

  • COMODO Certification Authority
  • COMODO Extended Validation Secure Server CA

The certificates in question can be found on COMODO's site: Root and Intermediate Certificates. Or, you can copy and paste them from the chain provided in Fix 2 below.


Fix 1

To fix this, the server in question should send a concatenation of three certificates. The first is the server certificate, the second is the "COMODO Extended Validation Secure Server CA" (intermediate) certificate, and the third is the "COMODO Certification Authority" (intermediate) certificate. You also need to trust the "AddTrust External CA Root" (root) certificate.

Below is a real-world example using Google's site and the "Equifax Secure Certificate Authority". Notice the intermediate certificates that are sent in addition to the server's end-entity certificate:

$ echo "GET / HTTP/1.0" | openssl s_client -connect www.google.com:443 -showcerts 
CONNECTED(00000003) 
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA 
verify error:num=20:unable to get local issuer certificate 
verify return:0 
--- 
Certificate chain 
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com 
    i:/C=US/O=Google Inc/CN=Google Internet Authority G2 
-----BEGIN CERTIFICATE----- 
MIIEdjCCA16gAwIBAgIIRYUpUVjSfHQwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE 
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl 
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMxMTIwMTUxMDQ3WhcNMTQwMzIwMDAwMDAw 
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN 
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3 
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDW8ZNM 
PeVQTl+gbie7LVVCUrZ/Y3pM7EhWD9L9ZDeL39IeGeyKIfTIWLBpQRnM2xk3ITuR 
2cIEH7WuhGfXi2bKwp27N2H9j5vPfsl04b50pus8XaJXUvwq+TgT1852QQy+sGQl 
QE9UN0HIK8qleDV5VycpK6KnhSl7QH6283WX2xtiW1oxVETspRPv5gLIFXm9po9X 
fTzQZm/Wnkvyl3SAXa4msAMABqrrczWM6ySC6UoWUEttYTAEy2OPsqEBhTBSseP5 
W4w5X6kM7nU7u2R05NtxaVb/vO7RxIngU73+i7PF3ZDg6TxfQYGdAs0h03WoZCrI 
JjsvdRU9QEhnZXVjAgMBAAGjggFBMIIBPTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI 
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE 
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0 
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G 
A1UdDgQWBBSloFBACjHuLBs7YbSkN82IHLBklzAMBgNVHRMBAf8EAjAAMB8GA1Ud 
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQMA4wDAYKKwYBBAHW 
eQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lB 
RzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCQSyYioqaFpkdSfBReEEFHffMcXzE9 
VL5L/ysdFAqCk9bmMyHsYKZ8FET1mh2BqzwXY7VWulaeOg+SPv8D4kwKRtCGuDgp 
/6Jo7+TzkU5GSQxnrrSuA4DW+nKwrkoS+bLEMV67MrSAMSQ3/TVwIHpxWmU16aGO 
08ICQCzXyWevTaCxbC49n1iBloZPNYFk74QfUTllKYbzhKrUPqJvCjlkaHPAVzv0 
OtGjXuOdSfB4nURA7INNYvx8ULMECg5Sj8Gan8kIOfeW3jt9vdxsZrbn0Cu/bcTm 
OEK3nH1sBk2Hy5ZBcyludHyUzqTHsXSjnIjwZNPpihVmFrs5I1Ma7iEj 
-----END CERTIFICATE----- 
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2 
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
-----BEGIN CERTIFICATE----- 
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT 
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i 
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG 
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy 
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB 
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP 
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv 
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE 
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ 
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC 
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7 
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD 
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g 
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI 
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n 
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB 
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY 
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/ 
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza 
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto 
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6 
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx 
-----END CERTIFICATE----- 
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 
-----BEGIN CERTIFICATE----- 
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT 
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw 
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE 
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB 
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m 
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu 
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c 
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR 
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz 
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm 
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM 
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g 
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO 
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv 
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB 
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL 
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W 
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S 
-----END CERTIFICATE----- 
--- 
Server certificate 
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com 
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 3728 bytes and written 448 bytes 
... 

The server must send the certificate chain needed for validation to avoid the "directory" problem. It is well known in PKI, and it essentially means the client does not know where to go to find the missing certificates. For example, how would the client know where to fetch "COMODO High-Assurance Secure Server CA" from?

Fix 2:

In this fix, you load the root and intermediate certificates because the server or site is not set up correctly (generally you only load the roots you trust). To see how it is done in practice with OpenSSL, see the OpenSSL client example at http://wiki.openssl.org/index.php/SSL/TLS_Client. In that file, openssl-bio-fetch.c (line 115), you will see the following call that sets the trusted roots (and intermediates) used during chain validation:

res = SSL_CTX_load_verify_locations(ctx, "random-org-chain.pem", NULL); 
ASSERT(res == 1) 
... 

The file random-org-chain.pem contains the following PEM-encoded concatenation. The concatenation consists of the root certificate and the two intermediate certificates needed to validate www.random.org's server certificate.

$ cat random-org-chain.pem 
# 
# AddTrust External CA Root 
# 
-----BEGIN CERTIFICATE----- 
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU 
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs 
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290 
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux 
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h 
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v 
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt 
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9 
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX 
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX 
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN 
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0 
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD 
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0 
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU 
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx 
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN 
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH 
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5 
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC 
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX 
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a 
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ= 
-----END CERTIFICATE----- 

# 
# COMODO Certification Authority 
# 
-----BEGIN CERTIFICATE----- 
MIIE8TCCA9mgAwIBAgIQbyXcFa/fXqMIVgw7ek/H+DANBgkqhkiG9w0BAQUFADBv 
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk 
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF 
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow 
gYExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO 
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMScwJQYD 
VQQDEx5DT01PRE8gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3 
DQEBAQUAA4IBDwAwggEKAoIBAQDQQIuLcuORG/dRwRtUBJjTqb/B5opdO4f7u4jO 
DeMvPwaW8KIpUJmu2zuhV7B0UXHN7UKRTUH+qcjYaoZ3RLtZZpdQXrTULHBEz9o3 
lUJpPDDEcbNS8CFNodi6OXwcnqMknfKDFpiqFnxDmxVbt640kf7UYiYYRpo/68H5 
8ZBX66x6DYvbcjBqZtXgRqNw3GjZ/wRIiXfeten7Z21B6bw5vTLZYgLxsag9bjec 
4i/i06Imi8a4VUOI4SM+pdIkOWpHqwDUobOpJf4NP6cdutNRwQuk2qw471VQJAVl 
RpM0Ty2NrcbUIRnSjsoFYXEHc0flihkSvQRNzk6cpUisuyb3AgMBAAGjggF0MIIB 
cDAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUC1jl 
i8ZMFTekQKkwqSG+RzZaVv8wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB 
Af8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9j 
cmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDCBswYI 
KwYBBQUHAQEEgaYwgaMwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0 
LmNvbS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LnA3YzA5BggrBgEFBQcwAoYtaHR0 
cDovL2NydC51c2VydHJ1c3QuY29tL0FkZFRydXN0VVROU0dDQ0EuY3J0MCUGCCsG 
AQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBBQUA 
A4IBAQAHYJOZqs7Q00fQNzPeP2S35S6jJQzVMx0Njav2fkZ7WQaS44LE5/X289kF 
z0k0LTdf9CXH8PtrI3fx8UDXTLtJRTHdAChntylMdagfeTHJNjcPyjVPjPF+3vxG 
q79om3AjMC63xVx7ivsYE3lLkkKM3CyrbCK3KFOzGkrOG/soDrc6pNoN90AyT99v 
uwFQ/IfTdtn8+7aEA8rJNhj33Wzbu7qBHKat/ij5z7micV0ZBepKRtxzQe+JlEKx 
Q4hvNRevHmCDrHqMEHufyfaDbZ76iO4+3e6esL/garnQnweyCROa9aTlyFt5p0c1 
M2jlVZ6qW8swC53HD79oRIGXi1FK 
-----END CERTIFICATE----- 

# 
# COMODO Extended Validation Secure Server CA 
# 
-----BEGIN CERTIFICATE----- 
MIIFBjCCA+6gAwIBAgIQEaO00OyNt3+doM1dLVEvQjANBgkqhkiG9w0BAQUFADCB 
gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G 
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV 
BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMDA1MjQwMDAw 
MDBaFw0yMDA1MzAxMDQ4MzhaMIGOMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl 
YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P 
RE8gQ0EgTGltaXRlZDE0MDIGA1UEAxMrQ09NT0RPIEV4dGVuZGVkIFZhbGlkYXRp 
b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC 
ggEBAMxKljPNJY1n7iiWN4dG8PYEooR/U6qW5h+xAhxu7X0h1Nc8HqLYaS+ot/Wi 
7WRYZOFEZTZJQSABjTsT4gjzDPJXOZM3txyTRIOOvy3xoQV12m7ue28b6naDKHRK 
HCvT9cQDcpOvhs4JjDx11MkKL3Lzrb0OMDyEoXMfAyUUpY/D1vS15N2GevUZumjy 
hVSiMBHK0ZLLO3QGEqA3q2rYVBHfbJoWlLm0p2XGdC0x801S6VVRn8s+oo12mHDS 
b6ZlRS8bhbtbbfnywARmE4R6nc4n2PREnr+svpnba0/bWCGwiSe0jzLWS15ykV7f 
BZ3ZSS/0tm9QH3XLgJ3m0+TR8tMCAwEAAaOCAWkwggFlMB8GA1UdIwQYMBaAFAtY 
5YvGTBU3pECpMKkhvkc2Wlb/MB0GA1UdDgQWBBSIRFH/UCppXi2I9CG62Qzyzsvq 
fDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADA+BgNVHSAENzA1 
MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNv 
bS9DUFMwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v 
Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwdAYIKwYBBQUHAQEEaDBm 
MD4GCCsGAQUFBzAChjJodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9BZGRU 
cnVzdFNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv 
Y2EuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQCaQ7+vpHJezX1vf/T8PYy7cOYe3QT9 
P9ydn7+JdpvyhjH8f7PtKpFTLOKqsOPILHH3FYojHPFpLoH7sbxiC6saVBzZIl40 
TKX2Iw9dej3bQ81pfhc3Us1TocIR1FN4J2TViUFNFlW7kMvw2OTd3dMJZEgo/zIj 
hC+Me1UvzymINzR4DzOq/7fylqSbRIC1vmxWVKukgZ4lGChUOn8sY89ZIIwYazgs 
tN3t40DeDDYlV5rA0WCeXgNol64aO+pF11GZSe5EWVYLXrGPaOqKnsrSyaADfnAl 
9DLJTlCDh6I0SD1PNXf82Ijq9n0ezkO21cJqfjhmY03n7jLvDyToKmf6 
-----END CERTIFICATE----- 

Sorry about the C/C++ code. I don't have a Java example handy, but it's OpenSSL code and the same concepts apply.


0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130 

When using an IP address for the Common Name (CN), I believe the IP must also be listed in the Subject Alternative Name (SAN). It's not obvious that the end-entity certificate is well formed, and Bouncy Castle may be aggressive in its validation. The certificate requirements are published by the CA/Browser Forum and can be found here:


Some of the methods being used are marked as deprecated. For example, X509HostnameVerifier's STRICT_HOSTNAME_VERIFIER has been deprecated.


Finally, you can get a free certificate from Startcom, run by Eddy Nigg, that is trusted by most desktop and mobile browsers. Startcom charges if a revocation is needed, since that is where the cost lies. CAs charge you up front for revocation and pocket the unused proceeds ;)
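As a worked example that is not part of the question or the answer: the question asks how to tell whether all the required certificates were obtained, and the answer's Fix 1 describes what a complete chain looks like (leaf, then intermediates, ending at an issuer that is a trusted root). The Python script below automates that check over the "Certificate chain" section of `openssl s_client -showcerts` output: it links each certificate's issuer to the next certificate's subject, reports whether the chain ends at a trusted root, flags a leaf whose CN is an IP literal (the SAN point raised in the answer), and maps each outcome to the Android exception the thread shows. The `TRUSTED_ROOTS` set, the abridged sample transcripts and all function names are assumptions of this example.

```python
"""Diagnose an incomplete certificate chain from `openssl s_client -showcerts` output.

Added example for this thread, not code from the question or the answer.
TRUSTED_ROOTS and the sample transcripts below are constructed for the demo.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed trust store: the two roots named in this thread, written as
# s_client prints distinguished names. A real client store holds far more.
TRUSTED_ROOTS: Set[str] = {
    "/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root",
    "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority",
}

# Sample transcripts, abridged from the two quoted in this thread (PEM bodies dropped).
QUESTION_OUTPUT = """\
Certificate chain
 0 s:/C=LU/postalCode=2130/ST=NA/L=Luxembourg/streetAddress=Boulevard Charles Marx 23/O=Dellmont Sarl/OU=Comodo InstantSSL/CN=77.72.173.130
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
---
Server certificate
"""
GOOGLE_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
"""


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str


# One chain entry: "N s:<subject>" followed by an "i:<issuer>" line.
_ENTRY_RE = re.compile(r"^[ \t]*(\d+) s:(.*)\n[ \t]*i:(.*)$", re.MULTILINE)


def parse_chain(s_client_output: str) -> List[ChainEntry]:
    """Return the certificates the server sent, in the order s_client lists them."""
    start = s_client_output.find("Certificate chain")
    if start == -1:
        return []
    end = s_client_output.find("Server certificate", start)
    block = s_client_output[start:end if end != -1 else len(s_client_output)]
    return [ChainEntry(int(d), s.strip(), i.strip()) for d, s, i in _ENTRY_RE.findall(block)]


def common_name(dn: str) -> str:
    m = re.search(r"/CN=([^/]*)", dn)
    return m.group(1).strip() if m else ""


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def diagnose(entries: List[ChainEntry], trusted_roots: Set[str] = TRUSTED_ROOTS) -> Dict[str, object]:
    """Classify the chain: ok / no_certificate / broken_link / missing_intermediates / untrusted_root."""
    findings: List[str] = []
    if not entries:
        return {"status": "no_certificate",
                "findings": ["server sent no certificate (anonymous cipher suite?); "
                             "Android reports SSLPeerUnverifiedException: No peer certificate"]}
    leaf_cn = common_name(entries[0].subject)
    if is_ip_literal(leaf_cn):
        findings.append(f"leaf CN is the IP literal {leaf_cn}; it must also appear as an "
                        "iPAddress SAN, which this summary does not show")
    for subject, n in Counter(e.subject for e in entries).items():
        if n > 1:
            findings.append(f"certificate sent {n} times: {common_name(subject)}")
    for cur, nxt in zip(entries, entries[1:]):
        if cur.issuer != nxt.subject:
            findings.append(f"broken link: issuer of #{cur.depth} is not the subject of #{nxt.depth}")
            return {"status": "broken_link", "findings": findings}
    last = entries[-1]
    if last.subject == last.issuer:  # the server sent the root itself
        status = "ok" if last.subject in trusted_roots else "untrusted_root"
        findings.append(f"root sent by server: {last.subject}")
    elif last.issuer in trusted_roots:
        status = "ok"
        findings.append(f"chain ends at trusted root: {last.issuer}")
    else:
        status = "missing_intermediates"
        findings.append(f"chain ends at an issuer that is not a trusted root: {last.issuer} "
                        "(Android reports TrustAnchor for CertPath not found)")
    return {"status": status, "findings": findings}


if __name__ == "__main__":
    for label, output in (("question", QUESTION_OUTPUT), ("google", GOOGLE_OUTPUT)):
        result = diagnose(parse_chain(output))
        print(label, result["status"], *result["findings"], sep="\n  ")
```

Run it against a saved `openssl s_client -connect host:443 -showcerts` transcript: the question's server comes out as `missing_intermediates` (one certificate, issued by an intermediate that is in nobody's root store, exactly the condition behind "TrustAnchor for CertPath not found"), while the Google transcript comes out `ok` because its last certificate is issued directly by a trusted root. The script only reads the subject/issuer summary, so it cannot check signatures, validity dates or SAN contents; it tells you which certificate is missing, not that the ones present are valid.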
