在Android 2.3設備上沒有對等證書錯誤，但在Android 4+上工作正常

Question

1. 我已經爲我的服務器證書創建了bks文件。這是在項目的源代碼添加在原文件夾

2. 我已經建立了我HTTPS客戶如下：

   公共類MyHttpsClient擴展DefaultHttpClient {

   final Context context; 
   
   public MyHttpsClient(Context context) { 
       this.context = context; 
   } 
   
   @Override 
   protected ClientConnectionManager createClientConnectionManager() { 
       SchemeRegistry registry = new SchemeRegistry(); 
       registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80)); 
       // Register for port 443 our SSLSocketFactory with our keystore 
       // to the ConnectionManager 
       registry.register(new Scheme("https", newSslSocketFactory(), 443)); 
       return new SingleClientConnManager(getParams(), registry); 
   } 
   
   private SSLSocketFactory newSslSocketFactory() { 
       try { 
        // Get an instance of the Bouncy Castle KeyStore format 
        KeyStore trusted = KeyStore.getInstance("BKS"); 
        // Get the raw resource, which contains the keystore with 
        // your trusted certificates (root and any intermediate certs) 
        InputStream in = context.getResources().openRawResource(R.raw.mykeystore); 
        try { 
         // Initialize the keystore with the provided trusted certificates 
         // Also provide the password of the keystore 
         trusted.load(in, "testpassword".toCharArray()); 
        } finally { 
         in.close(); 
        } 
        // Pass the keystore to the SSLSocketFactory. The factory is responsible 
        // for the verification of the server certificate. 
        SSLSocketFactory sf = new SSLSocketFactory(trusted); 
        // Hostname verification from certificate 
        // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506 
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER); 
        return sf; 
       } catch (Exception e) { 
        throw new AssertionError(e); 
       } 
   } 
   

   }

3. 然後我使用它像：

   DefaultHttpClient httpClient = new MyHttpsClient(context); 
   HttpConnectionParams.setConnectionTimeout(httpClient.getParams(), 30000); 
   HttpContext localContext = new BasicHttpContext(); 
   HttpPost httpPost = new HttpPost(url); 
   httpPost.setHeader("Accept", "application/json"); 
   httpPost.setHeader("Content-type", "application/json"); 
   httpPost.setEntity(new StringEntity(jsonString)); 
   
   response = httpClient.execute(httpPost, localContext); 
   HttpEntity entity = response.getEntity(); 
   httpresponse = getResponse(entity); 
   

4. 現在來了有趣的部分。這適用於Android 4+真實設備和模擬器。在Android 2.3的失敗與

javax.net.ssl.SSLPeerUnverifiedException：沒有對方的證書

我怎樣才能讓它在Android 2.3工作，沒有已知的「信任所有證書」的方式？

Answer 1

幾天我解決了同樣的問題。解決方案包括以下內容。我將安裝在設備上的所有證書（在我的情況下是samsung galaxy II）並轉到管理服務器上安裝證書鏈的服務器端開發人員。他分析ssl鏈，並檢測到鏈中有一個證書（Thawte 2006）和其他證書（Thawte 2010）。他刪除了2006年發佈的最早的證書，並且在android 2.x上的ssl驗證開始工作。我建議你，在嘗試獲得工作本地密鑰庫之前，研究你的服務器端ssl鏈並檢查這個鏈沒有不必要的證書，因爲android 2.x設備不能忽略不必要的證書，但是其他平臺3.x 4x和IOS，Windows手機可以做到這一點，我的意思是忽略SSL證書鏈中的「垃圾」。