android - SSLPinning not working on android <= 23 with OKHTTP
Problem description
1. We are able to intercept requests/responses with the Burp Suite tool on API <= 23.
2. When I pass an incorrect sha-256 pin to the certificate pinner, it throws the exception com.android.volley.NoConnectionError: javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
3. When I pass the correct pin, it works and the request succeeds.
4. We have not set a static sha256 pin in the network security config. We are doing it programmatically for all versions. Please check what I am missing.
Using 'com.squareup.okhttp3', name: 'okhttp', version: '3.11.0', and the network security config is:
```xml
<network-security-config>
    <base-config cleartextTrafficPermitted="true"/>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">abc.com</domain>
    </domain-config>
</network-security-config>
```
**and ssl pinning android code**
```java
public static HurlStack getOkHttpStack(Context context) {
    HurlStack stack = null;
    try {
        // Obtain the platform default X509TrustManager (needed by OkHttp's sslSocketFactory(factory, trustManager))
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected default trust managers:"
                    + Arrays.toString(trustManagers));
        }
        X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
        CertificatePinner certPinner = buildCertificatePinner(context);
        stack = new OkHttpStack(trustManager, certPinner);
    } catch (Exception e) {
        e.printStackTrace();
    }
    // Note: if setup fails, this falls back to a plain HurlStack with no pinning at all
    if (stack == null) {
        stack = new HurlStack();
    }
    return stack;
}
```
**CertificatePinner object creation**
```java
private static CertificatePinner buildCertificatePinner(Context context) {
    CertificatePinner pinner = null;
    // Code ---
    return pinner;
}
```
**Okhttp client object creation**
```java
// Client held by the stack (field declaration implied by the original snippet)
private final OkHttpClient mClient;

public OkHttpStack(X509TrustManager trustManager, CertificatePinner certPinner) throws Exception {
    OkHttpClient.Builder builder = new OkHttpClient.Builder();
    if (trustManager != null) {
        // TLSSocketFactory is the app's own SSLSocketFactory wrapper (not shown in the question)
        TLSSocketFactory factory = new TLSSocketFactory(trustManager);
        builder.sslSocketFactory(factory, trustManager);
    }
    if (certPinner != null) {
        builder.certificatePinner(certPinner);
    }
    mClient = builder.build();
}
```
Solution
Between API levels 15 and 22, TLS 1.2 needs to be enabled explicitly, so this must be done when building the OkHttpClient.
```java
// okHttpClientBuilder, trustManager and Tls12SocketFactory are assumed to exist in the caller's code
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1) {
    SSLContext sc = SSLContext.getInstance("TLSv1.2");
    sc.init(null, null, null);
    okHttpClientBuilder.sslSocketFactory(new Tls12SocketFactory(sc.getSocketFactory()),
            trustManager
    );
}
```
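The answer references a `Tls12SocketFactory` without showing it; the following is an added example (not the asker's or the answerer's code) of such a wrapper together with the client assembly it describes, assuming OkHttp 3.11.0 and the Android SDK, with a placeholder pin value for abc.com.

```java
import android.os.Build;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.*;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
/** SSLSocketFactory wrapper that enables TLSv1.2 on every socket it hands out. */
public class Tls12SocketFactory extends SSLSocketFactory {
    private static final String[] TLS_V12_ONLY = {"TLSv1.2"};
    private final SSLSocketFactory delegate;
    public Tls12SocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return enableTls12(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return enableTls12(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return enableTls12(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return enableTls12(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return enableTls12(delegate.createSocket(host, port, local, localPort));
    }
    // API 16-21 support TLSv1.2 but do not enable it by default; turn it on per socket.
    private static Socket enableTls12(Socket s) {
        if (s instanceof SSLSocket) ((SSLSocket) s).setEnabledProtocols(TLS_V12_ONLY);
        return s;
    }
    /** Client assembly as in the answer: pin abc.com, and force TLS 1.2 below API 22. */
    public static OkHttpClient buildClient(X509TrustManager trustManager) throws Exception {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Placeholder SPKI hash (assumption); use the real pin plus a backup pin in production.
                .add("abc.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
                .build();
        OkHttpClient.Builder b = new OkHttpClient.Builder().certificatePinner(pinner);
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1) {
            SSLContext sc = SSLContext.getInstance("TLSv1.2");
            sc.init(null, new TrustManager[]{trustManager}, null);
            b.sslSocketFactory(new Tls12SocketFactory(sc.getSocketFactory()), trustManager);
        }
        return b.build();
    }
}
```

Passing the same trust manager to both `SSLContext.init` and `sslSocketFactory(factory, trustManager)` keeps OkHttp's chain cleaning and the pin check working against one consistent trust store.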