How to get Charles proxy to work with Android 7 Nougat?
Android 7 introduced some changes to the way certificates are handled ( http://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html ), and somehow I cannot make my Charles proxy work any more.
My network_security_config.xml:
    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <base-config>
            <trust-anchors>
                <certificates src="system" />
            </trust-anchors>
        </base-config>
        <debug-overrides>
            <trust-anchors>
                <certificates src="user" />
            </trust-anchors>
        </debug-overrides>
    </network-security-config>
I'm running in debug mode. But no matter what, I get javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
Needless to say, I did install a pfx certificate from Settings -> Security -> Install from storage. The certificate shows in User Credentials but not in Trusted credentials -> User. On my Lollipop device, the certificates are listed there.
I'm using okhttp3 as my HTTP library.
Any idea what I am doing wrong?
The solution is: do not use .p12; just navigate with Chrome (with the proxy configured on Wi-Fi) to http://charlesproxy.com/getssl and install the downloaded .pem file.
I had exactly the same problem on my Nexus 5X running Android 7.0. A .p12 had previously been exported from Charles 3.11.5 (Help->SSL Proxying->Export Charles Root Certificate and Private Key). When I tried to install the .p12 from the phone (Settings->Security->Install from storage), it appeared only under "User credentials" and never under "Trusted credentials", and of course SSL with the Charles proxy did not work.
The total "how-to" for Android 7.0 would be like this:
Add the attribute android:networkSecurityConfig="@xml/network_security_config" to <application> in Manifest.xml.
PS Check the date/time on the device. It should be correct.
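If all you have is the .p12 export mentioned above, you can strip the private key from it and install only the CA certificate, which is the part the device actually needs as a trust anchor. This is an added example, not code from the thread or from Charles; it assumes the openssl CLI is on PATH and builds a throwaway CA to demonstrate on.

```shell
#!/bin/sh
# Added example (not from the thread): keep only the CA certificate from a
# Charles "Export Root Certificate and Private Key" .p12 so the device never
# receives the proxy's private key. Assumes the openssl CLI is on PATH.
set -eu

# Write the certificate(s) of a PKCS#12 bundle to PEM, dropping the key.
# Usage: ca_cert_only <bundle.p12> <bundle password> <out.pem>
ca_cert_only() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3"
}

# Succeeds (exit 0) only if the PEM holds a certificate and no private key,
# i.e. it is a server-authentication trust anchor, not a client credential.
is_trust_anchor_only() {
  grep -q 'BEGIN CERTIFICATE' "$1" && ! grep -q 'PRIVATE KEY' "$1"
}

# Self-check on a constructed throwaway CA standing in for the Charles export.
demo() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Proxy CA' \
    -keyout "$tmp/ca.key" -out "$tmp/ca.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$tmp/ca.pem" -inkey "$tmp/ca.key" \
    -passout pass:secret -out "$tmp/export.p12"
  ca_cert_only "$tmp/export.p12" secret "$tmp/ca-only.pem"
  is_trust_anchor_only "$tmp/ca-only.pem"
}

# Run directly with three arguments to convert a real export.
if [ $# -eq 3 ]; then
  ca_cert_only "$1" "$2" "$3"
fi
```

The resulting .pem installs under Trusted credentials -> User, the same place the .pem downloaded from charlesproxy.com/getssl ends up.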
I wrote a script that injects the APK with the required exceptions and allows using Charles Proxy with the app.
This is the GitHub: https://github.com/levyitay/AddSecurityExceptionAndroid
Based on the troubleshooting thread of comments for the OP, the answer is to install just the proxy's CA cert as trusted, not its cert + private key.
The issue was caused by two factors:
Installing not just the MiTM proxy's CA cert but also its private key (thus enabling VPN apps on the device to decrypt/MiTM network traffic from other apps). You don't need the MiTM proxy's private key on the device.
Android Nougat's change in behavior of the Settings -> Security -> Install from storage flow for files which contain a private key in addition to cert(s). This change in behavior unmasked the above issue.
Prior to Nougat, the Settings -> Security -> Install from storage flow for files containing a private key in addition to certs erroneously installed the certs as trusted for server authentication (eg, HTTPS, TLS, thus making your MiTM succeed), in addition to being correctly installed as client certs used for authenticating this Android device to servers. In Nougat, the bug was fixed and these certs are no longer installed as trusted for server authentication. This prevents client authentication credentials from affecting (weakening) the security of connections to servers. In your scenario, this prevents your MiTM from succeeding.
What complicates matters is that the Settings -> Security -> Install from storage flow does not provide an explicit way for the user to specify whether they are installing a client authentication credential (private key + cert chain) or a server authentication trust anchor (just a CA cert -- no private key needed). As a result, the Settings -> Security -> Install from storage flow guesses whether it's dealing with a client/user authentication credential or a server authentication trust anchor by assuming that, if a private key is specified, it must be a client/user authentication credential. In your case, it incorrectly assumed that you are installing a client/user authentication credential rather than a server authentication trust anchor.
PS With regards to your Network Security Config, you should probably configure the app to also trust "system" trust anchors in debug mode (debug-overrides section). Otherwise debug builds of the app won't work unless connections are MiTM'd by a proxy whose CA cert is installed as trusted on the Android device.
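The debug-overrides the PS recommends, written out as an added example rather than the OP's file or anything from this answer: debug builds trust both the system CAs and user-installed CAs, so they keep working when no proxy is in the path, while release builds stay on system CAs only.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not the OP's file). Release builds use base-config
     only; debug builds additionally accept user-installed CAs. -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```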
I also had the same error and tried every way until I read the following message, which was key: "The certificate shows in User Credentials but not in Trusted credentials".
So the problem was how to make the certificate appear there, and these were the steps I followed:
I'm on Android 7.1.1; here's how I set up on my device (OnePlus One), without the change of manifest (I was targeting API 21 for my app):
In Charles Proxy:
Help > SSL Proxying > Install Charles Root Certificate on a Mobile Device or Remote Browser. This step gives you the proxy IP and port number and also the link to where you should download the Charles proxy SSL.
On your phone:
Wifi Settings > Modify Network > Advanced Options. Set Proxy to Manual and enter the IP and Port number you received from Charles into Proxy hostname and Proxy port respectively.
(OPTIONAL) You may or may not be able to access the chls.pro/ssl link provided by Charles earlier. On my device, I was always notified that I had no network connection. I added charlesproxy.com to the Bypass proxy for field.
On your browser, go to the link in step 3 and download whatever certificate is necessary (if it doesn't work on Chrome, download Dolphin Browser). You can name your certificate with whatever name.
Back on Charles Proxy:
Allow or Deny your phone to use the proxy if your settings are defaulted to prompt you for remote connections. You can now use Charles on Nougat 7.1.1.
For me the SSL proxy was not working in the release build variant. In debug it worked.