Android - Certificate Pinning with Retrofit 2.3 and OkHTTP

Hello dear developers,

I have the following problem:

I have been using Certificate Pinning successfully for a few months now, with OkHTTP 3.6 and Retrofit 1.9.0.

Recently I updated the used Retrofit version to 2.3.0 and with this started using OkHttp 3.8. Since the updates, Certificate Pinning is no longer working on devices between AN 4.1 and AN 6.0.

I tried using different OkHTTP versions but had no luck. Furthermore, I tried to enforce the usage of a specific OkHTTP version via Gradle, but that didn't change anything.

Here is the code we use for pinning:

public CertificatePinner provideCertificatePinner(@PinForDomain(DEUTSCHE_POST) final PinnedDomain deutschePost, @PinForDomain(NOVOMIND) final PinnedDomain novomindPin, @PinForDomain(EMMI) final PinnedDomain emmiPin) {
    Log.d(LOG_TAG, "Creating CertificatePinner");
    final CertificatePinner.Builder builder = new CertificatePinner.Builder();
    // Placeholder host and pin as posted; OkHttp pins take the form "sha256/<Base64 hash>".
    builder.add("www.url.com", "sha256Key");
    return builder.build();
}

public OkHttpClient provideOkHttpClient(CertificatePinner pinner) {

    Log.d(LOG_TAG, "Creating OkHttpClient");
    final OkHttpClient.Builder clientBuilder = new OkHttpClient().newBuilder();
    // Attach the injected pinner (the posted snippet passed the provider method name here).
    clientBuilder.certificatePinner(pinner);
    clientBuilder.connectTimeout(BuildConfig.CONNECTION_TIMEOUT, TimeUnit.MILLISECONDS);
    clientBuilder.writeTimeout(BuildConfig.WRITE_TIMEOUT, TimeUnit.MILLISECONDS);
    clientBuilder.readTimeout(BuildConfig.CONNECTION_TIMEOUT, TimeUnit.MILLISECONDS);
    return clientBuilder.build();
}

So I tried the following things:

Forcing the usage of TLS v1.2

ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)  
.tlsVersions(TlsVersion.TLS_1_2)
.cipherSuites(
      CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
      CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
.build();

OkHttpClient client = new OkHttpClient.Builder() 
    .connectionSpecs(Collections.singletonList(spec))
    .build();

And implementing a custom SSLSocketFactory forcing the usage of TLS v1.2 in Version under AN 4.1 according to: https://github.com/square/okhttp/issues/2372

EDIT:

For clarification: "the pinning is not working" means that I'm able to intercept the connection between my App and the Backend Server => 'Man in the middle'.

Right now I'm completely lost on how to fix this issue. Any help is appreciated.

Cheers Pascal

I found out that the problem was not caused by OKHTTP / Retrofit, but by a misconfiguration on client side. Being fairly new in that project I didn't know all of it.

Sorry to have bothered you and thanks for any help given
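
As an added example (not part of the original question or answer, and not OkHttp's own code): a pin passed to `CertificatePinner.Builder.add` has the form `sha256/` followed by the Base64 of the SHA-256 hash over the certificate's SubjectPublicKeyInfo. The code below computes such a pin, validates its shape, and checks a presented chain against the configured pins on a desktop JVM (Java 8+); the class `PinCheck`, its methods, and the two generated keys are constructed for illustration.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

// Added illustration; class and method names are hypothetical, not OkHttp API.
public class PinCheck {

    // OkHttp-style pin: "sha256/" + Base64(SHA-256(SubjectPublicKeyInfo)).
    // PublicKey.getEncoded() returns the DER-encoded SubjectPublicKeyInfo.
    static String spkiPin(PublicKey key) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    // A usable pin has the "sha256/" prefix and decodes to exactly 32 bytes.
    static boolean isWellFormed(String pin) {
        if (pin == null || !pin.startsWith("sha256/")) return false;
        try {
            return Base64.getDecoder().decode(pin.substring(7)).length == 32;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Pinning succeeds when at least one key in the presented chain matches a configured pin.
    static boolean chainMatches(List<PublicKey> chainKeys, List<String> pins) throws Exception {
        for (PublicKey key : chainKeys) {
            if (pins.contains(spkiPin(key))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys standing in for certificate public keys.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey backendKey = gen.generateKeyPair().getPublic();
        PublicKey proxyKey = gen.generateKeyPair().getPublic();

        List<String> pins = Arrays.asList(spkiPin(backendKey));
        System.out.println("placeholder well-formed: " + isWellFormed("sha256Key"));
        System.out.println("computed pin well-formed: " + isWellFormed(pins.get(0)));
        System.out.println("backend chain accepted: " + chainMatches(Arrays.asList(backendKey), pins));
        System.out.println("proxy chain accepted: " + chainMatches(Arrays.asList(proxyKey), pins));
    }
}
```

In a real check the keys come from `X509Certificate.getPublicKey()` for each certificate in the peer chain, so a release test can assert that a chain signed by an unexpected CA is rejected.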
