Android 客戶端證書 403

Question

我正在嘗試使用帶有客戶端證書的 ssl 在 android 設備和 Web 服務之間建立連接（服務器檢查需要客戶端證書），服務器上的證書由 CA（go-daddy）簽名我也有一個客戶端證書（* .pfx），我放棄了本教程以附加客戶端證書文件，我正在使用 ksoap2 調用 Web 服務，我不斷收到錯誤 403，但是從設備（或 PC）Web 瀏覽器它工作正常（安裝證書后）。 .. 我對客戶端證書不太了解，但在我看來，連接沒有以正確的方式使用我的證書。

當我使用自簽名證書進行測試時，一切正常。

任何想法我做錯了什么？ 我的 ksoap2 kod：

public void GetUser(String user_name, String password, boolean isSchedule,
        boolean writeTostatistic) throws Exception {

    Log.d(GlobalUtil.TAG_LOG, "Calling GetUser()  web service");
    String METHOD_NAME = "GetUser";
    globalUtil.user = new User();
    User us = new User();
    HttpsTransportSE httpTransport = new KeepAliveHttpsTransportSE(host,
            port, file, timeout);

    SoapSerializationEnvelope envelope = new SoapSerializationEnvelope(
            SoapEnvelope.VER12);
    SoapObject Request = new SoapObject(NAMESPACE, METHOD_NAME);
    httpTransport.debug = true;
    envelope.dotNet = true;
    envelope.headerOut = new Element[1];
    envelope.headerOut[0] = elementHeaders;

    Request.addProperty("user_name", user_name);
    Request.addProperty("password", password);
    Request.addProperty("isSchedule", isSchedule);
    Request.addProperty("writeTostatistic", writeTostatistic);
    envelope.implicitTypes = true;
    envelope.setOutputSoapObject(Request); // prepare request

    envelope.addMapping(NAMESPACE, "User", new User().getClass());

    if (useCertificate) {
        try {
            ((HttpsServiceConnectionSE) httpTransport
                    .getServiceConnection())
                    .setSSLSocketFactory(sSLContext);
        } catch (IOException e) {

            e.printStackTrace();
        }
    } else
        allowAllSSL();

    List<HeaderProperty> httpHeaders = null;
    try {

        httpHeaders = httpTransport.call(SOAP_ACTION + METHOD_NAME,
                envelope, null);

        SoapObject response = (SoapObject) envelope.getResponse();

        if (response == null)
            return;

        us.Id = Integer.parseInt(response.getProperty("Id").toString());
        if (!response.getProperty("User_Name").toString()
                .equals("anyType{}"))
            us.User_Name = response.getProperty("User_Name").toString();
        if (!response.getProperty("Password").toString()
                .equals("anyType{}"))
            us.Password = response.getProperty("Password").toString();
        if (!response.getProperty("USER_HEBREW_FIRSTNAME").toString()
                .equals("anyType{}"))
            us.USER_HEBREW_FIRSTNAME = response.getProperty(
                    "USER_HEBREW_FIRSTNAME").toString();
        if (!response.getProperty("USER_HEBREW_LASTNAME").toString()
                .equals("anyType{}"))
            us.USER_HEBREW_LASTNAME = response.getProperty(
                    "USER_HEBREW_LASTNAME").toString();

        us.Merhav = Integer.parseInt(response.getProperty("Merhav")
                .toString());
        us.Yaam = Integer.parseInt(response.getProperty("Yaam").toString());
        us.Tat_Mifal = Integer.parseInt(response.getProperty("Tat_Mifal")
                .toString());
        us.Ezor = Integer.parseInt(response.getProperty("Ezor").toString());
        us.EzorLahatz = Integer.parseInt(response.getProperty("EzorLahatz")
                .toString());
        /*
         * us.PasswordExpirationDate=(Date)
         * response.getProperty("PasswordExpirationDate");
         */
        us.PasswordExpirationDate = User
                .ParsePasswordExpirationDate((response
                        .getProperty("PasswordExpirationDate").toString()));
        us.Password = password;
        globalUtil.user = us;
        SetSessionCookie(httpHeaders);
        Log.d(GlobalUtil.TAG_LOG, "Finish calling GetUser()  web service");

    } catch (IOException | XmlPullParserException e1) {
        if(e1!=null)
        {
            Log.e(GlobalUtil.TAG_LOG, e1.getMessage());
             throw e1;
        }
        Log.e(GlobalUtil.TAG_LOG, "Error in Login web service.");
        Log.e(GlobalUtil.TAG_LOG, "requestDump: "
                + httpTransport.requestDump);
        Log.e(GlobalUtil.TAG_LOG, "responseDump: "
                + httpTransport.responseDump);
    }

Answer 1

對你來說可能為時已晚，但我處於類似的情況......

舊版本的 Android（和 1.7 之前的 Java）在 SSL 中（缺少）SNI 存在問題。 據說這已經從 2.3 開始修復，但我相信我已經設法在我的 5.0 Android 模擬器中模仿了這個錯誤。 （可能通過使用自定義套接字上下文工廠。）在瀏覽器中，我可以使用相同的密鑰庫/信任庫訪問 URL，從 Android 我得到 403。

是什么讓我相信確實缺乏服務器名稱指示是原因......

openssl s_client -tls1_2 -connect myhost.domain.com:443 -state -cert client.crt -key client.key -pass pass:******** -CAfile server.cer -servername myhost.domain.com

...最后省略 -servername 參數會導致 403，這正是我的 Android 代碼實現的。 :D