繞過Google Play的SSL警告

Question

我使用JSOUP連接到許多 https網站。 我使用方法Jsoup.connect（url），但是它拋出異常：

javax.net.ssl.SSLHandshakeException: Certificate not valid or trusted.

因此，我使用此代碼來信任所有cert ssl：

public static void enableSSLSocket() throws KeyManagementException, NoSuchAlgorithmException {
   TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted( java.security.cert.X509Certificate[] certs, String authType ) { }
        public void checkServerTrusted( java.security.cert.X509Certificate[] certs, String authType ) { }
    }
};

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance( "SSL" );
    sc.init( null, trustAllCerts, new java.security.SecureRandom() );
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    HttpsURLConnection.setDefaultHostnameVerifier(
        new HostnameVerifier() {
            public boolean verify(String urlHostName, SSLSession session) {
                return true;
            }
        });
}
catch ( Exception e ) {
    //We can not recover from this exception.
    e.printStackTrace();
}}

但是因為我在上面使用的代碼在play store上有goole警告。

您的應用正在使用帶有Apache HTTP客戶端的X509TrustManager接口的不安全實現，從而導致安全漏洞。 請參閱此Google幫助中心文章以了解詳細信息，包括修復漏洞的截止日期。

如果我添加以下代碼：

 public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    chain[0].checkValidity();
                } catch (Exception e) {
                    throw new CertificateException("Certificate not valid or trusted.");
                }
            }

警告消失了，但是JSOUP無法正常工作，但又出現了同樣的異常。 那么有什么方法可以信任所有SSL並繞過Google警告？ 預先謝謝你。

Answer 1

我找到了解決方案，希望有人需要它：

  public static void trustSSLCertificate(final Activity mActivity, final DownloadPortalTask task){ try { HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, new X509TrustManager[]{new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { chain[0].checkValidity(); } catch (final Exception e) { mActivity.runOnUiThread(new Runnable() { @Override public void run() { AlertDialog.Builder builder = new AlertDialog.Builder(mActivity); AlertDialog alertDialog = builder.create(); alertDialog.setCancelable(false); String message = "There a problem with the security certificate for this web site."; message += "\\nDo you want to continue anyway?"; alertDialog.setTitle("SSL Certificate Error"); alertDialog.setMessage(message); alertDialog.setButton(DialogInterface.BUTTON_POSITIVE, "OK", new DialogInterface.OnClickListener() { @Override public void onClick(DialogInterface dialog, int which) { acceptSSL = true; return; } }); alertDialog.setButton(DialogInterface.BUTTON_NEGATIVE, "Cancel", new DialogInterface.OnClickListener() { @Override public void onClick(DialogInterface dialog, int which) { acceptSSL = true; task.onInterruptedDownload(); } }); alertDialog.show(); } }); while( !acceptSSL){ try{ Thread.sleep(1000); } catch( InterruptedException er) { } } } } public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } }}, new SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory()); } catch (Exception e) { // should never happen e.printStackTrace(); } } 

在調用Jsoup之前先調用此方法。 Google Play上的SSL警告也消失了。