Disable SSL certificate check in retrofit library
I am using retrofit in android to connect with server.
public class ApiClient {
public static final String BASE_URL = \"https://example.com/\";
priva
-
IMO, you can read Google's documentation - Security with HTTPS and SSL.
About sample code to use Retrofit with your self-signed certificate, please try the following, hope it helps!
... @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); try{ OkHttpClient client = new OkHttpClient.Builder() .sslSocketFactory(getSSLSocketFactory()) .hostnameVerifier(getHostnameVerifier()) .build(); Retrofit retrofit = new Retrofit.Builder() .baseUrl(API_URL_BASE) .addConverterFactory(GsonConverterFactory.create()) .client(client) .build(); WebAPIService service = retrofit.create(WebAPIService.class); Call<JsonObject> jsonObjectCall = service.getData(...); ... } catch (Exception e) { e.printStackTrace(); } } // for SSL... // Read more at https://developer.android.com/training/articles/security-ssl.html#CommonHostnameProbs private HostnameVerifier getHostnameVerifier() { return new HostnameVerifier() { @Override public boolean verify(String hostname, SSLSession session) { return true; // verify always returns true, which could cause insecure network traffic due to trusting TLS/SSL server certificates for wrong hostnames //HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier(); //return hv.verify("localhost", session); } }; } private TrustManager[] getWrappedTrustManagers(TrustManager[] trustManagers) { final X509TrustManager originalTrustManager = (X509TrustManager) trustManagers[0]; return new TrustManager[]{ new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return originalTrustManager.getAcceptedIssuers(); } public void checkClientTrusted(X509Certificate[] certs, String authType) { try { if (certs != null && certs.length > 0){ certs[0].checkValidity(); } else { originalTrustManager.checkClientTrusted(certs, authType); } } catch (CertificateException e) { Log.w("checkClientTrusted", e.toString()); } } public void checkServerTrusted(X509Certificate[] certs, String authType) { try { if (certs != null && certs.length > 0){ certs[0].checkValidity(); } else { originalTrustManager.checkServerTrusted(certs, authType); } } catch (CertificateException e) { Log.w("checkServerTrusted", e.toString()); } } } }; } private SSLSocketFactory getSSLSocketFactory() throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException, KeyManagementException { CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = getResources().openRawResource(R.raw.your_cert); // File path: app\src\main\res\raw\your_cert.cer Certificate ca = cf.generateCertificate(caInput); caInput.close(); KeyStore keyStore = KeyStore.getInstance("BKS"); keyStore.load(null, null); keyStore.setCertificateEntry("ca", ca); String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); TrustManager[] wrappedTrustManagers = getWrappedTrustManagers(tmf.getTrustManagers()); SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, wrappedTrustManagers, null); return sslContext.getSocketFactory(); } ...讨论(0) -
The syntax has changed a little since Hitesh Sahu's answer was posted. Now you can use lambdas for some of the methods, remove some throw clauses and chain builder method invocations.
private static OkHttpClient createOkHttpClient() { try { final TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { @Override public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {} @Override public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {} @Override public java.security.cert.X509Certificate[] getAcceptedIssuers() { return new java.security.cert.X509Certificate[]{}; } } }; final SSLContext sslContext = SSLContext.getInstance("SSL"); sslContext.init(null, trustAllCerts, new java.security.SecureRandom()); return new OkHttpClient.Builder() .sslSocketFactory(sslContext.getSocketFactory()) .hostnameVerifier((hostname, session) -> true) .build(); } catch (Exception e) { throw new RuntimeException(e); } }讨论(0) -
In my case I solved like this with kotlin:
object Instance { private const val BASE_URL: String = "https://base_url/" val service: Service by lazy { Retrofit .Builder() .baseUrl(BASE_URL) .client(getUnsafeOkHttpClient()) .build().create(Service::class.java) } private fun getUnsafeOkHttpClient(): OkHttpClient? { return try { // Create a trust manager that does not validate certificate chains val trustAllCerts = arrayOf<TrustManager>( object : X509TrustManager { @Throws(CertificateException::class) override fun checkClientTrusted( chain: Array<X509Certificate?>?, authType: String? ) { } @Throws(CertificateException::class) override fun checkServerTrusted( chain: Array<X509Certificate?>?, authType: String? ) { } override fun getAcceptedIssuers(): Array<X509Certificate?>? { return arrayOf() } } ) // Install the all-trusting trust manager val sslContext = SSLContext.getInstance("SSL") sslContext.init(null, trustAllCerts, SecureRandom()) // Create an ssl socket factory with our all-trusting manager val sslSocketFactory = sslContext.socketFactory val trustManagerFactory: TrustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()) trustManagerFactory.init(null as KeyStore?) val trustManagers: Array<TrustManager> = trustManagerFactory.trustManagers check(!(trustManagers.size != 1 || trustManagers[0] !is X509TrustManager)) { "Unexpected default trust managers:" + trustManagers.contentToString() } val trustManager = trustManagers[0] as X509TrustManager val builder = OkHttpClient.Builder() builder.sslSocketFactory(sslSocketFactory, trustManager) builder.hostnameVerifier(HostnameVerifier { _, _ -> true }) builder.build() } catch (e: Exception) { throw RuntimeException(e) } } }讨论(0) -
I tried @whirlwin's solution on this page but that didn't work with java 9+. Some small changes resulted in this:
private static OkHttpClient createTrustingOkHttpClient() { try { X509TrustManager x509TrustManager = new X509TrustManager() { @Override public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {} @Override public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {} @Override public java.security.cert.X509Certificate[] getAcceptedIssuers() { return new java.security.cert.X509Certificate[]{}; } }; final TrustManager[] trustAllCerts = new TrustManager[] { x509TrustManager }; final SSLContext sslContext = SSLContext.getInstance("SSL"); sslContext.init(null, trustAllCerts, new java.security.SecureRandom()); return new OkHttpClient.Builder() .sslSocketFactory(sslContext.getSocketFactory(), x509TrustManager) .hostnameVerifier((hostname, session) -> true) .build(); } catch (Exception e) { throw new RuntimeException(e); } }And this worked for me as you can imagine. Happy days! Still, be careful when using this.
讨论(0) -
Implementation of such workaround in code, even for testing purposes is a bad practice.
You can:
- Generate your CA.
- Sign your certificate with CA.
- Add your CA as trusted.
Some links that may be useful:
https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html
http://wiki.cacert.org/FAQ/ImportRootCert
讨论(0) -
I strongly discourage doing this
Short answer - subclass HostNameVerifier, over-ride verify() to always return true.
This has better options
Long answer - check my (getting pretty old) blog here: Making Android and SSL Work Together
Maybe the best option for your scenario
Drop the https to http for your test server, then the logic doesn't have to change.
HTH
讨论(0)
加载中...
- 热议问题