问题
I'm writing a small SSL proxy server and keep getting ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:661) from an android app client but not a browser. I did set ssl.CERT_NONE. Here is my test code:
SSLcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
SSLcontext.load_cert_chain('server.crt', 'server.key')
SSLcontext.verify_mode = ssl.CERT_NONE
SSLcontext.check_hostname = False
s = socket.socket()
s.bind(('127.0.0.1', 443))
s.listen(5)
c = s.accept()[0]
c = SSLcontext.wrap_socket(c, server_side = True)
print c.recv(1024)
Is this because of certificate pinning on the android app or I'm doing something wrong ?
回答1:
I did set ssl.CERT_NONE
This does not affect how the client verifies the server certificate at all. The server can not instruct the client to not verify the certificate and it would be a serious security issue if the server could do this.
SSLV3_ALERT_CERTIFICATE_UNKNOWN ... from an android app client but not a browser.
It is unknown what kind of certificate you use here. If this is a self-signed one you have probably added it once as trusted to the browser or added an explicit exception - but you did not do this for the Android app. If this is a certificate issued by a public CA then you are probably missing the chain certificates. Desktop browsers often work around this server side problem while most other clients don't.
来源:https://stackoverflow.com/questions/45978063/unexpected-pyssl-certificate-error