How to trust SSL certificates with cross-signed root expired on android <= 5

十年热恋 提交于 2020-12-31 13:47:33

问题


I work for a company that uses a Comodo/Sectigo SSL certificate. But suddenly our app started throwing this error when sending POST to the server, in versions with android 4 and 5, with Okhttp client.

HTTP FAILED: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Sat May 30 05:48:38 CDT 2020 (compared to Mon Jun 08 23:13:02 CDT 2020)

I tried many StackOverflow solutions, without success. Then I found on the Comodo blog this cross-sign certificates warning

Sectigo at present offers the ability to cross-sign certificates with the AddTrust legacy root to increase support among very old systems and devices. This root is due to expire at the end of May, 2020. Any applications or installations that depend on this cross-signed root must be updated by May, 2020 or run the risk of outage or displayed error message.

I tried a few more things to get my okhttp client to trust the certificate (enabled TLS on Socket, added Modern TLS, TLS Versions and cipher Suites to connection Specs in okhttp builder, adding the cert to the raw resources, also I put a custom SslSocketFactory to the client) but none of this works, always throws me an error related to certificate validity or a handshake exception.

The only thing that has worked for me is to make an unsafe okhttp, but obviously its use in production is not recommended.

The app works fine in android > 5, but we still have some users on android 5 and even 4 who cannot use the app due to this problem. Is there still any way to achieve android <= 5 trust this expired root?

Thanks for your help


回答1:


This should hopefully fix the issue if the the certificates are otherwise valid.

In your build file

  implementation 'org.conscrypt:conscrypt-android:2.5.1'

And activate Conscrypt before your request

import org.conscrypt.Conscrypt


Security.insertProviderAt(Conscrypt.newProvider(), 1)
val client = OkHttpClient.Builder().build()

val request = Request.Builder().url("https://status.datadoghq.com/").build()
client.newCall(request).execute().use { response ->
  println(response.code())
}

If it's still failing after this then you might need to register a custom certificate as well, but test without this first.

https://github.com/square/okhttp/blob/okhttp_3.12.x/samples/guide/src/main/java/okhttp3/recipes/CustomTrust.java



来源:https://stackoverflow.com/questions/62275157/how-to-trust-ssl-certificates-with-cross-signed-root-expired-on-android-5

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!