Android 这个HTTPS连接安全吗?
我正在寻找一种使用Https和自签名证书从服务器端检索数据的方法。就这个问题: 布莱恩·雅格回答我的问题: EasySslocketFactory:Android 这个HTTPS连接安全吗?,android,security,ssl,https,httpclient,Android,Security,Ssl,Https,Httpclient,我正在寻找一种使用Https和自签名证书从服务器端检索数据的方法。就这个问题: 布莱恩·雅格回答我的问题: EasySslocketFactory: public class EasySSLSocketFactory implements SocketFactory, LayeredSocketFactory { private SSLContext sslcontext = null; private static SSLContext createEasySSLContext() th
public class EasySSLSocketFactory implements SocketFactory, LayeredSocketFactory {
private SSLContext sslcontext = null;
private static SSLContext createEasySSLContext() throws IOException {
try {
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new TrustManager[] { new EasyX509TrustManager(null) }, null);
return context;
} catch (Exception e) {
throw new IOException(e.getMessage());
}
}
private SSLContext getSSLContext() throws IOException {
if (this.sslcontext == null) {
this.sslcontext = createEasySSLContext();
}
return this.sslcontext;
}
/**
* @see org.apache.http.conn.scheme.SocketFactory#connectSocket(java.net.Socket, java.lang.String, int,
* java.net.InetAddress, int, org.apache.http.params.HttpParams)
*/
public Socket connectSocket(Socket sock, String host, int port, InetAddress localAddress, int localPort,
HttpParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
int connTimeout = HttpConnectionParams.getConnectionTimeout(params);
int soTimeout = HttpConnectionParams.getSoTimeout(params);
InetSocketAddress remoteAddress = new InetSocketAddress(host, port);
SSLSocket sslsock = (SSLSocket) ((sock != null) ? sock : createSocket());
if ((localAddress != null) || (localPort > 0)) {
// we need to bind explicitly
if (localPort < 0) {
localPort = 0; // indicates "any"
}
InetSocketAddress isa = new InetSocketAddress(localAddress, localPort);
sslsock.bind(isa);
}
sslsock.connect(remoteAddress, connTimeout);
sslsock.setSoTimeout(soTimeout);
return sslsock;
}
/**
* @see org.apache.http.conn.scheme.SocketFactory#createSocket()
*/
public Socket createSocket() throws IOException {
return getSSLContext().getSocketFactory().createSocket();
}
/**
* @see org.apache.http.conn.scheme.SocketFactory#isSecure(java.net.Socket)
*/
public boolean isSecure(Socket socket) throws IllegalArgumentException {
return true;
}
/**
* @see org.apache.http.conn.scheme.LayeredSocketFactory#createSocket(java.net.Socket, java.lang.String, int,
* boolean)
*/
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException,
UnknownHostException {
return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
}
// -------------------------------------------------------------------
// javadoc in org.apache.http.conn.scheme.SocketFactory says :
// Both Object.equals() and Object.hashCode() must be overridden
// for the correct operation of some connection managers
// -------------------------------------------------------------------
public boolean equals(Object obj) {
return ((obj != null) && obj.getClass().equals(EasySSLSocketFactory.class));
}
public int hashCode() {
return EasySSLSocketFactory.class.hashCode();
}
}
public class EasyX509TrustManager implements X509TrustManager {
private X509TrustManager standardTrustManager = null;
/**
* Constructor for EasyX509TrustManager.
*/
public EasyX509TrustManager(KeyStore keystore) throws NoSuchAlgorithmException, KeyStoreException {
super();
TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
factory.init(keystore);
TrustManager[] trustmanagers = factory.getTrustManagers();
if (trustmanagers.length == 0) {
throw new NoSuchAlgorithmException("no trust manager found");
}
this.standardTrustManager = (X509TrustManager) trustmanagers[0];
}
/**
* @see javax.net.ssl.X509TrustManager#checkClientTrusted(X509Certificate[],String authType)
*/
public void checkClientTrusted(X509Certificate[] certificates, String authType) throws CertificateException {
standardTrustManager.checkClientTrusted(certificates, authType);
}
/**
* @see javax.net.ssl.X509TrustManager#checkServerTrusted(X509Certificate[],String authType)
*/
public void checkServerTrusted(X509Certificate[] certificates, String authType) throws CertificateException {
if ((certificates != null) && (certificates.length == 1)) {
certificates[0].checkValidity();
} else {
standardTrustManager.checkServerTrusted(certificates, authType);
}
}
/**
* @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
*/
public X509Certificate[] getAcceptedIssuers() {
return this.standardTrustManager.getAcceptedIssuers();
}
}
我添加了这个方法:getNewHttpClient()
最后,对于我代码中的每个地方:
DefaultHttpClient client = new DefaultHttpClient();
我将其替换为:
HttpClient client = getNewHttpClient();
我现在可以从服务器端接收数据了
问题是:我所做的是安全的吗?或者它接受任何自签名证书?如果是这种情况,应该采取什么措施来改变它
任何帮助都将不胜感激。您可以捕获数据包并检查读取数据包,如果连接是安全的,那么数据包将以编码格式出现。否则,您可以让解码器插件读取数据包。具有该信任管理器的对等方可能不安全。要检查提供自签名证书的服务器是否可信,您所做的只是检查证书的有效性。这是不够的。您对中间人攻击开放。您是否尝试使用自签名证书?您的意思是什么?我对https连接几乎没有经验。使用这段代码,我能够从使用https URL的自签名证书的服务器端连接和检索数据。这是一个编程问题。这不是离题。我被禁的原因(几乎)是一样的:我不知道。我可以认识到我的问题不是最好的,也许看起来它们没有显示出令人难以置信的研究成果。你知道为什么吗?因为我不是专家,我来这里是为了提问和学习。但别再抱怨了。。。我已经吸取了教训,我正在尽我最大的努力去解开束缚,但当不可思议的人回答我能在10秒钟内回答的问题时,这并不容易。你的分数很高,所以在这里发布问题之前说10次想10次可能是没有用的。ps当然我可以尝试回答问题专家的答案,但需要10秒钟多一点:对不起,如果我不清楚:)你能提供一些代码片段吗?因为我不知道这是怎么做到的,这既不必要也不充分。问题不在于它是否加密。问题是它是否安全。这不是一回事-1.@EmilAdz最好的方法是在给定的机器上获取tcpdumo,获取转储后,使用wireshark打开此文件并检查hopeit帮助。请解释一下,要使其成为安全连接并避免中间主攻击,需要采取哪些步骤?非常欢迎使用代码片段或进一步阅读材料,因为我对这些安全内容一无所知。(1)如果安全管理器出现问题,请将其清除;(2)采取脱机步骤导入任何受信任的自签名证书。您所说的:“(2)采取脱机步骤导入任何受信任的自签名证书”是什么意思,我应该直接在我的应用程序资源目录中导入服务器证书,并在调用服务器端时检查它们是否匹配?将自签名证书导入客户端的信任库。就这样。JSSE将完成其余的工作。好的,我将尝试实现它,如果它有效的话,我将接受你的答案。
HttpClient client = getNewHttpClient();