问题描述
我正在尝试使用内置浏览器从 Android 2.3.4 访问受 SSL 保护的 Web 应用程序.
I am trying to access my web application protected by SSL from an Android 2.3.4 using the built-in browser.
服务器证书是我使用 MAKECERT 创建并安装在服务器上的自签名证书.当我尝试访问该页面时,我从浏览器收到一条错误消息,指出 站点名称与证书上的名称不匹配.
The server certificate is a self-signed certificate I created using MAKECERT and installed on the server.
When I try to access the page, I get an error message from the browser stating The name of the site does not match name on the certificate.
我已经验证并且服务器地址与我的证书的公用名完全匹配(它实际上只是一个 IP 地址).
I have verified and the server address is exactly maching the Common Name of my certificate (it is actually just an IP address).
当我尝试在 Android 设备上访问使用非自签名证书保护的其他网站时,该消息未弹出.
The message does not pop up when I try to access, on the Android device, other websites secured with not self signed certificates.
如果我在桌面上使用 IE 或 Chrome 访问同一页面 - 除了签名机构消息 - 我不会收到任何警告,并且一旦我在受信任的根 CA 中安装了证书,浏览器就会顺利接受证书.
If I access the same page using IE or Chrome on a desktop - apart for the signing authority message - I get no warnings and, once I have installed the certificate in the Trusted Root CA, the certificate is smoothly accepted by the browser.
我是否应该认为该消息实际上是 Android 拒绝自签名证书?
Should I take it that the message is actually a rejection of self signed certificate by Android?
对此我有些疑惑.
我尝试在凭据存储中安装证书,但这并没有改善这种情况.现在我不知道接下来我会尝试什么.
I tried to install the certificate in the Credential Storage but that does not improve the situation. and now I have no clue what I might try next.
问题是:在创建 Android 可接受的自签名证书时,我应该遵循什么特殊的要求吗?有没有人设法在没有此警告的情况下获得 Android 接受的自签名证书?
Questions are: Is there any particular thing I should follow creating a self-signed certificate acceptable for Android? has anyone managed to get the self-signed certs accepted by Android without this warning?
我还能尝试什么?
-更新-Bruno 的回复将我引向了正确的方向,因此我设法向前迈出了一步:我重新制作了添加 SAN 的证书(不得不放弃 MAKECERT for OpenSSL,遵循 Andy Arismendi 的说明).
-UPDATE-
Bruno's reply steered me in the right direction, so I managed to do one step forward: I remade the certificate adding SAN (had to abandon MAKECERT for OpenSSL, following there instructions from Andy Arismendi).
现在消息已经消失,但我在已经讨论过的证书授权不受信任"问题中被阻止 in this SO post,所以我仍在努力为我的问题找到最终解决方案 - Android 浏览器上没有弹出任何警告.
Now the message has gone but I am blocked in the 'certification autority not trusted' issue already discussed in this SO post, so I am still working to find a final solution to my issue - not having any warning popping up on the Android browser.
推荐答案
我已验证,服务器地址与通用地址完全一致我的证书名称(实际上只是一个 IP 地址).
I have verified and the server address is exactly maching the Common Name of my certificate (it is actually just an IP address).
Android 的主机名验证器更严格地符合 RFC 2818比一些浏览器.根据规范,如果使用 IP 地址,则必须在 IP 地址 类型的 Subject Alternative Name 条目中:而不是 DNS 类型的 SAN 条目或 CN:
Android's host name verifier is more strictly compliant with RFC 2818 than some browsers. According to the specification, if an IP address is used, it must be in a Subject Alternative Name entry of IP address type: not on a SAN entry of DNS type or in the CN:
如果存在 dNSName 类型的 subjectAltName 扩展,则必须将其用作身份.否则,(最具体的)Common必须使用证书主题字段中的名称字段.虽然使用通用名称是现有的做法,但它是已弃用,并鼓励证书颁发机构使用改为 dNSName.
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
[...]
在某些情况下,URI 被指定为 IP 地址而不是主机名.在这种情况下,iPAddress subjectAltName 必须存在在证书中,并且必须与 URI 中的 IP 完全匹配.
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
最简单的方法是使用主机名.(在证书中使用 IP 地址永远不会真正实用.)或者,生成带有 SAN IP 地址条目的证书.(您可能对这个感兴趣.)
The easiest would be to use a host name. (Using IP addresses in certificates is never really practical.) Alternatively, generate a certificate with a SAN IP address entry. (You may be interested in this.)
这篇关于错误:Android 上自签名 SSL 证书的名称不匹配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!