javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException

最新推荐文章于 2026-04-11 08:30:00 发布
原创 最新推荐文章于 2026-04-11 08:30:00 发布 · 9.2k 阅读 · 7
本文详细分析了HTTPS请求中遇到的SSLHandshakeException异常,指出问题可能源于服务器证书未配置或非正规CA签发。解释了SSL/TLS证书的验证流程,包括TrustManager用于验证证书本身的有效性,而HostnameVerifier则确认证书与请求的域名匹配。同时,介绍了如何自定义TrustManager和HostnameVerifier以忽略证书验证,以及OkHttp中相关方法的使用。最后,讨论了X509证书和信任管理器在HTTPS连接中的作用。

项目中使用的是okhttp,https请求报异常:

     Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
        at org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:230)
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:320)
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:284)
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:169)
        at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:258)
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
        at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:127)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)

是由于Https使用的证书的问题,Https是安全的http请求,请求时需要验证SSL证书。

上述报错的原因有几种情况:
1.https服务器还没有配置SSL证书。
2.https服务器配置的不是正规的CA机构签发的证书,可能是二级代理商等签发的证书,验证不通过造成的。

SSL/TLS证书是需要去专门的CA机构购买的,一般是买一年期的。当然CA机构也提供免费的CA证书,但是有效期一般比较短,比如只有三个月,且安全性不高。

SSL/TLS证书提供商的常见品牌:Symantec、Comodo、GeoTrust、GlobalSign、RapidSSL、DigiCert、GlobalSign等

延伸的思考:

  1. https请求时在握手阶段请求下来的ssl证书存储在哪里?还是说不缓存,只存储在内存中?
  2. 客户端验证证书过程?是将证书发给CA机构进行验证,还是根据证书里的CA机构的签名以及CA机构的公钥进行验证?
  3. 数字证书提供商靠谱吗?
  4. 没有域名只有ip可以使用https请求吗?

在CA机构申请CA证书时填写的是域名,所以,证书里的信息绑定的是域名,跟ip无关,因此ip+端口的形式无法使用https请求,因为证书不能绑定到ip,请求时无法获取到证书?初步理解,有待考证…

AWS也是个CA机构,证书费用每个月3千多美刀,一年3-4万美刀。
阿里云的ssl服务是以代理商的方式,本身不是CA机构,证书费用一年两千多。

解决方案:

解决方案1:

向后台获取最新的ca证书,从后台服务器下载或者存储在app本地都可。

解决方案2:忽略https的证书校验

有时候为了测试需要,可以忽略证书验证。

public class SSLSocketClient {
    //获取这个SSLSocketFactory
    public static SSLSocketFactory getSSLSocketFactory() {
        try {
            SSLContext sslContext = SSLContext.getInstance("SSL");
            sslContext.init(null, getTrustManager(), new SecureRandom());
            return sslContext.getSocketFactory();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
 
    //获取TrustManager
    private static TrustManager[] getTrustManager() {
        TrustManager[] trustAllCerts = new TrustManager[]{
                new X509TrustManager() {
                    @Override
                    public void checkClientTrusted(X509Certificate[] chain, String authType) {
                    }
 
                    @Override
                    public void checkServerTrusted(X509Certificate[] chain, String authType) {
                    }
 
                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        return new X509Certificate[]{};
                    }
                }
        };
        return trustAllCerts;
    }
 
    //获取HostnameVerifier
    public static HostnameVerifier getHostnameVerifier() {
        HostnameVerifier hostnameVerifier = new HostnameVerifier() {
            @Override
            public boolean verify(String s, SSLSession sslSession) {
                return true;
            }
        };
        return hostnameVerifier;
    }
}

使用:

        String url = "https://wwww.baidu.com";
        OkHttpClient okHttpClient = new OkHttpClient()
                .newBuilder()
                .sslSocketFactory(SSLSocketClient.getSSLSocketFactory())//配置
                .hostnameVerifier(SSLSocketClient.getHostnameVerifier())//配置
                .build();
        final Request request = new Request.Builder()
                .url(url)
                .get()
                .build();
        Call call = okHttpClient.newCall(request);
        call.enqueue(new Callback() {[添加链接描述](https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocketFactory.html)
            @Override
            public void onFailure(Call call, IOException e) {
                Log.d(TAG, "onFailure: ");
            }
 
            @Override
            public void onResponse(Call call, Response response) throws IOException {
                Log.d(TAG, "onResponse: " + response.body().string());
            }
        });

OkHttpClient.Builder的sslSocketFactory方法

该方法的官方介绍:

//OkHttpClient.java

	...
 
    /**
     * Sets the socket factory and trust manager used to secure HTTPS connections. If unset, the
     * system defaults will be used.
     *
     * <p>Most applications should not call this method, and instead use the system defaults. Those
     * classes include special optimizations that can be lost if the implementations are decorated.
     *
     * <p>If necessary, you can create and configure the defaults yourself with the following code:
     *
     * <pre>   {@code
     *
     *   TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
     *       TrustManagerFactory.getDefaultAlgorithm());
     *   trustManagerFactory.init((KeyStore) null);
     *   TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
     *   if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
     *     throw new IllegalStateException("Unexpected default trust managers:"
     *         + Arrays.toString(trustManagers));
     *   }
     *   X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
     *
     *   SSLContext sslContext = SSLContext.getInstance("TLS");
     *   sslContext.init(null, new TrustManager[] { trustManager }, null);
     *   SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
     *
     *   OkHttpClient client = new OkHttpClient.Builder()
     *       .sslSocketFactory(sslSocketFactory, trustManager)
     *       .build();
     * }</pre>
     */
    public Builder sslSocketFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager) {
   
   
      if (sslSocketFactory == null) throw new NullPointerException("sslSocketFactory == null");
      if (trustManager == null) throw new NullPointerException("trustManager == null");
      this.sslSocketFactory = sslSocketFactory;
      this.certificateChainCleaner = CertificateChainCleaner.get(trustManager);
      return this;
    }

	...

该方法有两个参数:sslSocketFactory和trustManager。

sslSocketFactory是用于创建SSLSocket的。

trustManager是用于传递给CertificateChainCleaner.get(trustManager);的,是用于构造证书链清洁器CertificateChainCleaner并用于清理证书列表的:

//CertificateChainCleaner.java


/**
 * Computes the effective certificate chain from the raw array returned by Java's built in TLS APIs.
 * Cleaning a chain returns a list of certificates where the first element is {@code chain[0]}, each
 * certificate is signed by the certificate that follows, and the last certificate is a trusted CA
 * certificate.
 *
 * <p>Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
 * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
 * pinning.
 */
public abstract class CertificateChainCleaner {
   
   
  public abstract List<Certificate> clean(List<Certificate><
最低0.47元/天 解锁文章
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternat...
qq_24850045的博客
12-14 4854
问题原因 访问https的网站,没有携带证书 解决方案 一、忽略证书 public RestTemplate dtRestTemplate() { RestTemplate restTemplate = null; try { SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); sslContext.init(null, disableSslCheck(), ne
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative
baiyongliang
11-16 5059
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative 问题挺奇怪的,以前访问都是好好的,今天访问突然就不行了,出现了:出现SSL证书认证失败 ,安裝接口对应的网站证书并不好使,决定在代码层跳出SSL验证 异常显示如下: javax.net.ssl.SSLHandshakeException: java.security.cert.Certificate.
安卓应用开发中 HTTPS 证书验证失败问题详解
最新发布
深山技术宅的博客
04-11 668
文章摘要 本文详细分析了Android应用开发中HTTPS证书验证失败的常见原因及解决方案。主要问题包括自签名证书不受信任、证书过期、证书链不完整、主机名不匹配等,导致OkHttp/Retrofit请求抛出SSLHandshakeException等异常。针对不同场景提供了调试和生产环境的应对策略:开发阶段可临时信任用户证书(仅限Debug版本),内部测试建议配置网络安全文件信任指定证书,生产环境必须采用证书固定等安全措施。文章强调绝对禁止在生产环境跳过证书验证,并提供了openssl检测工具和代码调试方法
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:No subject alternative
weixin_53273474的博客
10-28 2745
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:No subject alternative names present解决方案。
https服务证书错误javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException:
qq_35373269的博客
04-21 5706
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: 情况分析和客户端解决方法
QG
06-14 4299
SSL
SSL证书认证失败javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 解决方法
qq_40315210的博客
10-11 3万+
访问第三方接口传递数据,出现SSL证书认证失败的情况,于是做出了如下解决方案: 1.代码层跳出SSL验证 javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching idcardcert.market.al...
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for
yuerliang的专栏
07-22 1307
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:231) at okhtt.
Android 日常开发 (39)javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException:
ZPCrobot的博客
06-22 3448
前言 运维说服务器证书到期了,更新了证书,结果出现了上述问题。 解决方案 通过排查项目代码,发现之前没有做证书信赖验证。这里先提供一个能解决问题但是不是最佳做法的方案,方便大家快速处理问题 项目使用了okhttp 通过对okhttp的builder添加证书校验 OkHttpClient.Builder builder SSLContext sslContext = SSLContextUtil.getDefaultSLLContext(); if (sslContext != null) {
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor ...
rocrocflying的专栏
10-29 1万+
今天项目升级targetSDK到android 9.0(28)后,下载文件出现了个异常: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. 经分析主要问题原因: 由于项目...
网络请求发生javax.net.ssl.SSLHandshakeException异常的情况
热门推荐
网鱼的栈
05-22 8万+
在使用volley和okhttp的时候,访问https的网站,经常会碰到一个异常就是javax.net.ssl.SSLHandshakeException,大致就是证书相关的异常。发生了好几次。先是怀疑是不是访问的网站是自签名网站,即没有在CA进行认证。一般这种情况下会报的异常是这样的:javax.net.ssl.SSLHandshakeException: java.security.c...
解决 javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException
liangcai_csdn的博客
08-03 1万+
解决 javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.问题 1. 首先创建一个类继承于此类 import java.security.KeyManagementExcept
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException:
MoonLoong的博客
03-30 5万+
因为Https的安全性,现在很多公司的项目开始切换Https,保证信息安全,对于我们程序员而言就是随之而来的适配问题。现在比较火的网络请求框架RxJava + Retrofit + OkHttp ,在我们进行网络请求时,需要区分链接是http还是https,便于进行https的校验。以下是本人遇到的https证书验证造成的问题: 在使用Glide加载图片时,部分图片无法展示,进行Debug发现在...
解决远程调用三方接口:javax.net.ssl.SSLHandshakeException报错
qq_38031730的博客
05-08 1万+
最近在对接腾讯会议API接口,在鉴权完成后开始调用对方的接口,在此过程中出现调用报错:javax.net.ssl.SSLHandshakeException
android版本对tls支持,Android TLS 版本过低造成的问题
weixin_42319865的博客
05-26 2814
8种机械键盘轴体对比本人程序员,要买一个写代码的键盘,请问红轴和茶轴怎么选?由于集成的 SSL 库版本不同,不同 Android 版本的默认 SSL/TLS 版本配置如下表:ProtocolSupported (API Levels)Enabled by default (API Levels)SSLv31–TBD1–22TLSv11+1+TLSv1.120+20+TLSv1.220+20+An...
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: 服务器证书链验证失败
weixin_50003028的博客
02-25 2680
Keytool工具和 java.security.cert.CertificateException异常处理
证书异常导致:javax.net.ssl.SSLHandshakeException: sun.security.validator
记录工作生活中的学习笔记和心得体会
10-08 1万+
程序访问Https地址时报错处理
已解决javax.net.ssl.SSLHandshakeException: SSL握手异常的正确解决方法,亲测有效!!!
小明的Java问道之路
04-03 3万+
已解决javax.net.ssl.SSLHandshakeException: SSL握手异常的正确解决方法,亲测有效!!!
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateNotYetValidException:
阿年的博客
01-14 2893
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateNotYetValidException: NotBefore: Tue Oct 11 17:24:18 CST 2022 CertificateNotYetValidException证书不合法异常
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.securi
weixin_46311652的博客
11-17 2021
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值