proxyee
proxyee copied to clipboard
monkeyWie
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
An exception 'java.lang.Exception: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown' [enable DEBUG level for full stacktrace] was thrown by a user handler's exceptionCaught() method while handling the following exception: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647) at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582) at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461) at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.lang.Thread.run(Thread.java:748) Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294) at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1275) at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1177) at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1221) at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ... 16 more
楼主,mac电脑下运行代理服务,并且安装了根证书,然后手机也安装了根证书,手机设置代理,访问网络就出现这些问题,请问楼主咋修复了,谢谢回复
是这样的吗?
小米手机手机自带浏览器 以及苹果手机iPhone7测试相同效果啊,例如访问百度网页,会提示不安全,需要信任:Android需要信任,但是一些图片不显示,以及某些页面加载不出来;iOS直接提示不安全
我试了下小米自带浏览器确实有问题,我测试用的夸克浏览器可以用
并且Android 中写了一个demo APP,发送HTTPS网络请求,也出现一样问题啊。这大概是什么原因了,有好的解决方法么,为啥Charles没有出现该问题?
我用Charles抓包也会提示证书不安全啊
对,浏览器也提示证书不安全,但问题是浏览器打开网页时某些元素不显示,应该和这个报错有关系;更重要一点是,我写了一个Android APP demo,发起HTTPS网络请求,Charles能正常请求响应,而这个代理工具下不成功,应该和这个错误有关系啊。
Android 下使用OKHTTP 发起HTTPS请求报以下错误,原因是不是因为以下代码只生成了服务器证书,而没用生成证书链返回给APP端,所以导致APP端验证证书失败呀? /**
- 生成CA服务器证书 */ public static X509Certificate genCACert(String subject, Date caNotBefore, Date caNotAfter, KeyPair keyPair) throws Exception { JcaX509v3CertificateBuilder jv3Builder = new JcaX509v3CertificateBuilder(new X500Name(subject), BigInteger.valueOf(System.currentTimeMillis() + (long) (Math.random() * 10000) + 1000), caNotBefore, caNotAfter, new X500Name(subject), keyPair.getPublic()); jv3Builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); return new JcaX509CertificateConverter().getCertificate(jv3Builder.build(signer)); };
W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. 03-05 19:59:43.702 7843-7913/? W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:355) 03-05 19:59:43.702 7843-7913/? W/System.err: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:318) 03-05 19:59:43.702 7843-7913/? W/System.err: at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:282) 03-05 19:59:43.702 7843-7913/? W/System.err: at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:167)
你用okhttp的话可以设置成信任所有证书,这是生成客户端的CA证书
这是一种不得已的方法呀,但问题是:本工程的原理基本和Charles原理一致,Charles在安装他们自签CA证书下,不用对APP端作代码入侵,就能抓取HTTPS的网络请求,所以本着这个原则下,发现proxyee做不到,会出现以上的bug。 怀疑是不是代理在返回服务器证书时 确实中间证书造成的,因为浏览器走代理弹出不安全提示语与Charles不一样的是——当前网站证书不可信且证书长度为1,可能是服务器没有配置完整的证书链? 还麻烦楼主一起定位下这个问题呀,希望该代理工具抓取HTTPS能做到同Charles一样,不对APP有代码入侵性。
