Does Android have issues with 1024-bit certificates?_问答_开发者

Does Android have issues with 1024-bit certificates?

开发者 https://www.devze.com 2023-03-24 02:44 出处：网络

I have run into an issue where Android (versions 3.1 and 2.3.4) throws a: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

I have run into an issue where Android (versions 3.1 and 2.3.4) throws a:

javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

error accessing an RSS server that has a Versign V3 1024-bit certificate (CN = VeriSign Class 3 Secure Server CA - G2). I can access a different server using a Versign V3 2048-bit certificate and it is fine. Does anyone know if Android has issues with the older 1024-bit certficates?

The actual stacktrace looks like this:

08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260): Caused by: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:258)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:164)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:359)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
08-01 08:24:54.390: ER开发者_如何转开发ROR/DownloadRssFeedTask(1260):     at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:80)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:46)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:56)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:451)
08-01 08:24:54.390: ERROR/DownloadRssFeedTask(1260):     ... 10 more

You should have a look at this thread :

1024-bit SSL certificates provider

It looks like it's just too weak to use 1024 bits ssl certificates. I looked at the code from apache harmony but the API seems to be a bit complex (and clumsy to be honest as some fields are modified outside the SSLImpl class), and I couldn't find much more information.

It looks like the best solution would be to ask for a modern 2048 bits x509 certificate form your web hosting provider.

Regards, Stéphane