Problem description
I'm trying to make a connection to an LDAP server in my Android app, and am using the UnboundID SDK. Recently, a change was made from unsecured to secured LDAP, and I have to change the app accordingly. I have been given the SSL certificates file to validate against. I've already used the file to make a keystore as described here. I've got this keystore file in the assets folder of my app, and am pulling from that. The code below does not currently work, and throws the exception:
LDAPException(resultCode=01 (connect error), errorMessage=('An error occurred while attempting to connect to server place.myserver.com:636: javax.net.ssl.SSLHandShakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
// imports needed by the snippets below
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import android.content.res.AssetManager;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;

// code from above link: load the BKS trust store shipped in the app's assets
AssetManager assetManager = getApplicationContext().getAssets();
InputStream keyStoreInputStream = assetManager.open("yourapp.store");
KeyStore trustStore = KeyStore.getInstance("BKS");
trustStore.load(keyStoreInputStream, "myPassword".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
// my code: hand the trust managers built from that store to the UnboundID SSL helper
SSLUtil sslUtil = new SSLUtil(tmf.getTrustManagers());
LDAPConnection connection = new LDAPConnection(sslUtil.createSSLSocketFactory());
connection.connect("place.myserver.com", 636);
However, this snippet:
SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
LDAPConnection connection = new LDAPConnection(sslUtil.createSSLSocketFactory());
connection.connect("place.myserver.com", 636);
does work (although I was informed by the higher-ups that this would be insecure). I'm not quite sure as to what exactly I'm doing wrong here, so any help would be appreciated. Also, if there is a better way of accomplishing this than what I'm attempting to do above, feel free to let me know :) I would like to stick with the UnboundID library though, since the rest of the code is already written using that as well, and everything works if I use the TrustAllTrustManager.
Recommended answer
It's true that the trust all trust manager isn't secure. It's convenient for testing purposes, but it will allow a bad guy to set up his own server with a certificate he generates for himself and use it to impersonate the real server, or to operate as a man in the middle, intercepting and potentially alerting any communication between the client and the real server. With a more strict trust manager in place, the client should reject the bogus certificate that the fake server will present.
Unfortunately, though, it looks like the trust manager you're trying to use in this case doesn't like the certificate that your server is presenting to it. Because the trust all trust manager allows you to establish the connection, that means that your server does have a certificate and is capable of performing SSL communication, but there's something about that certificate that your trust manager doesn't like. It's almost certainly not an issue with the LDAP SDK, since the same problem should arise with any other LDAP API if you're using the same trust store.
If you look at the result, it has a message of "Trust anchor for certification path not found". This implies that neither the certificate the server is using nor those of any of its issuers was found in the trust store. You'll need to import the server certificate (or the certificate of one of its issuers) into the trust store that you're using. It sounds like you've tried to do that, but since it's not working then something must not be quite right with the way it was done. I'd recommend working with the directory server administrator to ensure that you're trying to import the right certificate based on the server configuration.
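A diagnostic that makes the answer's point concrete, added here as an example and not part of the original question or answer: it lists what the BKS trust store actually contains, records the chain the server presents (the recording trust manager rejects every chain, so this handshake never completes), and then asks a trust manager built from the store whether that chain is acceptable, which is the same check the app's connection performs. Host, port, store name and password are the question's placeholders; the BKS type assumes Android's provider, and on Android this must run off the main thread.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.*;

public final class TrustStoreDiagnostic {

    // Load the BKS store and print each trusted certificate's subject, so a mismatch
    // between what was imported and what the server uses is visible immediately.
    static KeyStore loadAndList(InputStream in, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("BKS");
        ks.load(in, pin);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.println(alias + " -> " + ((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal());
        }
        return ks;
    }

    // Capture the chain the server presents during a handshake. The trust manager
    // records the chain and then throws, so nothing is ever trusted on this socket.
    static X509Certificate[] fetchServerChain(String host, int port) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("diagnostic only"); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { seen[0] = c; throw new CertificateException("diagnostic only"); }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        } catch (SSLException expected) { /* aborted by the recorder */ }
        return seen[0];
    }

    // Run the app's own trust decision against the captured chain and explain the verdict.
    static String explain(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "RSA");
            return "trusted: " + chain[0].getSubjectX500Principal();
        } catch (CertificateException e) {
            return "NOT trusted (" + e.getMessage() + "); leaf=" + chain[0].getSubjectX500Principal()
                 + " top issuer=" + chain[chain.length - 1].getIssuerX500Principal() + " must be in the store";
        }
    }
}
```

Compare the "top issuer" line with the aliases printed by loadAndList: if that issuer (or the leaf itself) is absent, the wrong certificate was imported, which is the situation the answer describes.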