【Question Title】: SSL Warning from google play
【Posted】: 2015-12-22 21:32:07
【Question】:

Received a warning from Google Play.

How do I handle the "SSL Error Handler vulnerability" for an insecure implementation of the WebViewClient.onReceivedSslError handler?

"Please address this vulnerability as soon as possible and increment the version number of the upgraded APK. To properly handle SSL certificate validation, change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise."

【Discussion】:

Tags: android ssl webview google-play android-security
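
Google's message asks for proceed() only when the certificate presented by the server meets the app's expectations, and cancel() in every other case. The following is an added example, not code from the question or from any of the answers below: a WebViewClient that pins the leaf certificate of one internal host served by a private CA and makes the decision in code, without prompting the user. The host name, the pin value and the class name are assumptions for illustration.

```java
import android.net.Uri;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.util.Base64;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not from the original page): proceed() is called only when the
 * WebView reports SSL_UNTRUSTED for the one host we expect and the leaf certificate
 * is exactly the one pinned here. Every other error, host or certificate is cancelled,
 * which is also what the default WebViewClient does unconditionally.
 */
public class PinnedWebViewClient extends WebViewClient {

    // Assumed values for illustration: the internal host served by a private CA and the
    // SHA-256 of its DER-encoded leaf certificate, Base64 encoded. Compute the pin with:
    //   openssl x509 -in leaf.pem -outform DER | openssl dgst -sha256 -binary | base64
    static final String PINNED_HOST = "internal.example.com";
    static final String PINNED_LEAF_SHA256_B64 = "REPLACE_WITH_BASE64_SHA256_OF_LEAF_DER";

    // Any of these flags makes the certificate unacceptable regardless of the pin.
    private static final int[] FATAL_ERRORS = {
            SslError.SSL_EXPIRED, SslError.SSL_NOTYETVALID, SslError.SSL_DATE_INVALID,
            SslError.SSL_IDMISMATCH, SslError.SSL_INVALID,
    };

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (matchesPin(error)) {
            handler.proceed();
        } else {
            handler.cancel();
        }
    }

    /** True only for an untrusted-issuer error on the pinned host with the pinned leaf. */
    static boolean matchesPin(SslError error) {
        // 1. The only acceptable condition is "issuer not in the device trust store".
        //    getPrimaryError() reports the most severe flag; hasError() exposes each flag,
        //    so a certificate that is both untrusted and expired is rejected here.
        if (error.getPrimaryError() != SslError.SSL_UNTRUSTED) return false;
        for (int fatal : FATAL_ERRORS) {
            if (error.hasError(fatal)) return false;
        }

        // 2. The error must concern the host we pinned, not a third-party resource the
        //    page happens to load (getHost() may be null; equalsIgnoreCase handles that).
        String host = Uri.parse(error.getUrl()).getHost();
        if (!PINNED_HOST.equalsIgnoreCase(host)) return false;

        // 3. Compare the SHA-256 of the DER-encoded leaf against the pin in constant time.
        byte[] der = leafDer(error.getCertificate());
        if (der == null) return false;
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(der);
            byte[] expected = Base64.decode(PINNED_LEAF_SHA256_B64, Base64.DEFAULT);
            return MessageDigest.isEqual(actual, expected);
        } catch (NoSuchAlgorithmException | IllegalArgumentException e) {
            return false; // no SHA-256 provider or malformed pin: fail closed
        }
    }

    /**
     * SslCertificate.saveState() stores the DER bytes under "x509-certificate" on every
     * API level; SslCertificate.getX509Certificate() is public only from API 29.
     */
    static byte[] leafDer(SslCertificate certificate) {
        if (certificate == null) return null;
        Bundle state = SslCertificate.saveState(certificate);
        return state == null ? null : state.getByteArray("x509-certificate");
    }
}
```

Pinning the leaf means every certificate rotation needs an app update; pinning the private CA instead is looser but then the CA's signing key becomes the thing you trust. On API 24 and later the cleaner route for a private CA is to declare it as a trust anchor in the Network Security Config and not override onReceivedSslError at all, and for hosts with publicly trusted certificates the override should be absent too, since the default implementation already cancels.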


【Solution 1】:

Hi, this is the latest solution to your problem. Hope it helps someone:

// Copy and paste this code and delete the onReceivedError() method.

    import android.app.AlertDialog;
    import android.content.DialogInterface;
    import android.net.http.SslError;
    import android.webkit.SslErrorHandler;
    import android.webkit.WebView;
    import android.webkit.WebViewClient;

    // Goes inside the WebViewClient set on the WebView of the OnlinePayment activity,
    // e.g. webView.setWebViewClient(new WebViewClient() { ... });

    /**
     * Notify the host application that an SSL error occurred while loading a
     * resource. The host application must call either handler.cancel() or
     * handler.proceed(). Note that the decision may be retained for use in
     * response to future SSL errors. The default behavior is to cancel the
     * load.
     *
     * @param view    The WebView that is initiating the callback.
     * @param handler An SslErrorHandler object that will handle the user's
     *                response.
     * @param error   The SSL error object.
     */
    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // Describe the most severe error reported for this certificate to the user.
        String msg;
        switch (error.getPrimaryError()) {
            case SslError.SSL_DATE_INVALID:
                msg = "The date of the certificate is invalid";
                break;
            case SslError.SSL_INVALID:
                msg = "A generic error occurred";
                break;
            case SslError.SSL_EXPIRED:
                msg = "The certificate has expired";
                break;
            case SslError.SSL_IDMISMATCH:
                msg = "Hostname mismatch";
                break;
            case SslError.SSL_NOTYETVALID:
                msg = "The certificate is not yet valid";
                break;
            case SslError.SSL_UNTRUSTED:
                msg = "The certificate authority is not trusted";
                break;
            default:
                msg = "An SSL error occurred";
                break;
        }
        // Let the user decide: proceed() accepts the certificate for this load (and the
        // WebView may remember that choice), cancel() aborts it, which is also the default.
        final AlertDialog.Builder builder = new AlertDialog.Builder(OnlinePayment.this);
        builder.setMessage(msg);
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed();
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel();
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }

【Discussion】:

【Solution 2】:

If you don't need to handle anything in onReceivedSslError(WebView, SslErrorHandler, SslError), just remove the method to avoid the Google Play warning. Otherwise, you should not proceed directly either. Here is the example from @sakiM, Webview avoid security alert from google play upon implementation of onReceivedSslError

    import android.app.AlertDialog;
    import android.content.DialogInterface;
    import android.net.http.SslError;
    import android.webkit.SslErrorHandler;
    import android.webkit.WebView;

    @Override
    public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        // The original passed "this", which is only a Context when this method is declared
        // directly inside an Activity; view.getContext() works from any WebViewClient.
        final AlertDialog.Builder builder = new AlertDialog.Builder(view.getContext());
        // notification_error_ssl_cert_invalid is a string resource defined by the app.
        builder.setMessage(R.string.notification_error_ssl_cert_invalid);
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed(); // user accepted the certificate
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel(); // abort the load (the default behaviour)
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }
    

If the onReceivedSslError method is being called by a third-party library, contact the provider.

【Discussion】:

【Solution 3】:

You should first check whether you are using the WebViewClient.onReceivedSslError handler correctly.

If you are not using the WebViewClient library, or you are already using it correctly, the problem probably comes from a third-party library. You can start by running this Linux command in the root directory of your project to determine which libraries may be causing the problem:

    find . -name '*.jar' -exec zipgrep -i onreceivedsslerror {} \;


This lists, across all jar files, the files that contain the string "OnReceivedSslError".

After that, you can check whether each matching file follows Google's recommendation for handling the vulnerability.

【Discussion】:

【Solution 4】:

This may be because a third-party library used in your application includes OpenSSL. That was the case for me. The library was mentioned in the Google Play alert. I used the following grep command to check for that library:

    $ unzip -p YourApp.apk | strings | grep "OpenSSL"


If there is an OpenSSL issue because of that library, this command shows a very long output.

        +com.android.org.conscrypt.OpenSSLSocketImpl
        7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
        OpenSSLDie
        DH_OpenSSL
        OpenSSL_add_all_ciphers
        OpenSSL_add_all_digests
        DSA_OpenSSL
        ECDSA_OpenSSL
        ECDH_OpenSSL
        UI_OpenSSL
        OpenSSL/%lx.%lx.%lx%s
        OpenSSL 1.0.1h 5 Jun 2014
        %s(%d): OpenSSL internal error, assertion failed: %s
        OpenSSL DH Method
        OpenSSL CMAC method
        OpenSSL HMAC method
        OpenSSL EC algorithm
        OpenSSL RSA method
        OpenSSL DSA method
        OpenSSL ECDSA method
        OpenSSL PKCS#3 DH method
        OpenSSL ECDH method
        You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
        OpenSSL default
        OpenSSL default user interface
        OpenSSL 'dlfcn' shared library method
        SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
        SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
        TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
        DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
        MD4 part of OpenSSL 1.0.1h 5 Jun 2014
        MD5 part of OpenSSL 1.0.1h 5 Jun 2014
        SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
        SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
        SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
        DES part of OpenSSL 1.0.1h 5 Jun 2014
        libdes part of OpenSSL 1.0.1h 5 Jun 2014
        AES part of OpenSSL 1.0.1h 5 Jun 2014
        Big Number part of OpenSSL 1.0.1h 5 Jun 2014
        ^RSA part of OpenSSL 1.0.1h 5 Jun 2014
        Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
        Stack part of OpenSSL 1.0.1h 5 Jun 2014
        lhash part of OpenSSL 1.0.1h 5 Jun 2014
        EVP part of OpenSSL 1.0.1h 5 Jun 2014
        ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
        PEM part of OpenSSL 1.0.1h 5 Jun 2014
        X.509 part of OpenSSL 1.0.1h 5 Jun 2014
        RC2 part of OpenSSL 1.0.1h 5 Jun 2014
        IDEA part of OpenSSL 1.0.1h 5 Jun 2014
        CAMELLIA part of OpenSSL 1.0.1h 5 Jun 2014
        EDSA part of OpenSSL 1.0.1h 5 Jun 2014
        ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
        ECDH part of OpenSSL 1.0.1h 5 Jun 2014
        RAND part of OpenSSL 1.0.1h 5 Jun 2014
        CONF part of OpenSSL 1.0.1h 5 Jun 2014
        CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
        TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
        SHA part of OpenSSL 1.0.1h 5 Jun 2014
        RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
        RC4 part of OpenSSL 1.0.1h 5 Jun 2014
        :Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
        \CAST part of OpenSSL 1.0.1h 5 Jun 2014
        OpenSSLDie
        DH_OpenSSL
        OpenSSL_add_all_ciphers
        OpenSSL_add_all_digests
        DSA_OpenSSL
        ECDSA_OpenSSL
        ECDH_OpenSSL
        UI_OpenSSL
        %s(%d): OpenSSL internal error, assertion failed: %s
        You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
        OpenSSL default user interface
        OpenSSL 'dlfcn' shared library method
        OpenSSL/%lx.%lx.%lx%s
        OpenSSL 1.0.1h 5 Jun 2014
        OpenSSL DH Method
        OpenSSL CMAC method
        OpenSSL HMAC method
        OpenSSL EC algorithm
        OpenSSL RSA method
        OpenSSL DSA method
        OpenSSL ECDSA method
        OpenSSL PKCS#3 DH method
        OpenSSL ECDH method
        OpenSSL default
        SSLv2 part of OpenSSL 1.0.1h 5 Jun 2014
        SSLv3 part of OpenSSL 1.0.1h 5 Jun 2014
        TLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
        DTLSv1 part of OpenSSL 1.0.1h 5 Jun 2014
        MD4 part of OpenSSL 1.0.1h 5 Jun 2014
        MD5 part of OpenSSL 1.0.1h 5 Jun 2014
        SHA1 part of OpenSSL 1.0.1h 5 Jun 2014
        SHA-256 part of OpenSSL 1.0.1h 5 Jun 2014
        SHA-512 part of OpenSSL 1.0.1h 5 Jun 2014
        DES part of OpenSSL 1.0.1h 5 Jun 2014
        libdes part of OpenSSL 1.0.1h 5 Jun 2014
        AES part of OpenSSL 1.0.1h 5 Jun 2014
        Big Number part of OpenSSL 1.0.1h 5 Jun 2014
        ^RSA part of OpenSSL 1.0.1h 5 Jun 2014
        Diffie-Hellman part of OpenSSL 1.0.1h 5 Jun 2014
        Stack part of OpenSSL 1.0.1h 5 Jun 2014
        lhash part of OpenSSL 1.0.1h 5 Jun 2014
        EVP part of OpenSSL 1.0.1h 5 Jun 2014
        ASN.1 part of OpenSSL 1.0.1h 5 Jun 2014
        PEM part of OpenSSL 1.0.1h 5 Jun 2014
        X.509 part of OpenSSL 1.0.1h 5 Jun 2014
        RC2 part of OpenSSL 1.0.1h 5 Jun 2014
        IDEA part of OpenSSL 1.0.1h 5 Jun 2014
        DSA part of OpenSSL 1.0.1h 5 Jun 2014
        ECDSA part of OpenSSL 1.0.1h 5 Jun 2014
        ECDH part of OpenSSL 1.0.1h 5 Jun 2014
        RAND part of OpenSSL 1.0.1h 5 Jun 2014
        CONF part of OpenSSL 1.0.1h 5 Jun 2014
        CONF_def part of OpenSSL 1.0.1h 5 Jun 2014
        TXT_DB part of OpenSSL 1.0.1h 5 Jun 2014
        SHA part of OpenSSL 1.0.1h 5 Jun 2014
        RIPE-MD160 part of OpenSSL 1.0.1h 5 Jun 2014
        Blowfish part of OpenSSL 1.0.1h 5 Jun 2014
        \CAST part of OpenSSL 1.0.1h 5 Jun 2014
        

Try the same command on another apk that does not use the library. It will only show two lines like the following

        +com.android.org.conscrypt.OpenSSLSocketImpl
        7org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl
        

【Discussion】:

• The alert talks about an insecure onReceivedSslError implementation. This has nothing to do with OpenSSL.
• I confirm @Antimony's comment

【Solution 5】:

I received the same warning today, and it told me the issue comes from the SDK of one of my ad networks (InMobi, which I'm seriously considering dropping, since they have lots of fraudulent auto-redirecting banners, and now this...):

com.inmobi.commons.analytics.iat.impl.net.AdTrackerWebViewLoader$MyWebViewClient

In your case, which class is affected? If it is one of your own classes, you have to read the technical documentation and fix your implementation.

If, like me, you are just the victim of some external library, contact its developers to ask for a fixed library (or remove the library).

【Discussion】:

• Hey @Sebastien. I'm from the InMobi team. You received the SSL error because of a change on the Google Play store side that also doesn't require https. Just download our latest SDK and you'll be fine :)
• I agree about the fraudulent auto-redirecting ads. Received many user complaints and bad reviews because of InMobi ads.
• @Sohan, the error is not because of a Play Store change. That looks like passing the blame to Google. Your SDK has a serious vulnerability that allows man-in-the-middle attacks, and Google has just alerted developers to the issue.