Android 7 introduced some changes to the way certificates are handled (http://android-developers.blogspot.com/2016/07/changes-to-trusted-certificate.html) and somehow I cannot make my Charles proxy work any more.
My network_security_config.xml:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
I'm running in debug mode. But no matter what, I get javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
Needless to say, I did install a pfx certificate from Settings -> Security -> Install from storage. The certificate shows in User Credentials but not in Trusted credentials -> User. On my lollipop device, the certificates are listed there.
I'm using okhttp3 as HTTP library.
Any idea what I am doing wrong?
4 answers
#1
21
Based on the troubleshooting thread of comments for the OP, the answer is to install just the proxy's CA cert as trusted, not its cert + private key.
The issue was caused by two factors:
- Installing not just the MiTM proxy's CA cert but also its private key (thus enabling VPN apps on the device to decrypt/MiTM network traffic from other apps). You don't need the MiTM proxy's private key on the device.
- Android Nougat change in behavior of the Settings -> Security -> Install from storage flow for files which contain a private key in addition to cert(s). This change in behavior unmasked the above issue.
Prior to Nougat, the Settings -> Security -> Install from storage flow for files containing a private key in addition to certs erroneously installed the certs as trusted for server authentication (e.g., HTTPS, TLS, thus making your MiTM succeed), in addition to being correctly installed as client certs used for authenticating this Android device to servers. In Nougat, the bug was fixed and these certs are no longer installed as trusted for server authentication. This prevents client authentication credentials from affecting (weakening) the security of connections to servers. In your scenario, this prevents your MiTM from succeeding.
What complicates matters is that the Settings -> Security -> Install from storage flow does not provide an explicit way for the user to specify whether they are installing a client authentication credential (private key + cert chain) or a server authentication trust anchor (just a CA cert -- no private key needed). As a result, the Settings -> Security -> Install from storage flow guesses whether it's dealing with a client/user authentication credential or a server authentication trust anchor by assuming that, if a private key is specified, it must be a client/user authentication credential. In your case, it incorrectly assumed that you are installing a client/user authentication credential rather than a server authentication trust anchor.
P. S. With regards to your Network Security Config, you should probably configure the app to also trust "system" trust anchors in debug mode (debug-overrides section). Otherwise debug builds of the app won't work unless connections are MiTM'd by a proxy whose CA cert is installed as trusted on the Android device.
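A small lint for the two trust-anchor pitfalls discussed in this thread, added here as an example (it is not code from the thread or from Android). It embeds the question's network_security_config.xml verbatim, derives the variant with the P.S. above applied, and flags a base-config that trusts user CAs; the finding texts are my own wording.

```python
"""Lint an Android network_security_config.xml for the trust-anchor
pitfalls discussed in this thread (added example, not from the thread)."""
import xml.etree.ElementTree as ET

# The question's config, reproduced from the thread.
ORIGINAL_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>"""

# Same config with answer #1's P.S. applied: debug-overrides list the
# system anchors alongside the user-installed (proxy CA) anchors.
FIXED_NSC = ORIGINAL_NSC.replace(
    '<certificates src="user" />',
    '<certificates src="system" />\n            <certificates src="user" />')


def anchor_sources(root, section):
    """Set of <certificates src=...> values under <section>, None if absent."""
    node = root.find(section)
    if node is None:
        return None
    return {c.get("src") for c in node.iter("certificates")}


def lint_nsc(xml_text):
    """Return a list of findings (strings); an empty list means none."""
    root = ET.fromstring(xml_text)
    findings = []
    base = anchor_sources(root, "base-config")
    debug = anchor_sources(root, "debug-overrides")
    # "user" anchors in base-config make *release* builds trust any CA the
    # device owner installs, the very default that Android 7 dropped.
    if base and "user" in base:
        findings.append("base-config trusts user CAs: release builds accept "
                        "any CA installed on the device")
    # Answer #1's P.S.: debug-overrides should list system anchors as well.
    if debug is not None and "user" in debug and "system" not in debug:
        findings.append("debug-overrides lists only user anchors: add "
                        "system anchors too (see answer #1)")
    return findings
```

`lint_nsc(ORIGINAL_NSC)` reports the debug-overrides finding and `lint_nsc(FIXED_NSC)` reports nothing.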
#2
91
The solution is do not use .p12, just navigate with Chrome (with configured proxy on wifi) to http://charlesproxy.com/getssl and install downloaded .pem file.
I had exactly the same problem on my Nexus 5X running Android 7.0. There was previously exported .p12 from Charles 3.11.5 (Help->SSL Proxying->Export Charles Root certificate and Private key). When I tried to install .p12 from phone (Settings->Security->Install from storage) it appears only under "User credentials" and never at "Trusted credentials", and of course SSL with Charles proxy did not work.
The total "how-to" for Android 7.0 would be like that:
- Configure WiFi + proxy (how Charles requires it). Connect it.
- On device, navigate with Chrome to http://charlesproxy.com/getssl, accept request for download .pem, then press "open", it launches "Certificate installer" app. Use it to install the certificate as "VPN and apps".
- Put the attribute android:networkSecurityConfig="@xml/network_security_config" on <application> in Manifest.xml.
- Create res/xml/network_security_config.xml with content from the first post (it is totally correct).
- Launch Charles and app and have fun.
P.S. Check date/time on the device. It should be correct.
#3
21
I wrote a script that injects the apk with the required exceptions and allows using Charles Proxy with the app.
This is the Github https://github.com/levyitay/AddSecurityExceptionAndroid
#4
1
I'm on Android 7.1.1, here's how I setup on my device (OnePlus One) - without the change of manifest (I was targeting API 21 for my app):
In Charles Proxy:
- Help > SSL Proxying > Install Charles Root Certificate on a Mobile Device or Remote Browser. This step gives you the proxy IP and port number and also the link to where you should download the Charles proxy SSL certificate.
On your phone:
- Wifi Settings > Modify Network > Advanced Options. Set Proxy to Manual and enter the IP and Port number you received from Charles into Proxy hostname and Proxy port respectively.
- (OPTIONAL) You may or may not be able to access the chls.pro/ssl link provided by Charles earlier. On my device, I was always notified that I had no network connection. I added charlesproxy.com to the Bypass proxy for field.
- On your browser, go to the link in step 3 and download whatever certificate is necessary (if it doesn't work on Chrome, download Dolphin Browser). You can name your certificate with whatever name.
Back on Charles Proxy:
- You should get the prompt to either Allow or Deny your phone to use the proxy if your settings default to prompting you for remote connections.
You can now use Charles on Nougat 7.1.1.