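The problem
Starting with Android 7, Google changed the security policy: CA certificates added by the user can no longer be used for secure connections, which means the Charles certificate you installed yourself is now useless. When we capture HTTPS traffic, the following problem appears.
The device also emits the following log:
2019-02-11 14:27:12.232 8913-8954/? W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.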
2019-02-11 14:27:12.232 8913-8954/? W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
2019-02-11 14:27:12.232 8913-8954/? W/System.err: at com.android.okhttp.Connection.connectTls(Connection.java:235)
2019-02-11 14:27:12.232 8913-8954/? W/System.err: at com.android.okhttp.Connection.connectSocket(Connection.java:199)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.Connection.connect(Connection.java:172)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:367)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:130)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:329)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:246)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:457)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:126)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.connect(DelegatingHttpsURLConnection.java:89)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.growingio.android.sdk.gtouch.http.HttpRequest.execute(HttpRequest.java:73)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at com.growingio.android.sdk.gtouch.http.HttpRequest$1.run(HttpRequest.java:110)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
2019-02-11 14:27:12.233 8913-8954/? W/System.err: at java.lang.Thread.run(Thread.java:761)
2019-02-11 14:27:12.235 8913-8954/? W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2019-02-11 14:27:12.235 8913-8954/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:563)
2019-02-11 14:27:12.235 8913-8954/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:444)
2019-02-11 14:27:12.235 8913-8954/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:508)
2019-02-11 14:27:12.235 8913-8954/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401)
2019-02-11 14:27:12.235 8913-8954/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375)
2019-02-11 14:27:12.235 8913-8954/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304)
2019-02-11 14:27:12.235 8913-8954/? W/System.err: at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
2019-02-11 14:27:12.235 8913-8954/? W/System.err: at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
2019-02-11 14:27:12.236 8913-8954/? W/System.err: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178)
2019-02-11 14:27:12.236 8913-8954/? W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596)
2019-02-11 14:27:12.236 8913-8954/? W/System.err: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
2019-02-11 14:27:12.236 8913-8954/? W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
2019-02-11 14:27:12.236 8913-8954/? W/System.err: ... 16 more
2019-02-11 14:27:12.236 8913-8954/? W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2019-02-11 14:27:12.236 8913-8954/? W/System.err: ... 28 more
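Solution 1
This method is for devices that are not rooted; refer directly to the official Android documentation at developer.android.com/training/ar… Its limitation is that it can only capture traffic from your own app, not from third-party apps, and it is cumbersome to set up.
Solution 2
This is the method this article mainly covers, a once-and-for-all approach: install the Charles certificate as a system certificate.
1. Make sure the phone is rooted
I won't go over how to root the device here.
2. Download the certificate
Following Charles's help, browse to chls.pro/ssl to download the certificate. You can download it on the device and then adb pull it to your computer, or download it directly with a browser on the computer.
3. Rename the certificate
System certificates live in the directory /system/etc/security/cacerts/, where the files are named <Certificate_Hash>.<Number>: the file name is a hash value and the extension is a number. The number in the extension is there to prevent file name collisions. For example, if two certificates produce the same hash, one certificate's extension can be set to 0 and the other's to 1.
We compute the hash of the certificate file with the following command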
openssl x509 -subject_hash_old -in <Certificate_File>
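4. Upload the certificate
We adb push the renamed certificate to /sdcard/Download, then copy it into the /system/etc/security/cacerts/ folder.
mount -o rw,remount /system
This command remounts the system partition as read-write.
After copying, change the file permissions to 644 and reboot the device.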
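Steps 3 and 4 as one script, an added example that is not part of the original article: it computes the old-style subject hash, picks the first numeric suffix not already present in the device's cacerts directory, then pushes, copies, sets mode 644 and reboots. It assumes a PEM certificate, adb on the PATH, and root access through an su binary on your own test device; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Usage: sh <this script> <charles certificate in PEM format>
CACERTS=/system/etc/security/cacerts

# Print the old-style subject hash Android uses for system CA file names.
# -noout suppresses the PEM dump that openssl would otherwise print as well.
cert_hash() {
    openssl x509 -inform PEM -subject_hash_old -noout -in "$1"
}

# Read existing cacerts file names on stdin and print <hash>.<n> for the
# lowest n that is not taken, so an existing system certificate with the
# same hash is never overwritten.
next_cert_name() {
    hash=$1
    existing=$(tr -d '\r')   # some adb versions emit CRLF line endings
    n=0
    while printf '%s\n' "$existing" | grep -qxF "$hash.$n"; do
        n=$((n + 1))
    done
    printf '%s.%s\n' "$hash" "$n"
}

# Rename, push, copy into the system store, chmod 644, reboot.
install_system_ca() {
    cert=$1
    hash=$(cert_hash "$cert") || return 1
    name=$(adb shell ls "$CACERTS" | next_cert_name "$hash") || return 1
    cp "$cert" "$name" || return 1
    adb push "$name" /sdcard/Download/ || return 1
    # Assumption: root is reached with "su -c" on the device.
    adb shell su -c "'mount -o rw,remount /system \
        && cp /sdcard/Download/$name $CACERTS/ \
        && chmod 644 $CACERTS/$name'" || return 1
    adb reboot
}

# Only touch a device when a certificate path is given on the command line.
if [ "$#" -ge 1 ]; then
    install_system_ca "$1"
fi
```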
5. Verify the result
Under Settings > Security > Trusted credentials, we can see
In the HTTPS capture we can see