When using Android's HttpUrlConnection library to make an HTTPS request, I sometimes see the following exception being thrown:

javax.net.ssl.SSLException: SSL handshake aborted: ssl=0x5c1b18a0: I/O error during system call, Connection reset by peer
at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:395)
...

After digging into the issue a bit, I've learned that

  • Everything works fine on wifi
  • The exception is only thrown when the device is on a mobile data connection
  • After making an HTTPS request over wifi first, connecting over mobile data tends to work fine for a while
  • The problem appears to happen on a small number of specific mobile carriers

What could be happening? Are some mobile carriers interfering with HTTPS traffic?

1 answer

#1


19

Short answer:

It turns out that some mobile carriers will return an IP address for DNS lookups that should have failed as non-existent. The server that the app was connecting to would fail to resolve sometimes, and the carrier would try to assist by providing a page of similar sites.


Longer answer:

The hostname for the server that my app was connecting to would sometimes fail to resolve. This would normally throw an UnknownHostException to indicate the DNS failure. I expect this to happen occasionally, and the app handles it. The SSLException was an anomaly.

On carriers that intercept failed DNS lookups, navigating a Web browser to a non-existent host will show a page of "search results" that aim to help you find what you were looking for. (Some DSL/cable ISPs do this, too.) For an app making an HTTPS request, though, this breaks the SSL handshake because the remote host is different from what the app is expecting.

The root cause was a misbehaving DNS server that would return a non-existent host error for one of the servers that my app was using. Connecting over wifi seemed to be more reliable (due to another quirk of the same DNS server). Connecting over wifi would allow the DNS entry to be cached, thus temporarily masking the problem when we would subsequently connect over a mobile data connection. Most of the time, though, the mobile carrier would intercept the failed DNS lookup and redirect us to an unexpected hostname, which resulted in a failed SSL handshake.
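
A defensive check for the behaviour this answer describes, as an added example that is not part of the original answer: it probes the resolver with a name that cannot exist and turns any answer for the real host that matches the probe's addresses back into a DNS failure. The class, the `Resolver` interface, the hostnames and the documentation-range addresses are all constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.*;

public class NxdomainHijackCheck {
    /** Lookup seam (hypothetical) so the check runs offline; on a device pass InetAddress::getAllByName. */
    interface Resolver { InetAddress[] resolve(String host) throws UnknownHostException; }

    /** Addresses returned for a name that cannot exist; an empty set means NXDOMAIN is honoured. */
    static Set<InetAddress> wildcardAddresses(Resolver dns) {
        // ".invalid" is reserved by RFC 6761, so an honest resolver never returns an address for it.
        String probe = UUID.randomUUID() + ".invalid";
        try {
            return new HashSet<>(Arrays.asList(dns.resolve(probe)));
        } catch (UnknownHostException expected) {
            return Collections.emptySet();
        }
    }

    /** Resolve host, reporting an answer that matches the rewritten-NXDOMAIN addresses as a DNS failure. */
    static InetAddress[] resolveChecked(Resolver dns, String host) throws UnknownHostException {
        Set<InetAddress> wildcard = wildcardAddresses(dns);
        InetAddress[] answer = dns.resolve(host);
        for (InetAddress a : answer) {
            if (wildcard.contains(a)) {
                throw new UnknownHostException(host + " (answer rewritten by resolver)");
            }
        }
        return answer;
    }

    public static void main(String[] args) throws Exception {
        // Constructed resolver imitating the carrier: one known host, every other name gets the "search page".
        InetAddress real = InetAddress.getByAddress(new byte[] {(byte) 192, 0, 2, 10});
        InetAddress searchPage = InetAddress.getByAddress(new byte[] {(byte) 198, 51, 100, 7});
        Resolver carrier = h -> new InetAddress[] { h.equals("api.example.com") ? real : searchPage };

        System.out.println(resolveChecked(carrier, "api.example.com")[0].getHostAddress());
        try {
            resolveChecked(carrier, "flaky.example.com"); // constructed name the carrier cannot resolve
        } catch (UnknownHostException e) {
            // The app's existing UnknownHostException handling now covers the hijacked case too.
            System.out.println("treated as DNS failure: " + e.getMessage());
        }
    }
}
```

The check only recognises rewritten answers that reuse the probe's addresses, and it assumes the resolver treats `.invalid` lookups like any other failed name. Certificate and hostname verification during the TLS handshake remains what actually stops the connection to the unexpected host.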
