Android 7.0之后抓包证书无效的解决方案

Charles
Gästebuch

背景

使用抓包软件(以 Charles 为例)抓取APP的 https 请求时,Android和Charles都正确安装了证书却出现抓包失败,报错:

Failure Client SSL handshake failed: An unknown issue occurred processing the certificate (certificate_unknown)

certunknow

解决方案

导出.pem

获取文件名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
openssl x509 -subject_hash -in  /Users/chenyulong01/Desktop/Untitled.pem 
07cc5b45
-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgIGAV84nCXLMA0GCSqGSIb3DQEBCwUAMIG6MUswSQYDVQQD
DEJDaGFybGVzIFByb3h5IENBICgyMCDljYHmnIggMjAxNywgY2hlbnl1bG9uZzAx
ZGVNYWNCb29rLVByby5sb2NhbCkxJTAjBgNVBAsMHGh0dHBzOi8vY2hhcmxlc3By
b3h5LmNvbS9zc2wxETAPBgNVBAoMCFhLNzIgTHRkMREwDwYDVQQHDAhBdWNrbGFu
ZDERMA8GA1UECAwIQXVja2xhbmQxCzAJBgNVBAYTAk5aMB4XDTAwMDEwMTAwMDAw
MFoXDTQ2MTIxNzA3MDc1OFowgboxSzBJBgNVBAMMQkNoYXJsZXMgUHJveHkgQ0Eg
KDIwIOWNgeaciCAyMDE3LCBjaGVueXVsb25nMDFkZU1hY0Jvb2stUHJvLmxvY2Fs
KTElMCMGA1UECwwcaHR0cHM6Ly9jaGFybGVzcHJveHkuY29tL3NzbDERMA8GA1UE
CgwIWEs3MiBMdGQxETAPBgNVBAcMCEF1Y2tsYW5kMREwDwYDVQQIDAhBdWNrbGFu
ZDELMAkGA1UEBhMCTlowggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCU
i7FUgkLSIxIYcQWXNf4OkncxNZl1SWXExV8whjC3W+IWA3C3gJgYVY57j4uj+B1q
EGbqIYw4dok3ayB+Yrrcm0WVirb4IJVwUc/EfNnkqAluc/US01Mti6+PuUnya8ze
JZN8ZzJReIgiI7LlYlrPjD0hl4cTckpsdcGLqlfkjuXyeUU3b/qNyKsquAq42o8M
ngB7zbObsie/EpEsI3beqa7MForKeuq5Cc900IdMfTqeIATY7GTdtyXPXPzSionF
TcYMk3QQqLZz+hqF6v8sKB4NeZNFpjSzJF2l7xjUMApMeDppaBN8kTSgf8k8OSxe
HWk1lLhdJfh96O/nEbz9AgMBAAGjggF0MIIBcDAPBgNVHRMBAf8EBTADAQH/MIIB
LAYJYIZIAYb4QgENBIIBHROCARlUaGlzIFJvb3QgY2VydGlmaWNhdGUgd2FzIGdl
bmVyYXRlZCBieSBDaGFybGVzIFByb3h5IGZvciBTU0wgUHJveHlpbmcuIElmIHRo
aXMgY2VydGlmaWNhdGUgaXMgcGFydCBvZiBhIGNlcnRpZmljYXRlIGNoYWluLCB0
aGlzIG1lYW5zIHRoYXQgeW91J3JlIGJyb3dzaW5nIHRocm91Z2ggQ2hhcmxlcyBQ
cm94eSB3aXRoIFNTTCBQcm94eWluZyBlbmFibGVkIGZvciB0aGlzIHdlYnNpdGUu
IFBsZWFzZSBzZWUgaHR0cDovL2NoYXJsZXNwcm94eS5jb20vc3NsIGZvciBtb3Jl
IGluZm9ybWF0aW9uLjAOBgNVHQ8BAf8EBAMCAgQwHQYDVR0OBBYEFPDxZ1dwMgBq
AuPwBWMv/Lcd7GOGMA0GCSqGSIb3DQEBCwUAA4IBAQA3nLkJtVRUUX94BJbryczU
C0l5dqURDA6KKlNF3PtYvXxGGrdt7Ojkno9d2thUg1b+vKRwcY8tioJJHt01/QbH
BK3uSIsdoxR+FY9Q7+hJc7XE8d+D3h4KlUgRY8EhCvBZMMo45O4t7wZYRbiCZh3q
p4bayK99HZ8naYovYYK9oJiR8L41+YwuLZllkn5thJ+kvKw0NAgrP5YOsuxu+3DV
uoDEhQPOwmPSVWq1JRAKMi8Ck9dfRYxZklLGZ+ZiT1L2ShyNuCLRKFHaP880RWJF
uwuKep/FHqmCHWj5DumZF37jbsY56i13f723nSVZ56XJUq+yQ8KZzTqbEYBfC9Si
-----END CERTIFICATE-----

07cc5b45,就是我们获取到的文件名。

修改文件名

就是将我们从charles中导出的xxxxx.pem文件名改为07cc5b45.0

push到手机中(需要root)

/system/etc/security/cacerts/

放入的过程中,上述文件后缀名的数字是为了防止文件名冲突的,比如如果两个证书算出的Hash值是一样的话,那么一个证书的后缀名数字可以设置成0,而另一个证书的后缀名数字可以设置成1(07cc5b45.1)。

证书安装成功

此时你应该可以在 设置->安全->信任的凭据 的系统标签页看到你新加入的证书,将其启用即可顺利抓包。

certsuc

参考资料

Android 7.0 之后抓包 unknown 和证书无效的解决方案(无需改代码)