从 Java 连接到 HTTPS 服务器并忽略安全证书的有效性
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2752266/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Make a connection to a HTTPS server from Java and ignore the validity of the security certificate
提问by justinhj
I've been testing a system that accesses a group of https servers with different keys, some of which are invalid and all of them are not in the local key store for my JVM. I am really only testing things out, so I don't care about the security at this stage. Is there a good way to make POST calls to the server and tell Java not to worry about the security certificates?
我一直在测试一个系统,该系统使用不同的密钥访问一组 https 服务器,其中一些是无效的,并且所有这些都不在我的 JVM 的本地密钥存储中。我真的只是在测试一下,所以我不关心现阶段的安全性。有没有一种好方法可以对服务器进行 POST 调用并告诉 Java 不要担心安全证书?
My google searches for this have brought up some code examples that make a class to do the validation, that always works, but I cannot get it to connect to any of the servers.
我对此的谷歌搜索提出了一些代码示例,这些示例使类进行验证,这些示例始终有效,但我无法将其连接到任何服务器。
采纳答案by BalusC
As per the comments:
根据评论:
With Googled examples, you mean among others this one?
对于 Google 搜索的示例,您的意思是其中一个?
Update: the link broke, so here's an extract of relevance which I saved from the internet archive:
更新:链接断开了,所以这是我从互联网档案中保存的相关性摘录:
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};
// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}
// Now you can access an https URL without having the certificate in the truststore
try {
URL url = new URL("https://hostname/index.html");
} catch (MalformedURLException e) {
}
回答by shrisowdhaman
Add below static method code in class file
在类文件中添加以下静态方法代码
static {
静止的 {
// Create a trust manager that does not validate certificate chains
try {
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
} catch (Exception err ){
log.debug(err.getMessage());;
}
}
回答by ZZ Coder
You need to create a X509TrustManager which bypass all the security check. You can find an example in my answer to this question,
您需要创建一个绕过所有安全检查的 X509TrustManager。你可以在我对这个问题的回答中找到一个例子,
How to ignore SSL certificate errors in Apache HttpClient 4.0
