Java 忽略证书验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6681969/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Java ignore certificate validation
提问by Jay Sullivan
I'm trying to create some sample Java projects that connect to a self-signed HTTPS server. I can't seem to get Java to stop trying to validate the certificate. I don't want to have to trust this certificate, I just want to ignore all certificate validation altogether; this server is inside my network and I want to be able to run some test apps without worrying about whether the certificate is valid.
我正在尝试创建一些连接到自签名 HTTPS 服务器的示例 Java 项目。我似乎无法让 Java 停止尝试验证证书。我不想信任这个证书,我只想完全忽略所有证书验证;该服务器在我的网络内,我希望能够运行一些测试应用程序而不必担心证书是否有效。
java -Dcom.sun.net.ssl.checkRevocation=false HelloWorld
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The -Dcom.sun.net.ssl.checkRevocation=falsedidn't help. I also tried adding the following code:
该-Dcom.sun.net.ssl.checkRevocation =假没有帮助。我还尝试添加以下代码:
public static void DisableCertificateValidation() {
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() { return null; }
public void checkClientTrusted(X509Certificate[] certs, String authType) { }
public void checkServerTrusted(X509Certificate[] certs, String authType) { }
}
};
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}
}
But still have the same issue. What's going on here?
但仍然有同样的问题。这里发生了什么?
回答by Bruno
org.apache.axis2.AxisFaultindicates that you're using Axis 2, and Axis 2 doesn't use HttpsURLConnectionto make its HTTP(S) connections, but Apache HttpClient (3.x as far as I know), so HttpsURLConnection.setDefaultSSLSocketFactory(...)will have no effect there.
org.apache.axis2.AxisFault表示您正在使用 Axis 2,而 Axis 2 不用于HttpsURLConnection建立其 HTTP(S) 连接,而是使用 Apache HttpClient(据我所知为 3.x),因此HttpsURLConnection.setDefaultSSLSocketFactory(...)在那里不会产生任何影响。
You can have a look at this answerabout setting up an SSLContextfor Axis 2, more specifically, this document: http://axis.apache.org/axis2/java/core/docs/http-transport.html#httpsupport
你可以看看这个关于SSLContext为 Axis 2设置一个的答案,更具体地说,这个文档:http: //axis.apache.org/axis2/java/core/docs/http-transport.html#httpsupport
(Alternatively, you may be able to get away with setting the default SSLContextwith SSLContext.setDefault(...), introduced in Java 6. Disabling certificate verification for your default SSL context is obviously not a good idea in a real application.)
(或者,你可能能够逃脱设置默认SSLContext用SSLContext.setDefault(...),在Java 6禁用证书验证介绍了默认的SSL上下文显然不是在实际应用中是个好主意。)
回答by Martin
This is an older question but I stumbled upon it and it kinda psuhed me in the right diretion. I could access an https url in axis2 without a valid client certificate by setting the params:
这是一个较旧的问题,但我偶然发现了它,它使我朝着正确的方向前进。通过设置参数,我可以在没有有效客户端证书的情况下访问axis2中的https url:
import org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.Protocol;
EasySSLProtocolSocketFactory easySSLProtocolSocketFactory;
try {
easySSLProtocolSocketFactory = new EasySSLProtocolSocketFactory();
Protocol.unregisterProtocol("https");
Protocol.registerProtocol("https", new Protocol("https",
(ProtocolSocketFactory) easySSLProtocolSocketFactory, 443));
}
catch (GeneralSecurityException e) {
e.printStackTrace();
}
Just be sure to do this before calling the axis2 service client. This is nothing I would do in production, but as a fast hack for an unsecured server that did the trick for me.
请务必在调用axis2 服务客户端之前执行此操作。这不是我在生产中会做的事情,但作为对不安全服务器的快速破解,它为我做了伎俩。
