java Apache HttpClient 使用自己的 SSL 证书
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16698462/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Apache HttpClient use own SSL-certificates
提问by Cola Colin
I am trying to connect to a https secured restwebservice using httpclient 4.0.3 with Java7. My code looks like this:
我正在尝试使用带有 Java7 的 httpclient 4.0.3 连接到 https 安全的 restwebservice。我的代码如下所示:
public static void main(String[] args) throws Exception {
ClientRequest req = new ClientRequest("https://127.0.0.16:8443/rest/lstgs/create", new ApacheHttpClient4Executor(doSSLBlackMagic()));
// ... random stuff that has nothing to do with SSL
ClientResponse<String> response = req.post(String.class);
if (response.getStatus() != 201) {
throw new RuntimeException("error, status: " + response.getStatus() + " / " + response.getEntity());
} else {
System.out.println(response.getEntity());
}
}
public static KeyStore loadTrustStore() throws Exception {
KeyStore trustStore = KeyStore.getInstance("jks");
trustStore.load(new FileInputStream(new File("path-to-truststore")), "password".toCharArray());
return trustStore;
}
protected static TrustManager[] getTrustManagers() throws Exception {
KeyStore trustStore = loadTrustStore();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
return tmf.getTrustManagers();
}
public static HttpClient doSSLBlackMagic() throws Exception {
SSLContext ctx = SSLContext.getInstance("TLS");
TrustManager[] trustManagers = getTrustManagers();
ctx.init(null, trustManagers, new SecureRandom());
SSLSocketFactory factory = new SSLSocketFactory(ctx);
HttpClient client = new DefaultHttpClient();
ClientConnectionManager manager = client.getConnectionManager();
manager.getSchemeRegistry().register(new Scheme("https", factory, 8443));
return client;
}
As far as I understand this should result in the HttpClient to use my Truststore to ensure that the server's certificate is valid. This fails. I keep getting this exception:
据我了解,这应该会导致 HttpClient 使用我的 Truststore 来确保服务器的证书有效。这失败了。我不断收到此异常:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException:对等方未通过身份验证
I've tried multiple keystore/truststores or a plain URLConnection Java-Solution. Nothing works. Is there any way to validate a given keystore and truststore with each other? Is there some other way to set the truststore? How can I debug this?
我已经尝试了多个密钥库/信任库或一个普通的 URLConnection Java 解决方案。没有任何作用。有什么方法可以相互验证给定的密钥库和信任库?还有其他方法可以设置信任库吗?我该如何调试?
EDIT: Full Stacktrace:
编辑:完整的堆栈跟踪:
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:399)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:143)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:87)
at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39)
at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40)
at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:473)
at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:704)
at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:595)
at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:600)
at TestLstgCreation.main(TestLstgCreation.java:49)
EDIT2: I've tried this piece of pure Code without HttpClient:
EDIT2:我试过这段没有 HttpClient 的纯代码:
public static void main(String[] args) throws Exception {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
System.err.println("foobar");
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
System.err.println("foobar");
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
System.err.println("foobar");
}
} };
// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
System.err.println("foobar");
return true;
}
};
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
URL url = new URL("https://127.0.0.16:8443/rest/lstgs/ofclient/23891");
HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
con.connect();
}
It fails and does not print foobar at all:
它失败并且根本不打印 foobar:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1837)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1019)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
at ScrewYouApacheHttpClient.main(ScrewYouApacheHttpClient.java:48)
The certifciate that the server is using was only "valid" until 2010, maybe that is a problem? Yesterday I did try to use another certificate that I created for this test and got the same results, though.
服务器使用的证书直到 2010 年才“有效”,也许这是一个问题?昨天我确实尝试使用我为此测试创建的另一个证书,但得到了相同的结果。
回答by Cola Colin
I just found the solution: We just recently switched to Java 7 and the Eclipseprojekt I used for this test still used Java 6. The Server I am working against however already uses Java 7. Running the Code above with Java 7 works for both snippets. :)
我刚刚找到了解决方案:我们最近才切换到 Java 7,而我用于此测试的 Eclipseprojekt 仍然使用 Java 6。但我正在使用的服务器已经使用 Java 7。使用 Java 7 运行上面的代码适用于这两个片段。:)
Sucks that the Exception gives no information about this, it cost me a few hours of my life :/
很糟糕,异常没有提供有关此的信息,它花费了我几个小时的生命:/
回答by Robert Tupelo-Schneck
It may be that your TrustManageris validating the certificate, but HTTPS hostname verification is failing. Consider adding
可能是您TrustManager正在验证证书,但 HTTPS 主机名验证失败。考虑添加
factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
