一尘不染

允许Java使用不受信任的证书进行SSL / HTTPS连接

java

我一直在研究从动态Web应用程序中提取信息的程序,该程序运行良好,直到我将tomcat服务器设置为使用具有自签名(因此,不受信任)证书的SSL。错误的堆栈跟踪为:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1116)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1100)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:857)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
        at com.certicom.gls.glscs.nongui.URLReader$PostURL.setupURL(URLReader.java:34)
        at com.certicom.gls.glscs.nongui.URLReader.getLogin(URLReader.java:227)
        at com.certicom.gls.glscs.nongui.URLReader.testLogin(URLReader.java:436)
        at com.certicom.gls.glscs.nongui.Controller.loginMenu(Controller.java:384)
        at com.certicom.gls.glscs.nongui.Controller.menu(Controller.java:324)
        at com.certicom.gls.glscs.nongui.Controller.<init>(Controller.java:49)
        at com.certicom.gls.glscs.nongui.Controller.main(Controller.java:61)

在Web浏览器中,当用户使用不受信任的证书访问HTTPS站点时,系统会提示用户警告,并要求他设置是否愿意继续进行操作;我想为我的命令行应用程序实现类似的功能…我承认我是套接字编程和网络领域的新手。解决这个问题的任何建议都会很棒!


阅读 376

收藏
2020-03-19

共1个答案

一尘不染

这是一些相关的代码:

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        public void checkClientTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
        }
        public void checkServerTrusted(
            java.security.cert.X509Certificate[] certs, String authType) {
        }
    }
};

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}

// Now you can access an https URL without having the certificate in the truststore
try {
    URL url = new URL("https://hostname/index.html");
} catch (MalformedURLException e) {
}

这将完全禁用SSL检查-只是不要从此类代码中学习异常处理!

要执行你想要的操作,你必须在TrustManager中实施提示用户的检查。

2020-03-19