How do I retrieve an untrusted SSL server certificate in order to review and trust it?


Problem description

My problem:


I want to connect to servers (not limited to the HTTPS protocol -- could be LDAP-over-SSL, could be SMTPS, could be IMAPS, etc.) that may be using certificates that Java will not trust by default (because they are self-signed).


The desired workflow is to attempt the connection, retrieve the certificate info, present that to the user and if he accepts it, add it to the truststore so it'll be trusted going forward.


I am stuck at retrieving the certificate. I have code (see at the end of the post) that I've cribbed from here and from sites pointed to by answers to questions about java SSL. The code simply creates an SSLSocket, starts the SSL handshake, and asks the SSL session for the Certificate[]. The code works fine when I'm connecting to a server using an already-trustable certificate. But when I connect to a server using a self-signed cert I get the usual:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: 
   sun.security.validator.ValidatorException: PKIX path building failed:
   sun.security.provider.certpath.SunCertPathBuilderException: unable to 
   find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        [etc]


If I run with -Djavax.net.debug=all I see that the JVM does retrieve the self-signed cert but will blow up the connection for using an untrusted cert before getting to the point where it'll return the certificates.


Seems like a chicken-and-egg problem. It will not let me see the certificates because they are not trusted. But I need to see the certificates to be able to add them to the truststore so they will be trusted. How do you break out of this?


For example, if I run the program as:

java SSLTest www.google.com 443


I get a printout of the certs Google is using. But if I run it as

java SSLTest my.imap.server 993


I get the exception referenced above.

Code:

import java.security.cert.*;
import javax.net.SocketFactory;
import javax.net.ssl.*;

public class SSLTest
{
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("Usage: SSLTest host port");
            return;
        }

        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // The default factory validates the server chain against the JRE
        // truststore (cacerts); an untrusted chain makes startHandshake()
        // throw SSLHandshakeException before getPeerCertificates() is reached.
        SocketFactory factory = SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        socket.startHandshake();

        // Only available after a successful handshake; otherwise this
        // throws SSLPeerUnverifiedException.
        Certificate[] certs = socket.getSession().getPeerCertificates();

        System.out.println("Certs retrieved: " + certs.length);
        for (Certificate cert : certs) {
            System.out.println("Certificate is: " + cert);
            if (cert instanceof X509Certificate) {
                try {
                    ((X509Certificate) cert).checkValidity();
                    System.out.println("Certificate is active for current date");
                } catch (CertificateExpiredException cee) {
                    System.out.println("Certificate is expired");
                } catch (CertificateNotYetValidException cnyve) {
                    // checkValidity() throws this too; the original caught only expiry
                    System.out.println("Certificate is not yet valid");
                }
            }
        }
        socket.close();
    }
}
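The way out of the chicken-and-egg problem described in the question is to put your own `X509TrustManager` in front of the JRE's: the trust manager is handed the full server chain before any verdict is reached, so it can keep a copy and still reject the handshake. The program below is an added example and is not the question's code or the code of the linked answer. It chains the JRE default trust manager (cacerts) with a user truststore, records the chain, aborts the handshake if neither trusts it, prints subject, issuer, validity and SHA-256 fingerprint, and on acceptance pins the leaf certificate into the user store so later runs succeed. The store file name `trusted-servers.p12` and the password `changeit` are assumptions. It works for any implicit-TLS port (443, 993, 636), not for STARTTLS upgrades.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SSLReview {

    /** Keeps a copy of the server chain, then asks the real trust managers in order
     *  (JRE cacerts first, then the user's own store). An untrusted chain still aborts
     *  the handshake: nothing is accepted silently, but the chain is kept for review. */
    static final class CapturingTrustManager implements X509TrustManager {
        final List<X509TrustManager> delegates;
        X509Certificate[] capturedChain;
        CertificateException trustFailure;

        CapturingTrustManager(List<X509TrustManager> delegates) { this.delegates = delegates; }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            capturedChain = chain.clone();
            CertificateException last = new CertificateException("no trust manager configured");
            for (X509TrustManager tm : delegates) {
                try { tm.checkServerTrusted(chain, authType); return; }
                catch (CertificateException e) { last = e; }
            }
            trustFailure = last;
            throw last;
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new CertificateException("client certificates are not handled here");
        }

        @Override public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509TrustManager tm : delegates) all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            return all.toArray(new X509Certificate[0]);
        }
    }

    /** init(null) loads the JRE default truststore (cacerts). */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    static KeyStore loadOrCreate(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());   // PKCS12 on Java 9+
        if (Files.exists(path)) {
            try (InputStream in = Files.newInputStream(path)) { ks.load(in, password); }
        } else {
            ks.load(null, password);   // brand-new empty store
        }
        return ks;
    }

    static String sha256(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) sb.append(i == 0 ? "" : ":").append(String.format("%02X", d[i]));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) { System.err.println("Usage: SSLReview host port"); return; }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        Path storePath = Paths.get("trusted-servers.p12");   // assumed location of the user store
        char[] password = "changeit".toCharArray();          // assumed; read it from your own config

        KeyStore userStore = loadOrCreate(storePath, password);
        List<X509TrustManager> delegates = new ArrayList<>();
        delegates.add(trustManagerFor(null));                                  // JRE cacerts
        if (userStore.size() > 0) delegates.add(trustManagerFor(userStore));  // empty store makes PKIX throw at runtime
        CapturingTrustManager tm = new CapturingTrustManager(delegates);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        IOException handshakeError = null;
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = socket.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");   // SSLSocket skips hostname checks unless asked
            socket.setSSLParameters(p);
            socket.startHandshake();
        } catch (IOException e) {
            handshakeError = e;
        }

        if (handshakeError == null) { System.out.println("Already trusted: " + host + ":" + port); return; }
        if (tm.capturedChain == null || tm.trustFailure == null) throw handshakeError;   // not a trust problem

        System.out.println("Rejected: " + tm.trustFailure.getMessage());
        for (X509Certificate c : tm.capturedChain) {
            System.out.println("  Subject : " + c.getSubjectX500Principal());
            System.out.println("  Issuer  : " + c.getIssuerX500Principal());
            System.out.println("  Valid   : " + c.getNotBefore() + " .. " + c.getNotAfter());
            System.out.println("  SHA-256 : " + sha256(c));
        }
        System.out.print("Trust this server certificate? Compare the fingerprint out of band first [y/N]: ");
        String answer = new BufferedReader(new InputStreamReader(System.in)).readLine();
        if (answer != null && answer.trim().equalsIgnoreCase("y")) {
            userStore.setCertificateEntry(host + ":" + port, tm.capturedChain[0]);   // pin the leaf only
            try (OutputStream out = Files.newOutputStream(storePath)) { userStore.store(out, password); }
            System.out.println("Saved to " + storePath + "; run again and the handshake should succeed.");
        }
    }
}
```

Run it as `java SSLReview my.imap.server 993`: the first run prints the rejected chain and asks; after a `y` the leaf is stored and the second run reports the server as trusted. Three points matter for security here. The capturing trust manager never returns normally for an untrusted chain, so this is not the "trust everything" trust manager that is the usual (wrong) answer to this question. Pinning only the leaf keeps the trust decision narrow; accepting the chain's last certificate would trust everything that CA ever signs. And this is trust-on-first-use: the first connection is exactly where an attacker in the path can substitute a certificate, so the fingerprint has to be compared with one obtained from the server operator through another channel before answering `y`. Endpoint identification is left on so that a pinned certificate whose name does not match the host is still rejected later.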

Recommended answer

See this
