How to make Restlet client ignore SSL Certificate problems


Question


I am currently working in a test environment where the server has a default Self signed SSL certificate. I am using Restlet 2.1-RC2 and instantiating client resource like this:

Client client = new Client(new Context(), Protocol.HTTP);
cr = new ClientResource(String.format(itql_endpoint,riQuery));
cr.setNext(client);


and reusing client for each call I make. How can I set up client so that it ignores problematic certificates.

Answer


The right way is to import this self-signed certificate into the client's trust store, using keytool for example:

keytool -import -file server-cert.pem -alias myserver -keystore mytruststore.jks


You can either do it directly in the JRE's trust store (lib/security/cacerts), which may lack some flexibility, or do it in your own copy of this file, which you then set as the trust store (the default password is changeit, or changeme on OSX). You can configure this trust store globally for your application using the usual javax.net.ssl.trustStore* system properties (e.g. the -Djavax.net.ssl.trustStore=mytruststore system property and -Djavax.net.ssl.trustStorePassword), or you can configure it for a specific connector in Restlet using the server context parameters, for example:

Series<Parameter> parameters = client.getContext().getParameters();
parameters.add("truststorePath", "/path/to/your/truststore.jks");
// parameters.add("truststorePassword", "password");
// parameters.add("trustPassword", "password");
// parameters.add("truststoreType", "JKS");


The wrong way is to use a TrustManager that's going to disable any verification and pass it via an SslContextFactory (in the SSL extension). Something along these lines:

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.restlet.Context;
import org.restlet.data.Parameter;
import org.restlet.ext.ssl.SslContextFactory;
import org.restlet.util.Series;

// Deliberately insecure: accepts every certificate, so the TLS connection
// authenticates nothing.
TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain,
                    String authType)
                    throws CertificateException {
    }

    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    public void checkServerTrusted(X509Certificate[] chain,
                    String authType)
                    throws CertificateException {
        // This will never throw an exception.
        // This doesn't check anything at all: it's insecure.
    }
};

final SSLContext sslContext = SSLContext.getInstance("TLS");
// null key managers (no client cert), our all-trusting manager, default SecureRandom
sslContext.init(null, new TrustManager[] {tm}, null);
Context context = client.getContext();
// Restlet's connectors read this attribute to obtain the SSLContext they use.
context.getAttributes().put("sslContextFactory", new SslContextFactory() {
    public void init(Series<Parameter> parameters) { }
    public SSLContext createSslContext() { return sslContext; }
});


While the first method may seem a bit more tedious than the second (since you need to obtain the server certificate first and copy files around), the second will simply make the error messages go away by not verifying anything about the server certificate, thereby making it vulnerable to active MITM attacks. This will apply to any connection where this SSLContext is configured. (This "wrong way" isn't wrong because it uses a custom SSLContext; it's wrong because of this particular configuration of the SSLContext.)
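The answer's closing point is that a custom SSLContext is fine as long as its TrustManager still validates the chain. The following is an added example, not code from the original answer or from the Restlet project, that does the "right way" programmatically instead of with keytool and the truststorePath parameters: it loads the exported self-signed certificate (server-cert.pem from the answer) into an in-memory trust store, builds the JSSE default X509TrustManager from it, and plugs the resulting SSLContext into the same sslContextFactory hook used above. The file path, the https://test-server.example:8443/resource URL and the org.restlet.ext.ssl.SslContextFactory import (Restlet 2.1's SSL extension) are assumptions; the client is created for Protocol.HTTPS because the trust store only matters on TLS connections.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.restlet.Client;
import org.restlet.Context;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.ext.ssl.SslContextFactory;
import org.restlet.resource.ClientResource;
import org.restlet.util.Series;

/**
 * Builds an SSLContext that trusts exactly one server certificate (the
 * self-signed certificate exported from the test server) and nothing else.
 * Unlike the all-trusting TrustManager above, the JSSE default
 * X509TrustManager still validates the presented chain against the trust
 * store, so a MITM presenting any other certificate is rejected.
 */
public final class PinnedTrustExample {

    /** Loads a single PEM/DER-encoded certificate into a fresh in-memory trust store. */
    static KeyStore trustStoreFor(String certPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(certPath)) {
            serverCert = (X509Certificate) cf.generateCertificate(in);
        }
        // Empty KeyStore of the JRE's default type; load(null, null) initialises it.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("myserver", serverCert); // same alias as the keytool command
        return ks;
    }

    /** Wraps the trust store in an SSLContext whose TrustManager validates against it. */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key managers; real, validating trust managers; default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed path: the certificate exported from the test server (see keytool step).
        final SSLContext sslContext = sslContextFor(trustStoreFor("server-cert.pem"));

        Client client = new Client(new Context(), Protocol.HTTPS);
        Context context = client.getContext();
        // Same hook as the "wrong way" above; only the contents of the SSLContext differ.
        context.getAttributes().put("sslContextFactory", new SslContextFactory() {
            public void init(Series<Parameter> parameters) { }
            public SSLContext createSslContext() { return sslContext; }
        });

        // Assumed endpoint; reuse the client for every ClientResource as in the question.
        ClientResource cr = new ClientResource("https://test-server.example:8443/resource");
        cr.setNext(client);
        System.out.println(cr.get().getText());
    }
}
```

Because the trust store holds only the one self-signed certificate, the client fails closed: it refuses any other certificate, including a new one after the test server rotates its key, and that is the intended behaviour. This is also the programmatic equivalent of the keytool import plus the truststorePath/truststorePassword parameters shown earlier, so pick whichever fits your deployment; both keep chain validation intact.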
