Certificate chain different between HTTPSURLconnection and Apache (System) DefaultHttpClient


Problem description

I am facing a weird issue w.r.t. the Apache HTTPS client. I am trying to connect to an external HTTPS website which has basic authentication turned on (SSL server authentication only). Here is the summary of my tests and conclusions.


  • Use either of Chrome/Firefox/IE to connect to the website -> success

  • Use javax.net.ssl.HttpsURLConnection -> success

  • Use DefaultHttpClient / SystemDefaultHttpClient -> failure

I tried to debug by enabling "javax.net.debug" to "ssl". I noticed that both the clients pick up the same trust store (default JDK trust store) and use the same protocol (TLSv1). However, the differences were here:

I noticed that the following extension was returned by the JDK:


Extension server_name, server_name: [host_name: websitehostname]

while the above extension was missing in the Apache web client debug log.

Also, one more difference I saw was in the certificate chain.

The response below is from JDK native:


* Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=websitename, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)13, OU=GT17702541, SERIALNUMBER=Q2La1fpFlFdNy4kUCIehYlMvw6bq64Ch
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

while in the Apache client the following:


chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=root@i4319, CN=i4319, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=--
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

and obviously I get the following exception with the Apache HTTPS client:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Before I go back and redo my work to use the JDK native client, I would like to know what is happening. Any insight on this behaviour would be appreciated.

Recommended answer

After a lot of searching, it looks like this weird issue is because of the lack of SNI support in Apache Client. Here is the JIRA that discusses the problem and a possible solution:

https://issues.apache.org/jira/browse/HTTPCLIENT-1119

and a possible workaround:

https://wiki.apache.org/HttpComponents/SNISupport
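As an added diagnostic (not code from the question, the answer, or HttpClient itself), the Java program below reproduces the observation in the question: it performs one handshake with the server_name extension and one without, and reports which chain[0] Subject the server presented and whether the default JDK trust store accepted it, without disabling any validation. It assumes Java 8 or later, takes the hostname from the command line, and needs network access to that host.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
public class SniProbe {
    // Wraps the JDK default X509TrustManager: records the presented chain, then delegates so validation is still enforced.
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        volatile X509Certificate[] lastChain;
        RecordingTrustManager() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null = the default JDK trust store (cacerts)
            delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain; // capture first, so a rejected chain is still reported
            delegate.checkServerTrusted(chain, authType);
        }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }
    // One TLS handshake to host:443, with or without server_name; returns chain[0] Subject and the trust outcome.
    static String probe(String host, boolean sendSni) throws Exception {
        RecordingTrustManager tm = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        String outcome;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            // Java 8+: an empty server-name list suppresses SNI (what the old HttpClient did); an SNIHostName sends it like HttpsURLConnection.
            if (sendSni) p.setServerNames(Collections.<SNIServerName>singletonList(new SNIHostName(host)));
            else p.setServerNames(Collections.<SNIServerName>emptyList());
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the hostname, as an HTTPS client does
            s.setSSLParameters(p);
            s.startHandshake();
            outcome = "accepted";
        } catch (SSLHandshakeException e) {
            outcome = "rejected: " + e.getMessage();
        }
        String subject = tm.lastChain == null ? "<no chain received>" : tm.lastChain[0].getSubjectX500Principal().getName();
        return "SNI=" + sendSni + "  chain[0] Subject: " + subject + "  -> " + outcome;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(probe(args[0], true));
        System.out.println(probe(args[0], false));
    }
}
```

A server hosting several names behind one address typically returns its default virtual host's certificate (or none at all) on the run without SNI, which is the mismatch the question's debug log shows; the same wrapper pattern can be dropped into an application to log presented chains while keeping validation intact.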
