HTTPSURLconnection 和 Apache (System) DefaultHttpClient 之间的证书链不同 [英] Certificate chain different between HTTPSURLconnection and Apache (System) DefaultHttpClient
问题描述
我在 Apache HTTPS 客户端上遇到了一个奇怪的问题.我正在尝试连接到已打开基本身份验证的外部 HTTPS 网站(仅限 SSL 服务器身份验证).以下是我的测试总结和结论.
I am facing a weird issue wrto Apache HTTPS client. I am trying to connect to an external HTTPS website which has basic authentication turned on (SSL server authenticaion only). Here is the summary of my tests and conclusions.
使用 Chrome/Firefox/IE 之一连接到网站 -> 成功
Use a either of Chrome/Firefox/IE to connect to the website -> success
使用javax.net.ssl.HttpsURLConnection -> 成功
使用 DefaultHttpClient 或 SystemDefaultHttpClient -> 失败
Use either of DefaultHttpClient or SystemDefaultHttpClient -> failure
我尝试通过将javax.net.debug"启用为ssl"来进行调试.我注意到两个客户端都选择了相同的信任存储(默认 JDK 信任存储)并使用相同的协议 (TLSv1).然而,差异就在这里
I tried to debug by enabling "javax.net.debug" to "ssl". I noticed that both the clients pick up the same trust store (default JDK trust store) and use the same protocol (TLSv1). However, the differences were here
我注意到JDK返回了以下扩展
I noticed that the following extension was returned by the JDK
扩展 server_name, server_name: [host_name: websitehostname]
Extension server_name, server_name: [host_name: websitehostname]
虽然 Apache Web 客户端调试日志中缺少上述扩展.
while the above extension was missing in the Apache web client debug log.
另外,我看到的另一个区别是证书链
Also, one more difference I saw was in the certficate chain
来自 JDK native 的以下响应
The below response from JDK native
* 证书链链 [0] = [[版本:V3主题:**CN=网站名称,OU=域控制验证 - RapidSSL(R),OU=参见 www.rapidssl.com/resources/cps (c)13,OU=GT17702541,SERIALNUMBER=Q2La1fpFlFdNy4kUCIehYlMvw6签名算法:SHA1withRSA,OID = 1.2.840.113549.1.1.5
* Certificate chain chain [0] = [ [ Version: V3 Subject: **CN=websitename, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)13, OU=GT17702541, SERIALNUMBER=Q2La1fpFlFdNy4kUCIehYlMvw6bq64Ch Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
而在 apache 客户端以下
while in apache client the following
chain [0] = [ [ 版本:V3 主题:EMAILADDRESS=root@i4319,CN=i4319,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState, C=-- 签名算法:SHA1withRSA, OID =1.2.840.113549.1.1.5
chain [0] = [ [ Version: V3 Subject: EMAILADDRESS=root@i4319, CN=i4319, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=-- Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
显然我在使用 apache https 客户端时遇到以下异常.
and obviously I get the following exception with apache https client.
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
在我回去重做我的工作以使用 JDK 本机客户端之前,我想知道发生了什么.对此行为的任何见解将不胜感激.
Before I go back and redo my work to use the JDK native client, I would like to know what is happening. Any insight on this behaviour would be appreciated.
推荐答案
经过大量搜索看起来这个奇怪的问题是因为 Apache 客户端缺乏 SNI 支持.这是讨论问题和可能的解决方案的 JIRA
After a lot of searching looks like this weird issue is because of lack of SNI support in Apache Client. Here is the JIRA that discusses the problem and possible solution here
https://issues.apache.org/jira/browse/HTTPCLIENT-1119
以及可能的解决方法
https://wiki.apache.org/HttpComponents/SNISupport
这篇关于HTTPSURLconnection 和 Apache (System) DefaultHttpClient 之间的证书链不同的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
