Does OkHttp support accepting self-signed SSL certs?

Question

I'm working for a customer who has a server with self-signed SSL cert.

I'm using Retrofit + CustomClient using wrapped OkHttp client:

RestAdapter restAdapter = new RestAdapter.Builder().setEndpoint(Config.BASE_URL + Config.API_VERSION)
    .setClient(new CustomClient(new OkClient(), context))
    .build();

Does OkHttp support calling Self-Signed SSL cert server by default?

By the way, which client does Retrofit use by default? I thought it was OkHttp, but when I researched a bit more I realized I needed to import OkHttp dependencies.

Recommended answer

Yes, it does.

Retrofit allows you to set your custom HTTP client, that is configured to your needs.

As for self-signed SSL certs there is a discussion here. The link contains code samples to add self-signed SSL to Android's DefaultHttpClient and to load this client to Retrofit.

If you need OkHttpClient to accept self-signed SSL, you need to pass it a custom javax.net.ssl.SSLSocketFactory instance via the setSslSocketFactory(SSLSocketFactory sslSocketFactory) method.

The easiest method to get a socket factory is to get one from javax.net.ssl.SSLContext as discussed here.

Here is a sample for configuring OkHttpClient:

OkHttpClient client = new OkHttpClient();
KeyStore keyStore = readKeyStore(); //your method to obtain KeyStore
SSLContext sslContext = SSLContext.getInstance("SSL");
// TrustManagers decide which server certificates are accepted: here, only those in keyStore
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
// KeyManagers supply this client's own key material from the same keyStore
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "keystore_pass".toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
client.setSslSocketFactory(sslContext.getSocketFactory());


Updated code for okhttp3 (using the builder):

    OkHttpClient client = new OkHttpClient.Builder()
            .sslSocketFactory(sslContext.getSocketFactory())
            .build();


The client here is now configured to use certificates from your KeyStore. However, it will only trust the certificates in your KeyStore and will not trust anything else, even if your system trusts them by default. (If you have only self-signed certs in your KeyStore and try to connect to the Google main page via HTTPS, you will get an SSLHandshakeException.)

You can obtain KeyStore instance from file as seen in docs:

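KeyStore readKeyStore() throws java.security.GeneralSecurityException, java.io.IOException {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

    // get user password and file input stream
    char[] password = getPassword(); // your method to obtain the keystore password

    // declared as InputStream so any stream source can be assigned to it
    java.io.InputStream fis = null;
    try {
        fis = new java.io.FileInputStream("keyStoreName");
        ks.load(fis, password);
    } finally {
        // close the stream even if load() throws
        if (fis != null) {
            fis.close();
        }
    }
    return ks;
}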

If you are on Android you can put it in the res/raw folder and get it from a Context instance using

fis = context.getResources().openRawResource(R.raw.your_keystore_filename);

There are several discussions on how to create your keystore. For example here
