SSL“对等方未认证"HttpClient 4.1 错误 [英] SSL "Peer Not Authenticated" error with HttpClient 4.1
问题描述
我正在构建一个简单的应用监视器来轮询我们的 API URL 之一,如果无法从响应中获取 HTTP 200 状态代码,则向我们发送电子邮件(这表明我们的 API 由于某种原因关闭).
I am building a simple app monitor to poll one of our API URLs and email us if it can't get a HTTP 200 status code from the response (this would indicate our API is down for some reason).
我使用的是 HttpClient 4.1(这很重要,因为它的 API 与 3.x 很大不同).
I am using HttpClient 4.1 (this is important because its API differs greatly from 3.x).
我们的 API 使用 SSL 是安全的,但是输入:
Our API is secure with SSL, however entering:
进入网络浏览器会将您重定向到
into a web browser redirects you to
不会造成任何错误.
当 HttpClient 尝试访问此 URL (http://example.com/our-api) 时,它会失败并出现 javax.net.ssl.SSLPeerUnverifiedException 异常有一条消息说明:
When HttpClient attempts to hit this URL (http://example.com/our-api), it fails with a javax.net.ssl.SSLPeerUnverifiedException exception with a message stating:
未通过身份验证的对等方
peer not authenticated
我看到其他人经常发生这种情况,正如这篇帖子所证明的那样还提供了一些规避此问题的方法 - 事实上我今晚将尝试实施的解决方案).
I see this happening a lot for other people as is evidenced by this post (which also provides some ways of circumventing this problem - a solution that I am going to try and implement tonight in fact).
其他帖子(以及其他类似的帖子)没有首先解释为什么会发生这种情况!所以,与其问我该如何解决这个问题?"我想我会问为什么会这样?"在我继续提出建议的解决方案之一之前,我想知道我正在尝试解决的问题是什么;-)
What this other post (and the other similar ones to it) do not do is explain why this is happening in the first place! So, rather than ask "how do I fix this?" I figured I would ask "why is this happening?" Before I go barging ahead with one of the proposed solutions, I'd like to know what the problem is that I'm attempting to fix ;-)
推荐答案
如果服务器的证书是自签名的,那么这将按设计工作,您必须将服务器的证书导入到您的密钥库中.
If the server's certificate is self-signed, then this is working as designed and you will have to import the server's certificate into your keystore.
假设服务器证书由知名 CA 签名,这是因为现代浏览器可用的 CA 证书集远大于 JDK/JRE 附带的有限集.
Assuming the server certificate is signed by a well-known CA, this is happening because the set of CA certificates available to a modern browser is much larger than the limited set that is shipped with the JDK/JRE.
您提到的其中一篇文章中给出的 EasySSL 解决方案只是掩盖了错误,您将不知道服务器是否具有有效证书.
The EasySSL solution given in one of the posts you mention just buries the error, and you won't know if the server has a valid certificate.
您必须将正确的根 CA 导入您的密钥库以验证证书.使用现有的 SSL 代码无法解决这个问题是有原因的,这是为了防止您编写看似安全但实际上并不安全的程序.
You must import the proper Root CA into your keystore to validate the certificate. There's a reason you can't get around this with the stock SSL code, and that's to prevent you from writing programs that behave as if they are secure but are not.
这篇关于SSL“对等方未认证"HttpClient 4.1 错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
