如何绕过 Java Web 服务客户端中的证书检查 [英] How to bypass certificate checking in a Java web service client
问题描述
用例:有一个网络服务发布为 https://a.b.c.d/zz?wsdl
Use Case: There is a web service posted as https://a.b.c.d/zz?wsdl
我想要做的是查询这个 URI,如果我得到一个有效的 WSDL,我返回一个布尔值真",否则返回假".现在,如果我通过 Chrome 浏览器访问此 URL,则必须手动接受证书警告,然后下载 WSDL.但是如何通过 Java/HttpsURLConnection 做到这一点
What i would like to do is to query this URI and IF i get a VALID WSDL, i return a boolean "true" else "false. Now, if i go via Chrome browser to this URL, i would have to manually do an accept on the cert warning, and THEN the WSDL gets downloaded. But how can do this via Java / HttpsURLConnection
import java.net.URL;
import java.io.*;
import javax.net.ssl.HttpsURLConnection;
public class JavaHttpsExample
{
public static void main(String[] args)
throws Exception
{
String httpsURL = "https://a.b.c.d/zz/V2.0/api?wsdl";
URL myurl = new URL(httpsURL);
HttpsURLConnection con = (HttpsURLConnection)myurl.openConnection();
InputStream ins = con.getInputStream();
InputStreamReader isr = new InputStreamReader(ins);
BufferedReader in = new BufferedReader(isr);
String inputLine;
while ((inputLine = in.readLine()) != null)
{
System.out.println(inputLine);
}
in.close();
}
}
然后我得到一个错误:
线程main"中的异常javax.net.ssl.SSLHandshakeException:java.security.cert.CertificateException:没有主题替代名称在以下位置找到匹配的 IP 地址 a.b.c.dcom.sun.net.ssl.internal.ssl.Alerts.getSSLException(来源不明)在 com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(来源不明)在 com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(来源不明)在 com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(来源不明)在com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(未知来源)在com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(未知来源)在com.sun.net.ssl.internal.ssl.Handshaker.processLoop(来源不明)在 com.sun.net.ssl.internal.ssl.Handshaker.process_record(未知来源)在com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(来源不明)在com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(未知来源)在com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(未知来源)在com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(未知来源)在sun.net.www.protocol.https.HttpsClient.afterConnect(来源不明)在sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(未知来源)在sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown来源)在sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown来源)在 JavaHttpsExample.main(JavaHttpsExample.java:14) 引起:java.security.cert.CertificateException:没有主题替代名称在以下位置找到匹配的 IP 地址 a.b.c.dsun.security.util.HostnameChecker.matchIP(Unknown Source) atsun.security.util.HostnameChecker.match(Unknown Source) atcom.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(未知来源)在com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(未知来源)
Exception in thread "main" javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address a.b.c.d found at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) at JavaHttpsExample.main(JavaHttpsExample.java:14) Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address a.b.c.d found at sun.security.util.HostnameChecker.matchIP(Unknown Source) at sun.security.util.HostnameChecker.match(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
我已经用 a.b.c.d 替换了真实 IP(当然)
i have replaced the real IP with a.b.c.d (of course)
推荐答案
不要使用存根的 TrustManager,因为这会使您的应用程序信任每个人.我建议下载该站点提供的证书并将其添加到私有的、受信任的密钥库中.这让您可以为该站点设置例外,而无需为所有人开绿灯.
Don't use a stubbed out TrustManager as this makes your application trust everyone. I would recommend downloading the certificate presented by the site and adding it to a private, trusted keystore. This lets you make an exception for that one site without greenlighting everyone.
我也喜欢这种方法,因为它不需要更改代码.
I also like this approach because it requires no code changes.
在 Chrome 中,点击网址左侧的锁定图标.然后点击证书信息".转到详细信息"选项卡,然后单击复制到文件".将其作为base64 编码的 X.509 (.cer)"保存到SITENAME.cer".
In Chrome, click the lock icon to the left of the url. Then click "Certificate Information". Go to the "Details" tab and click "Copy to file". Save it as a "base64 encoded X.509 (.cer)" to "SITENAME.cer".
将 $JAVA_HOME/lib/security/cacerts 作为mykeystore.jks"复制到您的应用程序目录.
Copy $JAVA_HOME/lib/security/cacerts to your application's directory as "mykeystore.jks".
安装证书:
keytool -keystore mykeystore.jks -storepass changeit -importcert -alias SITENAME -trustcacerts -file SITE.cer
现在,当您运行应用程序时,告诉它使用私有证书存储:
Now, when you run your application, tell it to use the private certificate store:
java -Djavax.net.ssl.trustStore=mykeystore.jks ...
这篇关于如何绕过 Java Web 服务客户端中的证书检查的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
