如何让 Restlet 客户端忽略 SSL 证书问题 [英] How to make Restlet client ignore SSL Certificate problems

问题描述

我目前在服务器具有默认自签名 SSL 证书的测试环境中工作.我正在使用 Restlet 2.1-RC2 并像这样实例化客户端资源:

I am currently working in a test environment where the server has a default Self signed SSL certificate. I am using Restlet 2.1-RC2 and instantiating client resource like this:

Client client = new Client(new Context(), Protocol.HTTP);
cr = new ClientResource(String.format(itql_endpoint,riQuery));
cr.setNext(client);

并在每次调用时重用客户端.如何设置客户端以使其忽略有问题的证书.

and reusing client for each call I make. How can I set up client so that it ignores problematic certificates.

推荐答案

正确的方法是使用 keytool 将此自签名证书导入客户端的信任库中例如:

The right way is to import this self-signed certificate into the client's trust store, using keytool for example:

keytool -import -file server-cert.pem -alias myserver -keystore mytruststore.jks

您可以直接在 JRE 的信任库 (lib/security/cacerts) 中执行此操作，这可能缺乏一些灵活性，或者在您自己的此文件副本中执行此操作，然后进行设置作为信任存储(默认密码是 changeit 或 changeme 在 OSX 上).您可以使用通常的 javax.net.ssl.trustStore* 系统属性(例如 -Djavax.net.ssl.trustStore=mytruststore 系统属性(和 -Djavax.net.ssl.trustStorePassword) 或者您可以使用服务器上下文参数为 Restlet 中的特定连接器配置它，例如:

You can either do it directly in the JRE's trust store (lib/security/cacerts), which may lack some flexibility, or do it in your own copy of this file, which you then set as the trust store (the default password is changeit or changeme on OSX). You configure this truststore globally for your application using the usual javax.net.ssl.trustStore* system properties (e.g. -Djavax.net.ssl.trustStore=mytruststore system property (and -Djavax.net.ssl.trustStorePassword) or you can configure it for a specific connector in Restlet using the server context parameters, for example:

Series<Parameter> parameters = client.getContext().getParameters();
parameters.add("truststorePath", "/path/to/your/truststore.jks");
// parameters.add("truststorePassword", "password");
// parameters.add("trustPassword", "password");
// parameters.add("truststoreType", "JKS");

错误的方法是使用 TrustManager 将禁用任何验证并通过 SslContextFactory(在 SSL 扩展中).类似的东西.

The wrong way is to use a TrustManager that's going to disable any verification and pass it via an SslContextFactory (in the SSL extension). Something along these lines.

TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain,
                    String authType)
                    throws CertificateException {
    }

    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    public void checkServerTrusted(X509Certificate[] chain,
                    String authType)
                    throws CertificateException {
        // This will never throw an exception.
        // This doesn't check anything at all: it's insecure.
    }
};

final SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] {tm}, null);
Context context = client.getContext();
context.getAttributes().put("sslContextFactory", new SslContextFactory() {
    public void init(Series<Parameter> parameters) { }
    public SSLContext createSslContext() { return sslContext; }
});

虽然第一种方法似乎比第二种方法更乏味(因为您需要先获取服务器证书并复制文件)，但第二种方法只会通过不验证有关服务器证书的任何内容来消除错误消息，从而使其容易受到主动 MITM 攻击.这将适用于配置了此 SSLContext 的任何连接.(这个错误的方式并没有错，因为它使用了自定义的SSLContext，它是错误的，因为SSLContext 的这种特殊配置.)

While the first method may seem a bit more tedious than the second (since you need to obtain the server certificate first and copy files around), the second will simply make the error messages go away by not verifying anything about the server certificate, thereby making it vulnerable to active MITM attacks. This will apply to any connection where this SSLContext is configured. (This "wrong way isn't wrong because it uses a custom SSLContext, it's wrong because of this particular configuration of the SSLContext.)

这篇关于如何让 Restlet 客户端忽略 SSL 证书问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！