为什么我会得到javax.net.ssl.SSLPeerUnverifiedException：peer只在生产环境中未经过身份验证？ [英] Why do I get javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated only in production?

问题描述

我有一个grails 1.3.7应用程序，它使用apache HttpClient对第三方进行https api调用。我正在点击的第三方网址有一个有效的证书。我创建并执行我的请求，如下所示：

  HttpClient client = new DefaultHttpClient（）
 
 List< BasicNameValuePair> queryParams = new ArrayList< BasicNameValuePair>（）
 queryParams.add（new BasicNameValuePair（a_parameter，a_parameter_value））
 
 URI uri = URIUtils.createURI（https，third .party.address，443，/ some / url / for / us，URLEncodedUtils.format（queryParams，UTF-8），null）
 HttpGet httpGet = new HttpGet（uri）
 
尝试{
 log.debug发送请求到$ {uri}
返回client.execute（httpGet）
} catch（HttpException e）{
 log。错误位置查找请求期间的HttpException：$ {e}
 return 
} catch（IOException e）{
 log.error位置查找请求期间的IOException：$ {e}
返回
} 
  

当我以开发模式运行我的项目时， 。我也可以直接从curl和我的浏览器调用相同的URL，没有任何错误。但是，一旦我的项目被构建到一个war文件中，并且放置了一个定义了证书/密钥库的tomcat实例，以便客户端可以使用https连接到US，那么我的请求会因以下IOException而失败：

  javax.net.ssl.SSLPeerUnverifiedException：peer not authenticated 
  

我试图弄清楚这里的失败点。

为什么从curl或我的开发模式发起https请求与从https配置的tomcat实例发出https请求不同？

tomcat实例不可公开访问，但从我的浏览器连接到它时没有证书问题（chrome认为证书没问题，就像一个详细的curl请求一样）。

我不是任何一个https / ssl专家，所以我在寻求帮助解释什么是错的，为什么错了，以及如何解决它。我可以提供任何其他需要的信息。

---更新---
我启用了 javax.net.debug 如下所示，输出包含以下错误：

  java.lang .RuntimeException：意外的错误：java.security.InvalidAlgorithmParameterException：trustAnchors参数必须是
非空
  

我的谷歌搜索让我觉得这个问题是因为我在启动tomcat时使用了以下java选项：

 <$ c $ 

<如果这是真的，我怎么能在myStore.jks中添加我需要的东西，而不是覆盖默认值，这样每个人都开心？ 对于我来说，解决方案最终是因为我们用java选择了我们自己的默认Java信任存储。这导致由第三方发送的证书似乎无效，因为我们在myStore.jks中没有任何默认的根证书。

通过添加我们的自签名证书到默认的java（/ lib / security / cacerts）并删除java opt，一切都很好。

另一种方法是将所有默认的java存储到你的自定义存储中，并仍然使用java opt。无论你发现哪种情况更容易维护。

I have a grails 1.3.7 application that makes an https api call to a third party using the apache HttpClient. The third party URL I'm hitting has a valid certificate. I create and execute my request like so:

HttpClient client = new DefaultHttpClient()

List<BasicNameValuePair> queryParams = new ArrayList<BasicNameValuePair>()
queryParams.add(new BasicNameValuePair("a_parameter", "a_parameter_value"))

URI uri = URIUtils.createURI("https", "third.party.address", 443, "/some/url/for/us", URLEncodedUtils.format(queryParams, "UTF-8"), null)
HttpGet httpGet = new HttpGet(uri)

try {
    log.debug "Sending request to ${uri}"
    return client.execute(httpGet)
} catch(HttpException e) {
    log.error "HttpException during location lookup request: ${e}"
    return
} catch(IOException e) {
    log.error "IOException during location lookup request: ${e}"
    return
}

This works fine when I'm running my project in dev mode. I'm also able to directly call the same URL from curl and my browser with no errors. However, once my project is built into a war file and put on a tomcat instance that has a certificate/keystore defined so that clients can connect to US using https, my requests start failing with the following IOException:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

I'm trying to figure out the point of failure here.

Why is making an https request from curl or my dev mode different than making an https request from an https configured tomcat instance?

The tomcat instance is not publicly accessible, but there are no certificate issues when I connect to it from my browser (chrome says the cert is fine, as does a verbose curl request).

I'm not an https/ssl expert by any stretch, so I'm looking for help explaining what is wrong, why it's wrong, and how I can fix it. I can provide any other needed info.

---Update--- I enabled the javax.net.debug as suggested below and the output included the following error:

java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be\
 non-empty

My googling has made me think that this issue is because I'm using the following java opt when starting tomcat:

-Djavax.net.ssl.trustStore=/path/to/tomcat/conf/myStore.jks

If that's true, how can I add the things I needed in myStore.jks and not override the defaults so everyone is happy?

解决方案

The solution for me ended up being that we were overriding the default java trust store with our own with the java opt. This caused the cert sent by the third party to appear to be invalid since we didn't have any of the default root certs in our myStore.jks.

By adding our self-signed cert into the default java one (/lib/security/cacerts) and removing the java opt, everything was fine.

An alternative would be to add everything in the default java store into your custom store and still use the java opt. Whichever you find more maintainable for your situation.

这篇关于为什么我会得到javax.net.ssl.SSLPeerUnverifiedException：peer只在生产环境中未经过身份验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！