java - ignore expired ssl certificate


Problem description

URL myUrl = new URL("https://www.....");

SSL Certificate of website is expired. How to avoid it and make URL() work?

Recommended answer

You should build a TrustManager that wraps the default trust manager, catches the CertificateExpiredException and ignores it.

Note: as detailed in this answer, whether or not this is secure is very much implementation dependent. In particular, it relies on the date validation being done last, after everything else has been checked properly.

Something along these lines should work:

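import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

TrustManagerFactory tmf = TrustManagerFactory.getInstance(
    TrustManagerFactory.getDefaultAlgorithm());
// Initialise the TMF as you normally would, for example:
tmf.init((KeyStore)null);

TrustManager[] trustManagers = tmf.getTrustManagers();
final X509TrustManager origTrustmanager = (X509TrustManager)trustManagers[0];

TrustManager[] wrappedTrustManagers = new TrustManager[]{
   new X509TrustManager() {
       public X509Certificate[] getAcceptedIssuers() {
          return origTrustmanager.getAcceptedIssuers();
       }

       // The delegate throws the checked CertificateException, so it must be declared.
       public void checkClientTrusted(X509Certificate[] certs, String authType)
               throws CertificateException {
           origTrustmanager.checkClientTrusted(certs, authType);
       }

       public void checkServerTrusted(X509Certificate[] certs, String authType)
               throws CertificateException {
           try {
               origTrustmanager.checkServerTrusted(certs, authType);
           } catch (CertificateExpiredException e) {
               // Deliberately ignored: only the expiry failure is swallowed.
               // Every other CertificateException still propagates.
           }
       }
   }
};

SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, wrappedTrustManagers, null);
// Applies to every HttpsURLConnection created in this JVM from now on.
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());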

The trust managers throw CertificateExceptions (see subclasses for details) when something is wrong with a certificate. Be specific in what you want to catch/ignore. Everything you really want validated has to be checked before what you catch is potentially thrown, or you'll have to validate it manually too. Anything more relaxed than this (in particular, not doing anything and therefore not throwing any exception) will ignore the certificate verification and validation altogether, which is about the same as using anonymous cipher suites or ignoring authentication. This would defeat the security purpose of using SSL/TLS (as opposed to being only a bit more flexible on the expiry date).
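
One way to follow the "validate it manually too" advice, as an added example that is not the answer's code: when the default trust manager fails because of expiry, the whole chain is validated again with PKIX, with the validation date set just inside the leaf certificate's validity window, so the result does not depend on the order in which the implementation runs its checks. The class name, the grace-period parameter and the choice to leave revocation checking off are assumptions.

```java
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.X509TrustManager;

// Added example, not the answer's code; class name and grace period are assumptions.
public final class ExpiryTolerantTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;   // platform default trust manager
    private final long maxGraceMillis;         // tolerated time past notAfter
    public ExpiryTolerantTrustManager(X509TrustManager delegate, long maxGraceMillis) {
        this.delegate = delegate;
        this.maxGraceMillis = maxGraceMillis;
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);   // nothing relaxed for client certs
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            delegate.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            Throwable t = e;   // the expiry may be wrapped, so walk the cause chain
            while (t != null && !(t instanceof CertificateExpiredException)) t = t.getCause();
            if (t == null) throw e;                     // any other failure still rejects
            revalidateBeforeExpiry(chain, e);
        }
    }
    // Re-run PKIX path validation with the clock set just inside the leaf's validity window.
    private void revalidateBeforeExpiry(X509Certificate[] chain, CertificateException original)
            throws CertificateException {
        Date notAfter = chain[0].getNotAfter();
        if (System.currentTimeMillis() - notAfter.getTime() > maxGraceMillis) throw original;
        List<X509Certificate> roots = Arrays.asList(delegate.getAcceptedIssuers());
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : roots) anchors.add(new TrustAnchor(ca, null));
        List<X509Certificate> path = new ArrayList<>();   // leaf first, trust anchor left out
        for (int i = 0; i < chain.length && (i == 0 || !roots.contains(chain[i])); i++) path.add(chain[i]);
        try {
            PKIXParameters params = new PKIXParameters(anchors);
            params.setDate(new Date(notAfter.getTime() - 1000L));
            params.setRevocationEnabled(false);   // assumption: no CRL/OCSP source configured
            CertPathValidator.getInstance("PKIX").validate(
                CertificateFactory.getInstance("X.509").generateCertPath(path), params);
        } catch (java.security.GeneralSecurityException ex) {
            throw new CertificateException("chain does not validate even before expiry", ex);
        }
    }
}
```

Installing the resulting socket factory on a single connection with `HttpsURLConnection.setSSLSocketFactory` keeps the relaxation away from every other HTTPS connection in the JVM. Host name verification is a separate step and still applies.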
