在Java客户端中接受服务器的自签名ssl证书 [英] Accept server's self-signed ssl certificate in Java client

问题描述

它看起来像一个标准问题，但我无法在任何地方找到明确的指示。

It looks like a standard question, but I couldn't find clear directions anywhere.

我有java代码尝试连接到可能已签名的服务器（或过期）证书。该代码报告以下错误：

I have java code trying to connect to a server with probably self-signed (or expired) certificate. The code reports the following error :

[HttpMethodDirector] I/O exception (javax.net.ssl.SSLHandshakeException) caught 
when processing request: sun.security.validator.ValidatorException: PKIX path 
building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

根据我的理解，我必须使用 keytool 并告诉java允许这种连接是可以的。

As I understand it, I have to use keytool and tell java that it's OK to allow this connection.

解决此问题的所有说明都假设我完全熟练使用keytool，例如

All instructions to fix this problem assume I'm fully proficient with keytool, such as

为服务器生成私钥并将其导入密钥库

generate private key for server and import it into keystore

是否有人可以发布详细说明？

Is there anybody who could post detailed instructions?

我正在运行unix，所以bash脚本最好。

I'm running unix, so bash script would be best.

不确定它是否重要，但是在jboss中执行的代码。

Not sure if it's important, but code executed in jboss.

推荐答案

这里基本上有两个选项：将自签名证书添加到JVM信任库或配置客户端

You have basically two options here: add the self-signed certificate to your JVM truststore or configure your client to

从浏览器导出证书并将其导入JVM信任库（以建立信任链）：

Export the certificate from your browser and import it in your JVM truststore (to establish a chain of trust):

<JAVA_HOME>\bin\keytool -import -v -trustcacerts
-alias server-alias -file server.cer
-keystore cacerts.jks -keypass changeit
-storepass changeit 

选项2

禁用证书验证：

Option 2

Disable Certificate Validation:

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { 
    new X509TrustManager() {     
        public java.security.cert.X509Certificate[] getAcceptedIssuers() { 
            return new X509Certificate[0];
        } 
        public void checkClientTrusted( 
            java.security.cert.X509Certificate[] certs, String authType) {
            } 
        public void checkServerTrusted( 
            java.security.cert.X509Certificate[] certs, String authType) {
        }
    } 
}; 

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance("SSL"); 
    sc.init(null, trustAllCerts, new java.security.SecureRandom()); 
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (GeneralSecurityException e) {
} 
// Now you can access an https URL without having the certificate in the truststore
try { 
    URL url = new URL("https://hostname/index.html"); 
} catch (MalformedURLException e) {
} 

请注意我根本不推荐选项＃2 。禁用信任管理器会使SSL的某些部分失败，并使您在中间攻击中容易受到攻击。首选选项＃1，或者更好的是，让服务器使用由知名CA签名的真实证书。

Note that I do not recommend the Option #2 at all. Disabling the trust manager defeats some parts of SSL and makes you vulnerable to man in the middle attacks. Prefer Option #1 or, even better, have the server use a "real" certificate signed by a well known CA.

这篇关于在Java客户端中接受服务器的自签名ssl证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！