Does Java support Let's Encrypt certificates?

Problem description

I am developing a Java application that queries a REST API on a remote server over HTTP. For security reasons this communication should be switched to HTTPS.

Now that Let's Encrypt started their public beta, I'd like to know if Java currently works (or is confirmed to be working in the future) with their certificates by default.

Let's Encrypt got their intermediate cross-signed by IdenTrust, which should be good news. However, I cannot find any of these two in the output of this command:

keytool -keystore "..\lib\security\cacerts" -storepass changeit -list

I know that trusted CAs can be added manually on each machine, but since my application should be free to download and executable without any further configuration, I am looking for solutions that work "out of the box". Do you have good news for me?

Recommended answer

[Update 2016-06-08: According to https://bugs.openjdk.java.net/browse/JDK-8154757 the IdenTrust CA will be included in Oracle Java 8u101.]

[Update 2016-08-05: Java 8u101 has been released and does indeed include the IdenTrust CA: release notes]


Does Java support Let's Encrypt certificates?

Yes. The Let's Encrypt certificate is just a regular public key certificate. Java supports it (according to Let's Encrypt Certificate Compatibility, for Java 7 >= 7u111 and Java 8 >= 8u101).


Does Java trust Let's Encrypt certificates out of the box?

No / it depends on the JVM. The truststore of Oracle JDK/JRE up to 8u66 contains neither the Let's Encrypt CA specifically nor the IdenTrust CA that cross signed it. new URL("https://letsencrypt.org/").openConnection().connect(); for example results in javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException.

You can however provide your own validator / define a custom keystore that contains the required root CA or import the certificate into the JVM truststore.

https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134/10 also discusses the topic.

Here is some example code that shows how to add a certificate to the default truststore at runtime. You'll just need to add the certificate (exported from firefox as .der and put in classpath)

Based on "How to get a list of trusted root certificates in Java?" and http://developer.android.com/training/articles/security-ssl.html#UnknownCa

import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class SSLExample {
    // BEGIN ------- ADDME
    static {
        try {
            // Start from the JVM's default truststore so the normally trusted
            // public CAs stay trusted; only the extra root is added on top.
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            Path ksPath = Paths.get(System.getProperty("java.home"),
                    "lib", "security", "cacerts");
            try (InputStream ksInput = Files.newInputStream(ksPath)) {
                keyStore.load(ksInput, "changeit".toCharArray());
            }

            // Add the cross-signing root (DST Root CA X3) as an extra trusted entry
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream caInput = new BufferedInputStream(
                    // this file is shipped with the application
                    SSLExample.class.getResourceAsStream("DSTRootCAX3.der"))) {
                Certificate crt = cf.generateCertificate(caInput);
                System.out.println("Added Cert for " + ((X509Certificate) crt)
                        .getSubjectDN());

                keyStore.setCertificateEntry("DSTRootCAX3", crt);
            }

            if (false) { // enable to see
                System.out.println("Truststore now trusting: ");
                PKIXParameters params = new PKIXParameters(keyStore);
                params.getTrustAnchors().stream()
                        .map(TrustAnchor::getTrustedCert)
                        .map(X509Certificate::getSubjectDN)
                        .forEach(System.out::println);
                System.out.println();
            }

            TrustManagerFactory tmf = TrustManagerFactory
                    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(keyStore);
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tmf.getTrustManagers(), null);
            SSLContext.setDefault(sslContext);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
    // END ---------- ADDME

    public static void main(String[] args) throws IOException {
        // signed by default trusted CAs.
        testUrl(new URL("https://google.com"));
        testUrl(new URL("https://www.thawte.com"));

        // signed by letsencrypt
        testUrl(new URL("https://helloworld.letsencrypt.org"));
        // signed by LE's cross-sign CA
        testUrl(new URL("https://letsencrypt.org"));
        // expired
        testUrl(new URL("https://tv.eurosport.com/"));
        // self-signed
        testUrl(new URL("https://www.pcwebshop.co.uk/"));

    }

    static void testUrl(URL url) throws IOException {
        URLConnection connection = url.openConnection();
        try {
            connection.connect();
            System.out.println("Headers of " + url + " => "
                    + connection.getHeaderFields());
        } catch (SSLHandshakeException e) {
            System.out.println("Untrusted: " + url);
        }
    }

}
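The answer's code replaces the default SSLContext and then probes live hosts to see what is trusted. A complementary check, before shipping an application that must work "out of the box", is to inspect the JVM's own cacerts file and to validate a saved certificate chain against it offline with the same PKIX rules the TLS stack uses. The following is an added example, not code from the question or answer: it lists the trust anchors whose subject matches a search string (with their SHA-256 fingerprint, so they can be compared against the CA's published value) and validates a PEM chain file given as a command-line argument. The class name `TruststoreCheck`, the search strings and the chain-file argument are this example's own choices; "ISRG" refers to Let's Encrypt's own root, which the page does not mention.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Offline diagnostics for the JVM truststore (added example, not the answer's code). */
public class TruststoreCheck {

    /** Loads the JVM's default cacerts truststore; "changeit" is the JDK's default password. */
    static KeyStore loadDefaultTruststore() throws Exception {
        Path ksPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(ksPath)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    /** Subject DNs (plus SHA-256 fingerprint) of anchors whose subject contains the text, case-insensitively. */
    static List<String> findAnchors(KeyStore ks, String subjectContains) throws Exception {
        List<String> hits = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                String subject = ((X509Certificate) c).getSubjectX500Principal().getName();
                if (subject.toLowerCase().contains(subjectContains.toLowerCase())) {
                    hits.add(subject + "  sha256=" + fingerprint(c));
                }
            }
        }
        return hits;
    }

    /** Hex SHA-256 of the DER encoding, the value CAs publish for their roots. */
    static String fingerprint(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /**
     * Validates a server chain (PEM file: leaf first, then intermediates, without the root)
     * against the truststore with PKIX, as the TLS TrustManager does.
     * Returns null when the chain validates, otherwise the validator's reason.
     */
    static String validateChain(KeyStore truststore, Path pemChain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pemChain)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(truststore);
        params.setRevocationEnabled(false); // offline check; revocation is a separate concern
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getReason() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadDefaultTruststore();
        // The anchors a Let's Encrypt chain can lead to: IdenTrust (cross-sign) or ISRG (own root)
        for (String needle : new String[] {"IdenTrust", "ISRG"}) {
            List<String> found = findAnchors(ks, needle);
            System.out.println(needle + ": " + (found.isEmpty() ? "NOT in default truststore" : found));
        }
        // Optional: java TruststoreCheck chain.pem (leaf + intermediates saved from the server)
        if (args.length > 0) {
            String problem = validateChain(ks, Paths.get(args[0]));
            System.out.println(problem == null ? "chain validates" : "chain rejected: " + problem);
        }
    }
}
```

Running this on each JVM you intend to support (for example 8u66 versus 8u101, as discussed above) shows directly whether the cross-signing root is present, and `validateChain` reproduces the `ValidatorException` the answer mentions without a network connection, which makes the result reproducible in a build pipeline.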
