OkHttp是否支持接受自签名SSL证书? [英] Does OkHttp support accepting self-signed SSL certs?
问题描述
我正在为拥有自签名SSL证书的服务器的客户工作。
I'm working for a customer who has a server with self-signed SSL cert.
我正在使用包装的OkHttp客户端使用Retrofit + CustomClient:
I'm using Retrofit + CustomClient using wrapped OkHttp client:
RestAdapter restAdapter = new RestAdapter.Builder().setEndpoint(Config.BASE_URL + Config.API_VERSION)
.setClient(new CustomClient(new OkClient(), context))
.build();
OkHttp是否支持默认调用自签名SSL证书服务器?
Does OkHttp support calling Self-Signed SSL cert server by default?
顺便说一下。哪个客户端默认使用Retrofit?我认为这是OkHttp,但当我研究了一点时,我意识到我需要导入OkHttp依赖项
By the way. Which client is using Retrofit by default? I thought it was OkHttp but when I researched a bit more I realized I needed to import OkHttp dependencies
推荐答案
是的,确实如此。
Retrofit允许您设置自定义HTTP客户端,根据您的需要进行配置。
Retrofit allows you to set your custom HTTP client, that is configured to your needs.
至于自我已签署SSL证书有此处的讨论。该链接包含代码示例,用于将自签名SLL添加到Android的 DefaultHttpClient 并将此客户端加载到Retrofit。
As for self signed SSL certs there is a discussion here. The link contains code samples to add self signed SLL to Android's DefaultHttpClient and to load this client to Retrofit.
如果你需要 OkHttpClient 接受自签名SSL,你需要传递它自定义 javax.net.ssl.SSLSocketFactory 实例通过 setSslSocketFactory(SSLSocketFactory sslSocketFactory)方法。
If you need OkHttpClient to accept self signed SSL, you need to pass it custom javax.net.ssl.SSLSocketFactory instance via setSslSocketFactory(SSLSocketFactory sslSocketFactory) method.
获得套接字工厂的最简单方法是从<$获取一个c $ c> javax.net.ssl.SSLContext 如此处所述。
The easiest method to get a socket factory is to get one from javax.net.ssl.SSLContext as discussed here.
以下是配置OkHttpClient的示例:
Here is a sample for configuring OkHttpClient:
OkHttpClient client = new OkHttpClient();
KeyStore keyStore = readKeyStore(); //your method to obtain KeyStore
SSLContext sslContext = SSLContext.getInstance("SSL");
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "keystore_pass".toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(),trustManagerFactory.getTrustManagers(), new SecureRandom());
client.setSslSocketFactory(sslContext.getSocketFactory());
更新了okhttp3的代码(使用构建器):
Updated code for okhttp3 (using builder):
OkHttpClient client = new OkHttpClient.Builder()
.sslSocketFactory(sslContext.getSocketFactory())
.build();
客户现在配置为使用 KeyStore 中的证书。但是它只会信任 KeyStore 中的证书,并且不会信任其他任何内容,即使您的系统默认信任它们。 (如果您的 KeyStore 中只有自签名证书,并尝试通过HTTPS连接到Google主页,您将获得 SSLHandshakeException )。
the client here is now configured to use certificates from your KeyStore. However it will only trust the certificates in your KeyStore and will not trust anything else, even if your system trust them by default. (If you have only self signed certs in your KeyStore and try to connect to Google main page via HTTPS you will get SSLHandshakeException).
您可以从文件中获取 KeyStore 实例,如 docs :
You can obtain KeyStore instance from file as seen in docs:
KeyStore readKeyStore() {
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// get user password and file input stream
char[] password = getPassword();
java.io.FileInputStream fis = null;
try {
fis = new java.io.FileInputStream("keyStoreName");
ks.load(fis, password);
} finally {
if (fis != null) {
fis.close();
}
}
return ks;
}
如果你在Android上,你可以把它放在 res / raw 文件夹并使用
从 Context 实例获取
If you are on android you can put it in res/raw folder and get it from a Context instance using
fis = context.getResources().openRawResource(R.raw.your_keystore_filename);
有几个关于如何创建密钥库的讨论。例如 here
There are several discussions on how to create your keystore. For example here
这篇关于OkHttp是否支持接受自签名SSL证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
