SSL“Peer Not Authenticated” HttpClient 4.1出错 [英] SSL "Peer Not Authenticated" error with HttpClient 4.1
问题描述
我正在构建一个简单的应用监视器来轮询我们的一个API URL并向我们发送电子邮件,如果它无法从响应中获取HTTP 200状态代码(这表明我们的API因某种原因而关闭)。
I am building a simple app monitor to poll one of our API URLs and email us if it can't get a HTTP 200 status code from the response (this would indicate our API is down for some reason).
我正在使用HttpClient 4.1 (这很重要,因为它的API与3.x的非常。)
I am using HttpClient 4.1 (this is important because its API differs greatly from 3.x).
我们的API使用SSL是安全的,但输入:
Our API is secure with SSL, however entering:
进入网络浏览器会将您重定向到
into a web browser redirects you to
不会导致任何错误。
当HttpClient尝试点击此网址时( http://example.com/our-api ),它失败了一个 javax.net.ssl.SSLPeerUnverifiedException 异常,并带有一条消息说明:
When HttpClient attempts to hit this URL (http://example.com/our-api), it fails with a javax.net.ssl.SSLPeerUnverifiedException exception with a message stating:
peer not authenticated
peer not authenticated
我看到这种情况发生了很多其他人都可以通过这个帖子证明这一点(这也提供了一些规避这个的方法)问题 - 我今晚要尝试并实施的解决方案。)
I see this happening a lot for other people as is evidenced by this post (which also provides some ways of circumventing this problem - a solution that I am going to try and implement tonight in fact).
这个其他帖子(和其他类似的帖子)不做的是解释为什么会发生这种情况!所以,而不是问我该如何解决这个问题?我想我会问为什么会发生这种情况?在我提前解决其中一个建议的解决方案之前,我想知道我试图解决的问题是什么; - )
What this other post (and the other similar ones to it) do not do is explain why this is happening in the first place! So, rather than ask "how do I fix this?" I figured I would ask "why is this happening?" Before I go barging ahead with one of the proposed solutions, I'd like to know what the problem is that I'm attempting to fix ;-)
推荐答案
如果服务器的证书是自签名的,那么这是按设计工作的,你必须导入服务器的证书进入您的密钥库。
If the server's certificate is self-signed, then this is working as designed and you will have to import the server's certificate into your keystore.
假设服务器证书由知名CA签名,这种情况正在发生,因为现代浏览器可用的CA证书集远大于随JDK / JRE一起提供的有限集。
Assuming the server certificate is signed by a well-known CA, this is happening because the set of CA certificates available to a modern browser is much larger than the limited set that is shipped with the JDK/JRE.
您提到的其中一个帖子中给出的EasySSL解决方案只会掩盖错误,您不会知道是否服务器具有有效证书。
The EasySSL solution given in one of the posts you mention just buries the error, and you won't know if the server has a valid certificate.
您必须将正确的根CA导入密钥库以验证证书。有一个原因是你不能用股票SSL代码解决这个问题,那就是为了防止你编写那些表现得像是安全但不安全的程序。
You must import the proper Root CA into your keystore to validate the certificate. There's a reason you can't get around this with the stock SSL code, and that's to prevent you from writing programs that behave as if they are secure but are not.
这篇关于SSL“Peer Not Authenticated” HttpClient 4.1出错的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
