A straightforward way to open self-signed HTTPS SSL URLs in java?


Problem description

I'm building an application that needs to open self-signed HTTPS SSL URLs in java. I've learned that you can bypass the SSL problems by adding a call to HttpsURLConnection.setDefaultHostnameVerifier() where you say what hostnames are allowed.

However, I have a second problem where my servers are running self-signed certs. So even with the hostname bypass I'm getting exceptions like:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've looked around and the only solution I've found is to add the certificate to the java key store, but this is a problem for me because I have no control over when or how they update java, and I've read that the keystore isn't preserved between updates, and I have no access to the system outside of the JVM.

My application will only make calls to a single server so if there was a way to bypass the self-signed restrictions, and never consult keystores, it wouldn't be a security problem, but is there a way to do this?

Recommended answer


I'm building an application that needs to open self-signed HTTPS SSL URLs in java. I've learned that you can bypass the SSL problems by adding a call to HttpsURLConnection.setDefaultHostnameVerifier() where you say what hostnames are allowed.

There are some misconceptions from your question:
Hostname verification is unrelated to whether the certificate is self-signed or not.
It is a verification that matches the domain you are trying to access with the certificate info (CN or Subject Alt Name).

You would need to configure the verifier if you needed to accept a certificate that did not match the url (not recommended at all!!!)

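Concerning the self-signed part:

It is irrelevant.

You can configure your application to load your own custom truststore, which includes the certificates that your application will trust. In fact, this is the best approach (better than using Java's cacerts).

All you have to do is import the certificate into a keystore (JKS or PKCS12) and load it into your custom TrustManagers in your application.

Just google around, there are plenty of examples, e.g. self-signed-ssl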
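The custom-truststore approach described in the answer could look like the following. This is an added example, not code from the original answer; the class name, the resource path /server-truststore.p12, the password changeit and the URL https://server.example/ are assumed placeholders.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CustomTrustStoreClient {

    // Builds an SSLContext that trusts only the certificates in the bundled truststore.
    static SSLContext contextFromTrustStore(String resource, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = CustomTrustStoreClient.class.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IllegalStateException("truststore not found on classpath: " + resource);
            }
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholders: resource path, password and URL.
        SSLContext ctx = contextFromTrustStore("/server-truststore.p12", "changeit".toCharArray());

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://server.example/").openConnection();
        // Scope the custom trust to this one connection; JVM-wide defaults stay untouched.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is left in place, so the certificate's
        // Subject Alt Name (or CN) must still match the host in the URL.
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

The truststore can be created once with `keytool -importcert -alias server -file server.crt -keystore server-truststore.p12 -storetype PKCS12` and shipped inside the application, so it does not depend on the JVM's cacerts file surviving a Java update.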
