Apache HttpClient使用自己的SSL证书 [英] Apache HttpClient use own SSL-certificates

问题描述

我正在尝试使用带有Java7的httpclient 4.0.3连接到https安全的restwebservice。
我的代码如下所示：

I am trying to connect to a https secured restwebservice using httpclient 4.0.3 with Java7. My code looks like this:

    public static void main(String[] args) throws Exception {

    ClientRequest req = new ClientRequest("https://127.0.0.16:8443/rest/lstgs/create", new ApacheHttpClient4Executor(doSSLBlackMagic()));

    // ... random stuff that has nothing to do with SSL

    ClientResponse<String> response = req.post(String.class);
    if (response.getStatus() != 201) {
        throw new RuntimeException("error, status: " + response.getStatus() + " / " + response.getEntity());
    } else {
        System.out.println(response.getEntity());
    }
}

public static KeyStore loadTrustStore() throws Exception {
    KeyStore trustStore = KeyStore.getInstance("jks");
    trustStore.load(new FileInputStream(new File("path-to-truststore")), "password".toCharArray());
    return trustStore;
}

protected static TrustManager[] getTrustManagers() throws Exception {
    KeyStore trustStore = loadTrustStore();
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    return tmf.getTrustManagers();
}

public static HttpClient doSSLBlackMagic() throws Exception {
    SSLContext ctx = SSLContext.getInstance("TLS");
    TrustManager[] trustManagers = getTrustManagers();
    ctx.init(null, trustManagers, new SecureRandom());
    SSLSocketFactory factory = new SSLSocketFactory(ctx);

    HttpClient client = new DefaultHttpClient();
    ClientConnectionManager manager = client.getConnectionManager();
    manager.getSchemeRegistry().register(new Scheme("https", factory, 8443));

    return client;
}

据我所知，这应该会导致HttpClient使用我的Truststore来确保服务器的证书有效。这失败了。我一直得到这个例外：

As far as I understand this should result in the HttpClient to use my Truststore to ensure that the server's certificate is valid. This fails. I keep getting this exception:

javax.net.ssl.SSLPeerUnverifiedException：peer not authenticated

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

我是尝试了多个密钥库/信任库或普通的URLConnection Java解决方案。什么都行不通。有没有办法相互验证给定的密钥库和信任库？有没有其他方法来设置信任库？如何调试？

I've tried multiple keystore/truststores or a plain URLConnection Java-Solution. Nothing works. Is there any way to validate a given keystore and truststore with each other? Is there some other way to set the truststore? How can I debug this?

编辑：
完整Stacktrace：

Full Stacktrace:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:399)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:143)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:87)
at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:39)
at org.jboss.resteasy.plugins.interceptors.encoding.AcceptEncodingGZIPInterceptor.execute(AcceptEncodingGZIPInterceptor.java:40)
at org.jboss.resteasy.core.interception.ClientExecutionContextImpl.proceed(ClientExecutionContextImpl.java:45)
at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:473)
at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:704)
at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:595)
at org.jboss.resteasy.client.ClientRequest.post(ClientRequest.java:600)
at TestLstgCreation.main(TestLstgCreation.java:49)

EDIT2：
我在没有HttpClient的情况下尝试过这段纯代码：

I've tried this piece of pure Code without HttpClient:

    public static void main(String[] args) throws Exception {
    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            System.err.println("foobar");
            return null;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {
            System.err.println("foobar");
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) {
            System.err.println("foobar");
        }
    } };

    // Install the all-trusting trust manager
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // Create all-trusting host name verifier
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            System.err.println("foobar");
            return true;
        }
    };

    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

    URL url = new URL("https://127.0.0.16:8443/rest/lstgs/ofclient/23891");

    HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
    con.connect();
}

它失败并且根本不打印foobar：

It fails and does not print foobar at all:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1837)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1019)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
at ScrewYouApacheHttpClient.main(ScrewYouApacheHttpClient.java:48)

服务器使用的证书只有有效，直到2010年，这可能是个问题？昨天我确实尝试使用我为此测试创建的另一个证书并获得相同的结果。

The certifciate that the server is using was only "valid" until 2010, maybe that is a problem? Yesterday I did try to use another certificate that I created for this test and got the same results, though.

推荐答案

我刚发现解决方案：
我们刚刚切换到Java 7，我用于此测试的Eclipseprojekt仍然使用Java 6.我正在使用的服务器已经使用Java 7.使用Java 7运行上面的代码适用于两个片段。 ：）

I just found the solution: We just recently switched to Java 7 and the Eclipseprojekt I used for this test still used Java 6. The Server I am working against however already uses Java 7. Running the Code above with Java 7 works for both snippets. :)

糟糕的是，Exception没有提供任何关于此的信息，这让我花了几个小时的生命：/

Sucks that the Exception gives no information about this, it cost me a few hours of my life :/

这篇关于Apache HttpClient使用自己的SSL证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！