个人中心
gpt4 book ai didi

java - 在识别和修复 SSLPeerUnverifiedException 方面需要帮助

转载 作者:搜寻专家 更新时间:2023-11-01 02:58:27 25 4
gpt4 key购买 nike

我正在尝试为默认和自定义 keystore 向 TLS 服务器发送一个帖子。在执行执行时获得 CloseableHttpClient 实例后

CloseableHttpResponse response1 = client.execute(postMethod);

这是给我 javax.net.ssl.SSLPeerUnverifiedException: Certificate for <hostname.domain.com> doesn't match any of the subject alternative names: []上面一行的异常。

下面是我准备客户端实例的类

public class ClientelUtil {

    public static CloseableHttpClient getHttpClient(String scheme,SSLContext sslContext) {
        HttpClientBuilder clientBuilder = HttpClients.custom();
        CloseableHttpClient client = null;
        if ("https".equalsIgnoreCase(scheme)) {
            SSLConnectionSocketFactory sFactory = new SSLConnectionSocketFactory(sslContext);
            final Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("http", new PlainConnectionSocketFactory()).register("https", sFactory).build();

            final PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);

            clientBuilder = HttpClients.custom().setSSLSocketFactory(sFactory)
                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                    .setConnectionManager(cm);
        }
        client = clientBuilder.build();
        return client;

    }

    public static CloseableHttpClient getHttpClient(String scheme) {
        return getHttpClient(scheme, getSSLContext());

    }

    public static CloseableHttpClient getHttpClientWithoutTLSValidation(String scheme) {
        return getHttpClient(scheme, getSSLContextWithoutValidation());

    }

    public static SSLContext getSSLContextWithoutValidation() {
        SSLContext sslContext=null;
        try {
            sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
                public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
                    return true;
                }
            }).build();
        } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
            e.printStackTrace();
        }
        return sslContext;
    }

    public static SSLContext getSSLContext() {
        SSLContext sslContext=null;
        try {
            JKSInfo jksInfo = JKSUtil.getTrustStoreInfo();
            sslContext = HttpSSLUtil.getSSLContext(jksInfo.getJksPath(), jksInfo.getJksPassword());
        } catch (HttpSSLException e) {
            e.printStackTrace();
        }
        return sslContext;
    }

}

这是我在我的程序中使用上述类的地方

public String post(String host,int port,Map<String,String> data) {

    CloseableHttpClient client = null;
    String response = null;
    String protocol = HTTP;
    try{
        if( isServerSSLEnabled() ){ //returns a boolean tru or false. In this case it is true
            protocol = HTTPS;
        }
        client = ClientelUtil.getHttpClient(protocol);
        //RequestConfig requestConfig = RequestConfig.custom().setCircularRedirectsAllowed(true).build();
        URIBuilder builder = new URIBuilder()
                    .setScheme(protocol)
                    .setHost(host).setPort(port)
                    .setPath(CONNECT_URI);

        URI uri = builder.build();

        HttpPost postMethod = new HttpPost(uri);
        //postMethod.setConfig(requestConfig);
        logger.debug("Sending request on host [" + host +"], port ["+ port+"], Protocol ["+ protocol + "] connectURI ["+CONNECT_URI+"]");


        addRequestHeaders(postMethod);
        ArrayList<NameValuePair> postParameters = new ArrayList<NameValuePair>();
        try {
            for(Map.Entry<String,String> entry : data.entrySet()) {
                postParameters.add(new BasicNameValuePair(entry.getKey(),entry.getValue()));
            }
            postMethod.setEntity(new UrlEncodedFormEntity(postParameters));
            CloseableHttpResponse response1 = client.execute(postMethod);       // <-- SSLPeerUnverifiedException at this point
            response = EntityUtils.toString(response1.getEntity());
        } catch (IOException e) {
            logger.error("Error while running the scenario on node host [" + host+"]",e);
        } finally{
            postMethod.releaseConnection();
        }
    } catch (URISyntaxException e1) {
        e1.printStackTrace();
    }finally {
        if(client!=null)
            try {
                client.close();
            } catch (IOException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
    }
    return response;
}

我为此使用 apache http client 4.5,请帮助确定这里有什么问题。

也是CN=FQDNgetSSLContext 中使用的 keystore 中需要我使用的方法 NoopHostnameVerifier.INSTANCE创建HttpClientBuilder

谢谢

更新

我用 Common Name (e.g. server FQDN or YOUR name) []: 创建了一个新的信任库文件作为我的主机名,之后上面的代码开始工作(现在我使用 hostname 来访问我的服务器代码,而不是上面我的问题中提到的 hostname.domain.com )。

现在我的问题是,如果 CN | Common Name不存在于信任库文件中,可以使用上面代码中的一些修改来验证吗?请建议。再次感谢。

更新

发布完整的堆栈跟踪。在主机名 validator 的情况下返回 true 也是一个好习惯,这样它就可以忽略主机名验证并在生产中没有提供 CN 或 SAN 的情况下工作(请让我知道何时可以使用,否则)?

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <hostname.domain.com> doesn't match any of the subject alternative names: []
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:467)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at com.code.app.myapp.utils.HttpUtil.post(HttpUtil.java:102)
    at com.code.app.myapp2.RequestDispatcher.dispatchRequest(RequestDispatcher.java:61)
    at com.code.app.chain.commands.FetchDiagnosticsInfo.executeOperation(FetchDiagnosticsInfo.java:82)
    at com.informatica.tools.ui.isomorphic.DSCommand.execute(DSCommand.java:45)
    at com.code.app.chain.commands.BaseDSCommand.execute(BaseDSCommand.java:59)
    at com.informatica.tools.ui.isomorphic.RPCCommand.execute(RPCCommand.java:43)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166)
    at com.informatica.tools.ui.isomorphic.RPCController.execute(RPCController.java:97)
    at com.code.app.ui.IsomorphicController.execute(IsomorphicController.java:115)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166)
    at org.apache.struts.chain.commands.ExecuteCommand.execute(ExecuteCommand.java:70)
    at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166)
    at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:175)
    at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166)
    at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.code.app.ui.security.UserIdentifierFilter.doFilter(UserIdentifierFilter.java:352)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.code.app.ui.i18n.InfEncodingFilter.doFilter(InfEncodingFilter.java:156)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.code.app.config.InfSessionTimeoutManagerFilter.doFilter(InfSessionTimeoutManagerFilter.java:79)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.code.app.ui.security.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:26)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:615)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

最佳答案

这是服务器证书或 DNS 映射的问题,而不是您的代码。您连接的服务器名称不在它提供的 SSL 证书中。

您不应寻找不安全的解决方法,例如空 HTTPS 主机名验证程序。

关于java - 在识别和修复 SSLPeerUnverifiedException 方面需要帮助,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44962305/

25 4 0
文章推荐: java - 为什么有些API实现了Serializable接口(interface)却没有声明serialVersionUID?
文章推荐: javascript - 跨多个标签的 getSelection 和 surroundContents
文章推荐: javascript - 在 Javascript 中访问内部函数变量
文章推荐: java - Java DateTime 中的 Duration.between() 返回负值时
搜寻专家
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com