个人中心
gpt4 book ai didi

Java拒绝浏览器接受的证书

转载 作者:太空宇宙 更新时间:2023-11-03 13:52:43 25 4
gpt4 key购买 nike

我在 Wildfly 9 中配置有效证书(非自签名!)时遇到问题。我在 Wildfly 中配置了 HTTPS 连接器:

            <https-listener name="https" socket-binding="https" security-realm="UndertowRealm" />

安全领域:

        <security-realm name="UndertowRealm">
          <server-identities>
            <ssl>
              <keystore path="domain.p12" relative-to="jboss.server.config.dir" keystore-password="password"
                alias="appcert"  />
            </ssl>
          </server-identities>
        </security-realm>

并使用此命令生成 keystore :

openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.p12 -name appcert -CAfile cafile.crt -caname root

现在,当我在浏览器中打开应用程序时,一切正常。浏览器将该证书识别为有效证书,而不会像在自签名证书中那样提示异常。

但是,当我尝试通过 SSLPoke.java 连接到完全相同的 URL 时,出现以下异常:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)    at SSLPoke.main(SSLPoke.java:26)Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)    at sun.security.validator.Validator.validate(Validator.java:260)    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)    ... 9 moreCaused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)    ... 15 more

如果我在客户端导入证书,这个错误就会消失,但我认为我不应该这样做,因为这是一个有效的证书。

测试代码如下:

import java.io.InputStream;import java.io.OutputStream;import javax.net.ssl.SSLSocket;import javax.net.ssl.SSLSocketFactory;/** Establish a SSL connection to a host and port, writes a byte and * prints the response. See * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services */public class SSLPoke {    public static void main(String[] args) {                if (args.length != 2) {                        System.out.println("Usage: "+SSLPoke.class.getName()+"  ");                        System.exit(1);                }                try {                        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();                        SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));                        InputStream in = sslsocket.getInputStream();                        OutputStream out = sslsocket.getOutputStream();                        // Write a test byte to get a reaction :)                        out.write(1);                        while (in.available() > 0) {                                System.out.print(in.read());                        }                        System.out.println("Successfully connected");                } catch (Exception exception) {                        exception.printStackTrace();                }        }}

为什么会这样,设置 SSL 证书的正确方法是什么?

最佳答案

这里的问题是 Java 默认带有一组非常有限的根 CA 证书。与典型的浏览器相比,它“接受”的 CA 数量要少得多。解决这个问题最简单的方法是从 Chrome 或 Firefox 等浏览器中导出一组 CA 证书,然后使用 keytool 将它们导入到 Java 的 keystore 中。 .

关于Java拒绝浏览器接受的证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37334441/

25 4 0
文章推荐: c# - 如何使用 sqlserver 中的 C# 在 xaml 中绑定(bind)数据
文章推荐: python - raw_input() 在 python 3.1 中被弃用了吗?
文章推荐: c# - 从 dataGridView 到 TextBox,取 headername
文章推荐: python - 处理 App Engine 冷启动问题的最佳实践
太空宇宙
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com