在这里,我们将给大家分享关于ApacheHTTP客户端javax.net.ssl.SSLPeerUnverifiedException:对等方未通过身份验证的知识,同时也会涉及到如何更有效地Activ
在这里,我们将给大家分享关于Apache HTTP客户端javax.net.ssl.SSLPeerUnverifiedException:对等方未通过身份验证的知识,同时也会涉及到如何更有效地ActiveMQ Apollo - 警告 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown、Android 2.3.x javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:找不到证书路径的信任锚、android – Glide – javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorExcept、Apache HTTPClient SSLPeerUnverifiedException的内容。
本文目录一览:- Apache HTTP客户端javax.net.ssl.SSLPeerUnverifiedException:对等方未通过身份验证
- ActiveMQ Apollo - 警告 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
- Android 2.3.x javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:找不到证书路径的信任锚
- android – Glide – javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorExcept
- Apache HTTPClient SSLPeerUnverifiedException
Apache HTTP客户端javax.net.ssl.SSLPeerUnverifiedException:对等方未通过身份验证
我们正在使用tomcat和jersey开发应用程序。
在这个web应用,我们需要连接到httpsWebsite同一个valid,没有过期certificate。如果我确实通过Chrome浏览器在本地连接到此网站,则一切正常!不幸的是,带有我们的Web应用程序的tomcat服务器抛出异常。我们正在使用ApacheHttpClient (4.0)连接到https站点:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticatedat sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371)at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)服务器证书是绝对有效的,来自thawte。三种不同的在线工具成功验证了证书。Openssl也有一个问题,向我显示了三个证书,但抛出一个简单错误:
Verify return code: 20 (unable to get local issuer certificate)openssl的问题似乎在于它使用了错误的路径/usr/lib/ssl而不是/etc/ssl/certs。如果我使用指向正确路径的CApath参数,则openssl可以正常工作,因此httpClient可能有问题吗?
因此,我们用于默认客户端的代码非常简单:
client = new DefaultHttpClient(); response = client.execute(url); //this throws the exception EntityUtils.consume(response.getEntity());通过实现自定义TrustedManager不允许任何证书!我还读到,有些CA不是JDK /
JRE的一部分,因此应该将其证书手动导入到keystore或使用自定义证书,但是thawte是众所周知的CA,它不应该在默认情况下工作吗?
编辑
我确实在catalina.sh中设置了javax.debug属性,以便获得有关该问题的更多信息:
http-bio-8080-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path我将不胜感激任何帮助!提前致谢!
答案1
小编典典好吧,我知道了!尽管thawte是众所周知的CA,但Java SSL似乎确实存在一些问题。通过下载ssl证书后openssl:
echo |\openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\sed -ne ''/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p''并将其保存到一个pem文件中,我将手工导入到Java密钥库中:
keytool -import -alias myAlias -file theCert.pem -keystore lib/security/cacerts我不知道为什么Java ssl无法正确验证thawte证书。
列出密钥库告诉我,标准密钥库中有7个thawte受信任证书,但是奇怪的是,直到我手动导入了pem文件,它才起作用
ActiveMQ Apollo - 警告 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
记录日期:2019年6月19日 17点32分
Apache apollo 已被弃用,如无必要推荐使用 Apache ActiveMQ 5。
1、下载 apollo 1.7.1 按照官方示例,创建broker,出现了如下警告:
Creating apollo instance at: testBroker
Generating ssl keystore...
Warning:
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12" 迁移到行业 标准格式 PKCS12。
You can now start the broker by executing:
"E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker" run
Or you can setup the broker as Windows service and run it in the background:
"E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker-service" install
"E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker-service" start
运行后出现如下警告。
WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
根据警告的内容,大概可以猜测出,需要升级 JKS 密钥库的使用格式。
找到创建 broker 时生成的 keystore,一般在 broker 目录下名为 etc 的文件夹中。
windows 打开命令提示符,进入 etc 目录,输入如下命令。
keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12提示输入源密钥库口令。
查看 apache-apollo 源码查找口令,在目录 apollo-broker\src\main\scala\org\apache\activemq\apollo\broker 下的 BrokerCreate.scala 文件中找到生成密钥库的地方,如下:
// Generate a keystore with a new key
val ssl = with_ssl && {
out.println("Generating ssl keystore...")
val rc = system(etc, Array(
"keytool", "-genkey",
"-storetype", "JKS",
"-storepass", "password",
"-keystore", "keystore",
"-keypass", "password",
"-alias", host,
"-keyalg", "RSA",
"-keysize", "4096",
"-dname", "cn=%s".format(host),
"-validity", "3650"))==0
if(!rc) {
out.println("WARNING: Could not generate the keystore, make sure the keytool command is in your PATH")
}
rc
}口令为 password,输入该口令,显示如下信息:
已成功导入别名 mybroker 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
Warning:
已将 "keystore" 迁移到 Non JKS/JCEKS。将 JKS 密钥库作为 "keystore.old" 进行了备份。
运行broker,输出的内容中仍然存在如下警告信息,但是不影响基本使用。
WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN | javax.net.ssl.SSLException: Inbound closed before receiving peer''s close_notify: possible truncation attack?
WARN | javax.net.ssl.SSLException: Inbound closed before receiving peer''s close_notify: possible truncation attack?
Android 2.3.x javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:找不到证书路径的信任锚
这是我的HTTPRequestController:
public class HttpRequestController {
private final static String TAG = "HttpRequestController";
private static HttpRequestController instance;
public enum Method {
PUT,POST,DELETE,GET
}
private HttpRequestController() {
}
public static HttpRequestController getInstance() {
if (instance == null)
instance = new HttpRequestController();
return instance;
}
public String doRequest(String url,HashMap<Object,Object> data,Method method,String token) throws Exception {
InputStream certificateInputStream = null;
if (MyApplication.PRODUCTION) {
certificateInputStream = MyApplication.context
.getResources().openRawResource(R.raw.production_cert);
LogUtils.log("using production SSL certificate");
} else {
certificateInputStream = MyApplication.context
.getResources().openRawResource(R.raw.staging_cert);
LogUtils.log("using staging SSL certificate");
}
KeyStore trustStore = KeyStore.getInstance("BKS");
try{
trustStore.load(certificateInputStream,"re3d6Exe5HBsdskad8efj8CxZwv".tochararray());
} finally {
certificateInputStream.close();
}
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
LogUtils.log("SSL: did init TrustManagerFactory with trust keyStore");
SSLContext context = SSLContext.getInstance("TLS");
context.init(null,tmf.getTrustManagers(),null);
LogUtils.log("SSL: did init context with trust keyStore");
URL request = new URL(url);
HttpsURLConnection urlConnection = (HttpsURLConnection) request
.openConnection();
LogUtils.log("SSL: did open HttpsURLConnection");
urlConnection.setHostnameVerifier(new StrictHostnameVerifier());
urlConnection.setSSLSocketFactory(context.getSocketFactory());
urlConnection.setConnectTimeout(15000);
LogUtils.log("SSL: did set Factory and Timeout.");
if (method != Method.GET){
urlConnection.setDoOutput(true);
}
urlConnection.setDoInput(true);
urlConnection.setRequestProperty("Content-Type","application/json");
urlConnection.setRequestProperty("Accept","application/json");
LogUtils.log("SSL: urlConnection did set request properties.");
if (token != null) {
urlConnection.setRequestProperty("Authorization","Token " + token);
}
urlConnection.setRequestMethod(method.toString());
urlConnection.connect();
LogUtils.log("SSL: urlConnection did connect.");
if (method != Method.GET) {
ObjectMapper mapper = new ObjectMapper();
String jsonValue = mapper.writeValueAsstring(data);
OutputStream os = urlConnection.getoutputStream();
os.write(jsonValue.getBytes());
os.flush();
LogUtils.log(TAG,"Params: " + jsonValue);
}
LogUtils.log(TAG,method.toString() + ": " + url);
InputStream in = null;
if (urlConnection.getResponseCode() == 200) {
in = urlConnection.getInputStream();
} else {
in = urlConnection.getErrorStream();
}
String response = convertStreamToString(in);
LogUtils.log(TAG,"Got response : " + url);
LogUtils.log(TAG,"Response : " + response);
return response;
}
public String convertStreamToString(InputStream inputStream) {
BufferedReader buffReader = new BufferedReader(new InputStreamReader(
inputStream));
StringBuilder stringBuilder = new StringBuilder();
String line = null;
try {
while ((line = buffReader.readLine()) != null) {
stringBuilder.append(line + "\n");
}
} catch (IOException e) {
e.printstacktrace();
} finally {
try {
inputStream.close();
} catch (IOException e) {
e.printstacktrace();
}
}
return stringBuilder.toString();
}
public HttpClient retrieveHttpClient() {
return new MyHttpClient(MyApplication.context);
}
}
当我运行命令时:
openssl s_client -debug -connect www.mysitedomain.com:443
我收到了回复:
--
some key stuff
--
Certificate chain
0 s:/OU=Domain Control Validated/CN=www.mydomainname.com
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
some more certificate stuff
-----END CERTIFICATE-----
ubject=/OU=Domain Control Validated/CN=www.mydomainname.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4091 bytes and written 328 bytes
---
New,TLSv1/SSLv3,Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 57C379C59483809A7FE1BF8E235C5BFA7789E62AAEBCA9BC14B5273F5D1304E7
Session-ID-ctx:
Master-Key: 6FCD498D1294415A42B57420F0C05AB903EF8E56CB6F1530390F73AF5E4CBC22B359D5CDA09811E075A5C598002C380D
Key-Arg : None
Start Time: 1390473282
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
所以它返回没问题…但它仍然给我测试的2.3.x设备的这个错误.
在此之后我得到一个例外:
LogUtils.log("SSL: urlConnection did set request properties.");
这是例外:
01-23 10:20:28.459: W/System.err(1623): javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. 01-23 10:20:28.459: W/System.err(1623): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:477) 01-23 10:20:28.459: W/System.err(1623): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:328) 01-23 10:20:28.459: W/System.err(1623): at org.apache.harmony.luni.internal.net.www.protocol.http.httpconnection.setupSecureSocket(httpconnection.java:185) 01-23 10:20:28.459: W/System.err(1623): at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.makeSslConnection(HttpsURLConnectionImpl.java:433) 01-23 10:20:28.459: W/System.err(1623): at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.makeConnection(HttpsURLConnectionImpl.java:378) 01-23 10:20:28.459: W/System.err(1623): at org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:205) 01-23 10:20:28.459: W/System.err(1623): at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:152)
我称之为的方式是:
String response = HttpRequestController
.getInstance()
.doRequest(ApiUrls.LOGIN,params,Method.POST,null);
它适用于运行2.3.x以上Android版本的任何其他设备(根据我的测试).
Android文档似乎没有关于2.3兼容性的主题.
解决方法
我建议你在Android文档上做:
// Load CAs from an InputStream
// (Could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null,null);
keyStore.setCertificateEntry("ca",ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null,null);
// Tell the URLConnection to use a SocketFactory from our SSLContext
URL url = new URL("https://certs.cac.washington.edu/CAtest/");
HttpsURLConnection urlConnection =
(HttpsURLConnection)url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
copyInputStreamToOutputStream(in,System.out);
我也在做同样的事情,它在每台设备上运行正常,使用Android 2.3及以下版本,我的网站证书是私有的.
试试吧,告诉我它现在是否正常工作.
希望它能帮到你!
android – Glide – javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorExcept
我将服务器从HTTP迁移到HTTPS我已经使用自签名证书来发送带有HttpUrlConnection的网络请求并且它工作但是对于图像加载它不起作用,因为我使用Glide进行图像加载.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.while loading images from https URL through glide library
Glide.with(mContext).load(currentItem.getimage_path().replace(" ", "%20"))
.listener(new RequestListener<String, GlideDrawable>() {
@Override
public boolean onException(Exception e, String model, Target<GlideDrawable> target, boolean isFirstResource) {
genericViewHolder.imageView_1.setimageResource(R.drawable.image_thumbnail);
genericViewHolder.progressBar.setVisibility(View.GONE);
return false;
}
@Override
public boolean onResourceReady(GlideDrawable resource, String model, Target<GlideDrawable> target, boolean isFromMemoryCache, boolean isFirstResource) {
genericViewHolder.progressBar.setVisibility(View.GONE);
return false;
}
}).into(genericViewHolder.imageView_1);
我尝试使用this链接并使用GlideModule但它似乎不起作用.请帮忙.
解决方法:
问题是关于证书请按照此链接-https://stackoverflow.com/a/39032433/4741746
这将绕过证书并允许您进入系统
看到这个链接也是-https://futurestud.io/tutorials/glide-module-example-accepting-self-signed-https-certificates
创建您的自定义GlideModule类,OkHttpUrlLoader类并附上Glide,如上所述
你必须把
<Meta-data
android:name="io.futurestud.tutorials.glide.glidemodule.CustomImageSizeGlideModule"
android:value="GlideModule" />
AndroidMainifiest文件https://github.com/fs-opensource/android-tutorials-glide/blob/master/app/src/main/AndroidManifest.xml的内部应用程序标记
Apache HTTPClient SSLPeerUnverifiedException
使用Apache HttpClient 4.2.1。使用从基于表单的登录示例复制的代码
http://hc.apache.org/httpcomponents-client-
ga/examples.html
访问受SSL保护的登录表单时出现异常:
Getting library items from https://appserver.gtportalbase.com/agileBase/AppController.servlet?return=blankjavax.net.ssl.SSLPeerUnverifiedException: peer not authenticatedClosing http connectionat sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)据我所知,该证书很好(请参阅堆栈跟踪之前的URL),并且不会过期-浏览器不会抱怨。
我尝试将证书导入到我的密钥库中
如何使用Apache
HttpClient处理无效的SSL证书?
没有变化。我相信您可以创建一个自定义SSLContext来强制Java忽略该错误,但是我宁愿解决根本原因,因为我不想打开任何安全漏洞。
有任何想法吗?
答案1
小编典典编辑 我知道这个答案很久以前就被接受了,并且也被投票了3次,但这是(至少部分是)错误的,所以这里有更多关于此异常的信息。不便之处敬请原谅。
javax.net.ssl.SSLPeerUnverifiedException:对等方未通过身份验证
当远程服务器根本不发送证书时, 通常会 抛出此异常。但是,由于在此版本sun.security.ssl.SSLSocketImpl.getSession()中实现的方式以及实现的方式,因此在使用Apache HTTP
Client时会遇到一些极端情况。
当使用Apache HTTP Client时,当不信任远程证书时也会抛出该异常,这通常会抛出“sun.security.validator.ValidatorException: PKIX path building failed”。
发生这种情况的原因是因为Apache HTTP Client SSLSession在执行其他操作之前会尝试获取和对等证书。
提醒一下,有3种方法可以通过发起握手SSLSocket:
- 调用开始显式开始握手的startHandshake,或
- 尝试在此套接字上读取或写入应用程序数据会导致隐式握手,或者
- 如果当前没有有效的会话,则对getSession的调用尝试建立会话,并且隐式握手已完成。
这是3个示例,所有示例均针对具有不可信证书的主机(使用javax.net.ssl.SSLSocketFactory,而不是Apache)。
范例1:
SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) ssf.createSocket("untrusted.host.example", 443); sslSocket.startHandshake();这将引发“ javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed”(如预期)。
范例2:
SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) ssf.createSocket("untrusted.host.example", 443); sslSocket.getInputStream().read();这也会引发“ javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed”(如预期)。
范例3:
SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) ssf.createSocket("untrusted.host.example", 443); SSLSession sslSession = sslSocket.getSession(); sslSession.getPeerCertificates();但是,这引发了javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated。
这是Apache
HTTP客户端AbstractVerifierorg.apache.http.conn.ssl.SSLSocketFactory在4.2.1版中使用的逻辑。更高版本基于发出的HTTPCLIENT-1346报告显式调用startHandshake()。
最终,这似乎来自的实现sun.security.ssl.SSLSocketImpl.getSession(),该实现捕获了IOException在调用startHandshake(false)(内部方法)时抛出的潜在s
,而没有进一步抛出它。这可能是一个错误,尽管这不会对安全产生重大影响,因为SSLSocket无论如何仍将关闭。
范例4:
SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) ssf.createSocket("untrusted.host.example", 443); SSLSession sslSession = sslSocket.getSession(); // sslSession.getPeerCertificates(); sslSocket.getInputStream().read();值得庆幸的是,javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path buildingfailed每当您实际尝试使用它时,它仍然会抛出“ ” SSLSocket(在没有获得对等证书的情况下获得会话不会造成漏洞)。
如何解决这个问题
像其他任何不信任的证书问题一样,确保您使用的信任库包含必要的信任锚(例如,颁发要尝试验证的链的CA证书,或者可能是实际服务器)特殊情况证书)。
要解决此问题,您应该将CA证书(或者可能是服务器证书本身)导入到信任库中。你可以这样做:
- 在您的JRE信任库中,通常是
cacerts文件(不一定是最好的文件,因为这会影响使用该JRE的所有应用程序), - 在您的信任库的本地副本中(您可以使用
-Djavax.net.ssl.trustStore=...选项进行配置), - 通过
SSLContext为该连接创建一个特定对象。(有人建议使用不执行任何操作的信任管理器,但这会使您的连接容易受到MITM攻击。)
初步答案
javax.net.ssl.SSLPeerUnverifiedException:对等方未通过身份验证
这与信任证书无关,或者您必须创建一个自定义SSLContext:这是由于服务器根本不发送任何证书。
显然,该服务器未配置为正确支持TLS。这将失败(您将不会获得远程证书):
openssl s_client -tls1 -showcerts -connectappserver.gtportalbase.com:443
但是,SSLv3似乎可以工作:
openssl s_client -ssl3 -showcerts -connectappserver.gtportalbase.com:443
如果您知道谁在运行此服务器,则值得与他们联系以解决此问题。至少现在,服务器应该真正支持TLSv1。
同时,解决此问题的一种方法是创建您自己的问题并将org.apache.http.conn.ssl.SSLSocketFactory其用于与Apache
Http客户端的此连接。
该工厂需要创建一个SSLSocket照常使用的方法sslSocket.setEnabledProtocols(new String[]{"SSLv3"});,以在返回该套接字之前使用它来禁用TLS,否则默认情况下将启用它。
关于Apache HTTP客户端javax.net.ssl.SSLPeerUnverifiedException:对等方未通过身份验证的介绍已经告一段落,感谢您的耐心阅读,如果想了解更多关于ActiveMQ Apollo - 警告 javax.net.ssl.SSLException: Received fatal alert: certificate_unknown、Android 2.3.x javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:找不到证书路径的信任锚、android – Glide – javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorExcept、Apache HTTPClient SSLPeerUnverifiedException的相关信息,请在本站寻找。
本文标签:
