60

UPDATE 1/26/2015 -- It appears the most recent JRE/JDK for Java 8 (update >= 31) and JRE/JDK for Java 7 now include the Godaddy G2 CA server in the default trust store. If possible, it's urged you upgrade your JRE/JDK to the latest Java 8 update to resolve this issue.

UPDATE 11/29/2014 -- This is still a problem, and Godaddy does not seem to care or intend to do anything about it. A few months ago the VP of security products at Godaddy posted a blog post here saying a fix was in progress and offering a temporary workaround, but as of today nothing has changed. Note that Godaddy's G2 CA server has existed for at least 5 years, and in that time Godaddy has not taken proper steps to resolve this known problem. The workaround offered is only a workaround, not a solution. Users of third-party services have zero control over how certificates are installed on the server.

It seems users should avoid purchasing Godaddy SSL certs until they get serious about being a CA.

Here is the contact information for their SSL team, if you would like to call:

GoDaddy SSL Team Support Number: 1-480-505-8852 -- Email: ra@godaddy.com

UPDATE 9/17/2014 -- This is still a problem, and Godaddy does not seem to care or intend to do anything about it. This will become a major problem in November when Google deprecates all SHA-1 certificates. I strongly recommend that anyone who can contact Godaddy point them here.

~

tl;dr; - final update with current solution/workaround at the bottom of this post (it is a GoDaddy problem and there is a workaround until they fix it)

I have a mail server that I am trying to send mail through from my Java application. I can successfully send on port 25, so I know the code works, but 25 is not an encrypted session. I need to use TLS on port 587, which requires an SSL certificate. I have a valid SSL certificate on the server, signed by the GoDaddy G2 CA, and it has been in place for a while (without problems).

My problem is that I get the famous error message "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" when trying to connect and send mail on 587.

From what I understand from many SO links and general google-fu, this is usually caused by Java not trusting the certificate or the CA, which is common with self-signed certificates. I have used several online SSL certificate checkers to make sure the chain is valid, etc. Everything looks fine... but Java won't use the certificate automatically.

I know there is a class file somewhere from Sun that will download and set up the certificate in the local keystore so Java will trust it... but for an application that will be deployed to multiple systems that is not only impractical, it is just silly for a Godaddy-signed certificate.

What is going on here? How do I get Java to use the valid certificate on the server without having to make Java accept every certificate?

EDIT: I just checked my Windows Java Control Panel (default install of jdk 7) and sure enough, listed under Signer CA is Issued By: The Go Daddy Group, Inc. Go Daddy Class 2 Certification Authority... so what gives? My certificate is a Godaddy certificate...

UPDATE --

Here is the certificate chain as seen from the openssl command recommended in the comments:

~]# openssl s_client -connect smtp.somecompany.com:587 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=smtp.somecompany.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
---

Looks OK to me, I think...

UPDATE 2 --

OK, thanks to @Bruno I was able to determine that my chain was messed up. I re-keyed the server and my chain now shows as follows:

~]# openssl s_client -connect smtp.somecompany.com:587 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=smtp.somecompany.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
---

This looks better than before. -- Java still throws the same exception about the certificate path, etc. So it seems that by default the G2 certificate chain is not trusted in Java 7's default keystore.

FINAL UPDATE FOR COMPLETENESS @ 1/14/2014

Just as an update: this really is a GoDaddy problem (I have had a long support email exchange). They have 2 CA servers, one called Class 2 CA and the other called G2 CA. Their Class 2 CA signs all SHA-1 certificates and the G2 CA signs all SHA-2 certificates. This is the problem: GoDaddy has not added their new G2 CA server to the default Java truststore, causing default Java installs not to trust its authority and therefore not to trust your chained certificate. Until GoDaddy adds the G2 CA server to the default truststore, the workaround is simply to re-key your certificate as SHA-1 to get a certificate signed by the Class 2 CA server. GoDaddy customers can re-key for free, before your certificate expires (obviously).

4

11 Answers

44

UPDATE 1/26/2015 -- It appears the most recent JRE/JDK for Java 8 (update >= 31) and JRE/JDK for Java 7 now include the Godaddy G2 CA server in the default trust store. If possible, it's urged you upgrade your JRE/JDK to the latest Java 8 update to resolve this issue.

UPDATE 11/29/2014 -- This is still a problem, and Godaddy does not seem to care or intend to do anything about it. A few months ago the VP of security products at Godaddy posted a blog post here saying a fix was in progress and offering a temporary workaround, but as of today nothing has changed. Note that Godaddy's G2 CA server has existed for at least 5 years, and in that time Godaddy has not taken proper steps to resolve this known problem. The workaround offered is only a workaround, not a solution. Users of third-party services have zero control over how certificates are installed on the server.

It seems users should avoid purchasing Godaddy SSL certs until they get serious about being a CA.

Here is the contact information for their SSL team, if you would like to call:

GoDaddy SSL Team Support Number: 1-480-505-8852 -- Email: ra@godaddy.com

UPDATE 9/17/2014 -- This is still a problem, and Godaddy does not seem to care or intend to do anything about it. This will become a major problem in November when Google deprecates all SHA-1 certificates. I strongly recommend that anyone who can contact Godaddy point them here.

~~~~

My original post/question was about why my chain wasn't working. Clearly my setup was bad (quickly solved with some suggestions from @Bruno and others - thanks). However, when my corrected chain still didn't work with Java, it became clear that a bigger problem was lurking. It took a while, but the problem was actually with GoDaddy.

This really is a GoDaddy problem (I have had a long support email exchange with them).

They have 2 CA servers, one called Class 2 CA and the other called G2 CA. Their Class 2 CA signs all SHA-1 certificates and the G2 CA signs all SHA-2 certificates.

This is the problem: GoDaddy has not yet added their newer G2 CA server to the default Java truststore/keystore, causing default Java installs not to trust its authority and therefore not to trust your chained certificate.

Until GoDaddy adds the G2 CA server to the default truststore/keystore, the workaround is simply to re-key your certificate as SHA-1 to get a certificate signed by the Class 2 CA server. GoDaddy customers can re-key for free, before your certificate expires (obviously).

Once you have a SHA-1 certificate signed by the Class 2 CA server, your trust chain should work as expected, with no custom truststore/keystore imports and/or settings required.

It does not make me happy that I have to use a "weaker" certificate to get this working, and so far my discussions with GoDaddy through email support indicate they have no current plans to add the G2 CA server to the default truststore/keystore. I guess until they add it, if you intend to use Java, make sure you get a SHA-1 certificate signed by the Class 2 CA server.

answered 2014-01-14T16:00:04.580
19

Mr. Fixer and Wayne Thayer's answers have been downvoted, but they are actually advocating the correct work-arounds. In fact, Wayne Thayer leads GoDaddy's SSL business, so he probably knows. You should install the "GoDaddy G1 to G2 Cross" certificate in your certificate chain along with the intermediate certificate.

Downgrading to SHA1 is not an ideal option since it's being deprecated and will cause you more work in the future. Fortunately, GoDaddy has provided a crossover certificate that solves this problem. They posted instructions, which Wayne has duplicated, and they're buried in the comments here.

I have personally tested this solution with a SHA2 cert, and it works well. It's a far superior solution vs. re-keying and downgrading to SHA1. When SHA2 becomes required, this option won't be available anyway, and there might still be Java toolchains out there without the new certificate.

According to GoDaddy support, as of July 2014, the correct root certificate was included in recent versions of Java 8, and in September 2014, Wayne Thayer of GoDaddy also said that the certificate "is scheduled to be added to Java in the next few months". I have checked the cacerts file in Java 8 for Mac OS downloaded from here, and it does indeed contain the SHA2 root certificate.

So instead of your chain looking like this:

  • Go Daddy Root Certificate Authority – G2: (SHA-2) – Hash 47 BE AB C9 22 EA E8 0E 78 78 34 62 A7 9F 45 C2 54 FD E6 8B. This is the root certificate that’s built into some systems (e.g. Chrome). SnakeDoc claims that "it's not built into Java, Windows CE, Microsoft Exchange, and more platforms".
  • Go Daddy Secure Certificate Authority – G2: (SHA-2) – Hash 27 AC 93 69 FA F2 52 07 BB 26 27 CE FA CC BE 4E F9 C3 19 B8
  • Your SHA2 certificate

It should look like this:

  • Go Daddy Class 2 Certification Authority: (SHA-1) – Hash 27 96 BA E6 3F 18 01 E2 77 26 1B A0 D7 77 70 02 8F 20 EE E4. This is the old root certificate that’s built into most systems, including java.
  • Go Daddy Root Certificate Authority – G2: (SHA-2) – Hash 34 0B 28 80 F4 46 FC C0 4E 59 ED 33 F5 2B 3D 08 D6 24 29 64. This is the so-called “GoDaddy G1 to G2 Cross Certificate”.
  • Go Daddy Secure Certificate Authority – G2: (SHA-2) – Hash 27 AC 93 69 FA F2 52 07 BB 26 27 CE FA CC BE 4E F9 C3 19 B8
  • Your SHA-2 Certificate

See also - my blog post summarizing this issue with work-arounds.

answered 2014-11-28T19:35:32.617
13

To get Godaddy certificates working with SHA2 in Java, you need to use their cross certificate in the chain to link the G2 (SHA2) root to the G1 (SHA1) root, until Java decides to update their repository. The cross certificate bundle can be downloaded here:

https://certs.godaddy.com/anonymous/repository.pki

GoDaddy Certificate Bundles - G2 With Cross to G1, includes Root

gd_bundle-g2-g1.crt

answered 2014-09-19T01:02:05.097
11

Mr. Fixer is right. Install the "GoDaddy G1 to G2 Cross" certificate in your certificate bundle file along with the intermediate certificate. This allows any client that recognizes the SHA-1 root (including Java) to trust GoDaddy SHA-2 certificates. You can get this file from https://certs.godaddy.com/repository. Once this file is installed, Java will build a certificate chain from your certificate to the "GoDaddy Secure Server Certificate (Intermediate Certificate)" to the "GoDaddy G1 to G2 Cross Certificate" to the GoDaddy SHA-1 root. You can also find bundle files containing the cross certificate in our repository. One final note on this option: even though you are relying on the SHA-1 root, the signature on the root certificate is not checked,

answered 2014-10-08T00:25:35.717
4

Following the comments and openssl s_client -connect the.server.name:587 -starttls smtp.

In a certificate chain, certificate n should be issued by certificate n+1 in the list: the issuer (i) of certificate n should be the subject of certificate n+1.

 0 s:/OU=Domain Control Validated/CN=smtp.somecompany.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2

Here, cert 0 is issued by cert 1 (fine), cert 1 is issued by cert 2 (fine), and cert 2 is self-signed (also fine, it's the root CA).

However, cert 2 is not issued by cert 3. Cert 3 is misplaced (and is probably the same as cert 1). This can cause problems, since it makes the chain invalid.

You should at least remove cert 3 from your configuration. You could also remove cert 2, since having the root CA there is not necessary (that depends on the client anyway).

answered 2013-09-12T17:54:07.977
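As an added example (not code from the question or any of the answers), a small Python checker that applies this ordering rule and the trust-anchor lookup to the chains on this page: the mis-ordered chain from the question's first openssl run, the re-keyed chain from the second run, and the cross-signed chain the later answers recommend. Trust stores are modelled as sets of subject names and only names are compared, not signatures; the Class 2 root DN is constructed from the page's description of it.

```python
import re
from typing import List, Optional, Set, Tuple

# Distinguished names as openssl s_client prints them, taken from the question's
# output; the Class 2 root DN is constructed from the page's description of it.
LEAF = "/OU=Domain Control Validated/CN=smtp.somecompany.com"
GD_SECURE_G2 = ("/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc."
                "/OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2")
GD_ROOT_G2 = "/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2"
GD_CLASS2 = "/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority"

# Constructed sample: the 'Certificate chain' section of the question's first
# openssl run, in which cert 3 sits after the self-signed root.
BROKEN_LISTING = f"""\
 0 s:{LEAF}
   i:{GD_SECURE_G2}
 1 s:{GD_SECURE_G2}
   i:{GD_ROOT_G2}
 2 s:{GD_ROOT_G2}
   i:{GD_ROOT_G2}
 3 s:{GD_SECURE_G2}
   i:{GD_ROOT_G2}
"""

Chain = List[Tuple[str, str]]  # (subject, issuer) per certificate, in the order sent
# The re-keyed chain from the question's second run, and the cross-signed chain the
# later answers describe (same leaf and intermediate, then the G1-to-G2 cross cert).
FIXED_CHAIN: Chain = [(LEAF, GD_SECURE_G2), (GD_SECURE_G2, GD_ROOT_G2), (GD_ROOT_G2, GD_ROOT_G2)]
CROSS_CHAIN: Chain = [(LEAF, GD_SECURE_G2), (GD_SECURE_G2, GD_ROOT_G2), (GD_ROOT_G2, GD_CLASS2)]
# Trust stores modelled as sets of trusted subject DNs: Java 7's cacerts as the
# question found it (Class 2 only) and Java 8u31+ as the final update reports it.
JAVA7_STORE: Set[str] = {GD_CLASS2}
JAVA8_STORE: Set[str] = {GD_CLASS2, GD_ROOT_G2}

def parse_chain(listing: str) -> Chain:
    """Turn the s:/i: pairs of an openssl s_client chain dump into (subject, issuer) tuples."""
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", listing, re.M)
    issuers = re.findall(r"^\s+i:(.*)$", listing, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("malformed chain listing: subject and issuer lines do not pair up")
    return list(zip(subjects, issuers))

def check_chain(chain: Chain, trust_store: Set[str]) -> Tuple[List[str], Optional[int]]:
    """Walk the chain the way a TLS client does: cert n must be issued by cert n+1
    until an issuer is found in the trust store. Only names are compared here, no
    signatures. Returns (problems, index of the cert whose issuer is the anchor)."""
    problems: List[str] = []
    for k, (subject, issuer) in enumerate(chain):
        if issuer in trust_store:
            return problems, k  # path built: the issuer of cert k is a trusted root
        if k + 1 < len(chain):
            if chain[k + 1][0] != issuer:  # the ordering rule from the answer above
                problems.append(f"cert {k + 1} is not the issuer of cert {k}: expected {issuer!r}")
                break
        elif subject == issuer:  # openssl's 'self signed certificate in certificate chain'
            problems.append(f"cert {k} is a self-signed root that is not in the trust store")
        else:
            problems.append(f"no trust anchor: issuer of cert {k} ({issuer!r}) is not trusted")
    return problems, None
```

With the Java 7 store the mis-ordered chain fails at cert 3 and the re-keyed chain fails for lack of a trusted anchor, while the cross-signed chain anchors at the Class 2 root and the re-keyed chain anchors once the G2 root is in the store.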
3

Importing the GoDaddy G2 bundle into the Java keystore solves the problem:

export JAVA_HOME=/usr/lib/jvm/java-8-oracle/
wget https://certs.godaddy.com/repository/gd_bundle-g2.crt
$JAVA_HOME/bin/keytool -import -alias root -file ./gd_bundle-g2.crt -storepass changeit -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts
answered 2016-08-04T15:25:43.697
1

It sounds like your mail server is not signed by the Go Daddy Class 2 Certification Authority, but is actually signed by one of the intermediate certificate authorities. You need to verify this yourself. Assuming that is the case...

In theory your software should work, since the intermediate certificate is signed by the Class 2 authority, and you have the Class 2 authority in the default JDK certificate store. However, I have found that it does not work unless you also add the intermediate certificate to the certificate store. Here is a link to a blog post describing a similar experience:

http://drcs.ca/blog/adding-godaddy-intermediate-certificates-to-java-jdk/

Here is a direct link to more GoDaddy intermediate certificates: https://certs.godaddy.com/anonymous/repository.pki

I can't advise exactly which certificate you have to add; that depends on the CA used in your mail server.

[UPDATE]

is there a way to do this programmatically?

Maybe. It depends on what you want to do. I have used the java.security.KeyStore class to automatically update a private keystore directly from Java code, without using keytool. It is conceptually simple: load the keystore from a file, read the new certificate, add it to the keystore, then write the keystore to a new file. However, getting the details right takes a while, and for importing just one certificate it is probably not worth the trouble.

Still, it is fun to try. Check the KeyStore JavaDoc and read about the load, store and setCertificateEntry methods.

answered 2013-09-11T17:27:42.033
1

In the "Java Control Panel" I just added the GD root certificate to "Secure Site CA", and I no longer get certificate errors when using Java. The certificate I added is: Go Daddy Class 2 Certification Authority Root Certificate - G2

answered 2014-05-25T07:34:32.420
0

Update - this "solution" is no longer valid (see my above accepted answer) - keeping this answer because it did help alleviate the problem so long as the side-effects are tolerable.

OK, I may have found a workaround for my situation.

props.put("mail.smtp.ssl.trust", "smtp.somecompany.com");

I added this to my session construction and now it works. This is a workaround, not a fix IMHO, since I still don't know why my Godaddy SSL certificate is not trusted by default... it is not a self-signed certificate.

Anyone please feel free to chime in, because I really would like to understand this problem.

answered 2013-09-11T16:57:01.727
0

Here is something you can try. Add the GoDaddy root and intermediate certificates to the trust manager at runtime, i.e. when the application starts.

// Intermediate (Go Daddy Secure Certificate Authority - G2), PEM body only:
// the BEGIN/END lines stay commented out so Base64 can decode the string.
static final String GD_CERT1 =
//"-----BEGIN CERTIFICATE-----"
"MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx"
+"EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT"
+"EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp"
+"ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3"
+"MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH"
+"EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE"
+"CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD"
+"EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi"
+"MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD"
+"BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv"
+"K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e"
+"cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY"
+"pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n"
+"eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB"
+"AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV"
+"HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv"
+"9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v"
+"b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n"
+"b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG"
+"CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv"
+"MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz"
+"91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2"
+"RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi"
+"DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11"
+"GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x"
+"LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB";
//+"-----END CERTIFICATE-----";

static final String GD_CERT2 =
//"-----BEGIN CERTIFICATE-----"
"MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT"
+"MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv"
+"IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx"
+"MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT"
+"B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku"
+"Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1"
+"dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi"
+"CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H"
+"Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/"
+"3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+"
+"6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI"
+"gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E"
+"GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV"
+"HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud"
+"IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr"
+"BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al"
+"oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9"
+"MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv"
+"bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d"
+"H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg"
+"OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq"
+"9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO"
+"KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3"
+"qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm"
+"rw==";
//+"-----END CERTIFICATE-----";

static final String GD_CERT3 =
//"-----BEGIN CERTIFICATE-----"
"MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh"
+"MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE"
+"YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3"
+"MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo"
+"ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg"
+"MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN"
+"ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA"
+"PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w"
+"wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi"
+"EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY"
+"avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+"
+"YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE"
+"sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h"
+"/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5"
+"IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj"
+"YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD"
+"ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy"
+"OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P"
+"TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ"
+"HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER"
+"dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf"
+"ReYNnyicsbkqWletNw+vHX/bvZ8=";
//+"-----END CERTIFICATE-----";

// Lives in one class together with the GD_CERT constants above; needs
// java.io.ByteArrayInputStream, java.security.*, java.security.cert.*,
// java.util.Base64 and javax.net.ssl.* imported.
public static void main(String[] args) throws Exception {

    TrustManagerFactory dtmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    dtmf.init((KeyStore) null); // gets you the default trust manager (backed by cacerts)


    X509TrustManager defaultTm = null;
    for (TrustManager tm : dtmf.getTrustManagers()) 
    {
        if (tm instanceof X509TrustManager) 
        {
            defaultTm = (X509TrustManager) tm;
            break;
        }
    }
    if (defaultTm == null)
    {
        throw new IllegalStateException("no X509TrustManager in the default TrustManagerFactory");
    }


    // Decode the header-less PEM bodies into certificate objects
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    byte [] decoded = Base64.getDecoder().decode(GD_CERT1);
    ByteArrayInputStream in = new ByteArrayInputStream(decoded);
    Certificate ca1 = cf.generateCertificate(in);
    in.close();

    decoded = Base64.getDecoder().decode(GD_CERT2);
    in = new ByteArrayInputStream(decoded);
    Certificate ca2 = cf.generateCertificate(in);
    in.close();

    decoded = Base64.getDecoder().decode(GD_CERT3);
    in = new ByteArrayInputStream(decoded);
    Certificate ca3 = cf.generateCertificate(in);
    in.close();

    // In-memory trust store holding the default roots plus the three GoDaddy certs.
    // SSLContext.init() only uses the first X509TrustManager of the array it is
    // given, so passing {gdTm, defaultTm} would silently drop the default roots;
    // merging both sets into one store keeps all of them trusted.
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore ks = KeyStore.getInstance(keyStoreType);
    ks.load(null, null);
    int i = 0;
    for (X509Certificate trusted : defaultTm.getAcceptedIssuers())
    {
        ks.setCertificateEntry("default" + (i++), trusted);
    }
    ks.setCertificateEntry("cert1", ca1);
    ks.setCertificateEntry("cert2", ca2);
    ks.setCertificateEntry("cert3", ca3);


    TrustManagerFactory gdtmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    gdtmf.init(ks);

    // Declared outside the try block so it is still in scope afterwards
    SSLContext sslCtx = SSLContext.getInstance("TLS");
    try 
    {
        sslCtx.init(null, gdtmf.getTrustManagers(), new SecureRandom());
    } 
    catch (java.security.GeneralSecurityException e) 
    {
        e.printStackTrace();
        throw e;
    }

    // This affects HttpsURLConnection; a JavaMail session would instead receive
    // sslCtx.getSocketFactory() through its mail.smtp.ssl.socketFactory property.
    HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
}

I copied the code from my working version, so there may be compilation errors. You just need to fix those.

answered 2018-12-10T02:11:16.437
-2

Please comment if you use the following property when sending mail. It worked for me, but it may cause security problems.

props.put("mail.smtp.starttls.enable","true");
answered 2014-10-22T07:26:00.307