1

我正在尝试使用 Apache HttpComponents 库对 JBoss 服务器进行 HTTP GET 调用。当我使用 http URL 执行此操作时,它工作得很好,但是当我使用 https URL 时,它不起作用。这是我的代码:

public static String HttpGET(String requestURL, Cookie cookie)
        throws HttpException {

    DefaultHttpClient httpClient = new DefaultHttpClient();

    if (cookie != null) {
        CookieStore store = new BasicCookieStore();
        store.addCookie(cookie);
        ((AbstractHttpClient) httpClient).setCookieStore(store);
    }

    HttpGet httpGet = new HttpGet(requestURL);

    HttpResponse response = null;
    HttpEntity responseEntity = null;
    String responseBody = null;
    try {
        response = httpClient.execute(httpGet);
        // Do some more stuff...

    } catch (SSLPeerUnverifiedException ex) {
        // Message "peer not authenticated" means the server presented
        // a certificate that was not found in the local truststore.
        throw new HttpException("HTTP GET request failed; possible"
                + " missing or invalid certificate: " + ex.getMessage());
    } catch (IOException e) {
        e.printStackTrace();
    } finally {
        // When HttpClient instance is no longer needed,
        // shut down the connection manager to ensure
        // immediate deallocation of all system resources
        httpClient.getConnectionManager().shutdown();
    }

    return responseBody;
}

SSLPeerUnverifiedException当我execute()的 GET 电话时,我得到了一个。错误信息是:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

在通过 StackOverflow 问题进行了一些广泛的谷歌搜索和搜索之后,我一直看到这个建议,所以我在我的 DefaultHttpClient 周围添加了这个包装器,如下所示:

private static HttpClient wrapClient(HttpClient httpClient) {       
    try {
        SSLContext ctx = SSLContext.getInstance("TLS");
        X509TrustManager tm = new X509TrustManager() {

            public void checkClientTrusted(X509Certificate[] xcs,
                    String string) {
            }

            public void checkServerTrusted(X509Certificate[] xcs,
                    String string) {
            }

            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        };
        X509HostnameVerifier verifier = new X509HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return false;
            }

            @Override
            public void verify(String arg0, SSLSocket arg1)
                    throws IOException { }

            @Override
            public void verify(String arg0, X509Certificate arg1)
                    throws SSLException { }

            @Override
            public void verify(String arg0, String[] arg1, String[] arg2)
                    throws SSLException { }

        };

        ctx.init(null, new TrustManager[] { tm }, null);

        SSLSocketFactory socketFactory = new SSLSocketFactory(ctx);
        socketFactory.setHostnameVerifier(verifier);
        Scheme sch = new Scheme("https", 443, socketFactory);
        httpClient.getConnectionManager().getSchemeRegistry().register(sch);
        return httpClient;

    } catch (Exception ex) {
        ex.printStackTrace();
        return null;
    }
}

但是,这只会产生不同的错误:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

我相信证书设置正确,因为使用 Jersey 库编写的用于连接到该服务器的其他代码能够成功地做到这一点。但是,我没有看到我在使用 Apache HttpComponents 时做错了什么。有任何想法吗?如果我犯了明显的错误,我深表歉意,我是 SSL 新手,还没有完全了解我在做什么。谢谢你的帮助!

4

1 回答 1

0

这可能是由于您的服务器需要服务器名称指示。

由于 Apache HTTP Client 4.2.2 似乎不支持 SNI(它不发送server_name扩展,即使使用 Java 7 也是如此),您可能会获得与使用其他使用 SNI 的库获得的证书不同的证书。

似乎有一种方法可以让Apache HTTP Client 4.3 支持 SNI(但您至少仍然需要 Java 7)。

于 2013-09-17T20:04:48.447 回答