While TrustAll looks like a possible solution, it only works when no TrustStore and KeyStore are given. Then you cannot connect with a regular client, because the server has no certificate to present during the handshake.

To get a reasonable trustAll mode, the only option seems to be to extend SslContextFactory:
```java
package media.alu.jetty;

import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.PKIXBuilderParameters;
import java.util.Collection;

import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.eclipse.jetty.util.annotation.ManagedObject;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * SslContextFactoryRelaxed is used to configure SSL connectors
 * as well as HttpClient. It holds all SSL parameters and
 * creates SSL context based on these parameters to be
 * used by the SSL connectors.
 *
 * TrustAll really means trustAll!
 */
@ManagedObject
public class SslContextFactoryRelaxed extends SslContextFactory
{
    @Override
    protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
    {
        TrustManager[] managers = null;
        if (trustStore != null)
        {
            if (isTrustAll())
            {
                // TRUST_ALL_CERTS is the parent's accept-everything trust manager
                managers = TRUST_ALL_CERTS;
            }
            // Revocation checking is only supported for PKIX algorithm
            else if (isValidatePeerCerts() && "PKIX".equalsIgnoreCase(getTrustManagerFactoryAlgorithm()))
            {
                PKIXBuilderParameters pbParams = newPKIXBuilderParameters(trustStore, crls);
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(getTrustManagerFactoryAlgorithm());
                trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
                managers = trustManagerFactory.getTrustManagers();
            }
            else
            {
                // Plain trust store initialisation, no revocation checking
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(getTrustManagerFactoryAlgorithm());
                trustManagerFactory.init(trustStore);
                managers = trustManagerFactory.getTrustManagers();
            }
        }
        return managers;
    }
}
```
To use it:

- Configure SSL/TLS with client authentication as described in the Jetty documentation
- Compile the code above against Jetty 9.x
- Install the jar in `$jetty.home/lib/ext`
- Edit `$jetty.home/etc/jetty-ssl-context.xml`:
  i. Change:
  `<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">`
  to:
  `<Configure id="sslContextFactory" class="media.alu.jetty.SslContextFactoryRelaxed">`
  ii. Add `<Set name="TrustAll">TRUE</Set>` as a child of `<Configure id="sslContextFactory">`
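The following is an added, standalone illustration of the trust-manager decision the override above makes, written against plain JSSE with no Jetty dependency; it is not code from the answer or from Jetty. It shows what "trust all" actually is (an X509TrustManager whose check methods do nothing), why the revocation branch is tied to the PKIX factory (only PKIX accepts CertPathTrustManagerParameters), and adds one guard the answer does not have: the trust-all path is refused unless an explicit system property is set, so it cannot be switched on by a stray configuration value. The class name, the `example.ssl.trustAllPermitted` property, and the use of the JDK's bundled cacerts with its default password are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Example only: mirrors the trustAll / PKIX / plain decision using plain JSSE. */
public final class TrustManagerSelection {

    /** Hypothetical opt-in switch: trust-all is refused unless -Dexample.ssl.trustAllPermitted=true. */
    public static final String TRUST_ALL_OPT_IN = "example.ssl.trustAllPermitted";

    /** An X509TrustManager that accepts every chain: this is all that "trust all" means. */
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static TrustManager[] select(KeyStore trustStore, Collection<? extends CRL> crls,
                                        boolean trustAll, boolean validatePeerCerts,
                                        String algorithm) throws Exception {
        if (trustAll) {
            if (!Boolean.getBoolean(TRUST_ALL_OPT_IN)) {
                throw new IllegalStateException(
                    "trustAll requested but -D" + TRUST_ALL_OPT_IN + "=true was not given");
            }
            return new TrustManager[] { new AcceptAllTrustManager() };
        }
        if (trustStore == null) {
            return null;  // SSLContext.init(..., null, ...) falls back to the JVM default trust store
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        if (validatePeerCerts && "PKIX".equalsIgnoreCase(algorithm)) {
            // Only the PKIX factory accepts CertPathTrustManagerParameters; this is where
            // revocation checking and the CRL collection get switched on.
            PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
            boolean haveCrls = crls != null && !crls.isEmpty();
            params.setRevocationEnabled(haveCrls);
            if (haveCrls) {
                params.addCertStore(CertStore.getInstance(
                    "Collection", new CollectionCertStoreParameters(crls)));
            }
            tmf.init(new CertPathTrustManagerParameters(params));
        } else {
            tmf.init(trustStore);  // plain chain validation, no revocation checking
        }
        return tmf.getTrustManagers();
    }

    /** Builds an SSLContext from the chosen managers (key managers omitted for brevity). */
    public static SSLContext contextFor(TrustManager[] managers) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, managers, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the JDK's bundled cacerts, still protected by the default password.
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, "changeit".toCharArray());
        }

        TrustManager[] strict = select(ts, Collections.<CRL>emptyList(), false, true, "PKIX");
        System.out.println("strict: " + strict[0].getClass().getSimpleName());

        try {
            select(ts, null, true, true, "PKIX");
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }

        System.setProperty(TRUST_ALL_OPT_IN, "true");
        TrustManager[] lax = select(ts, null, true, true, "PKIX");
        System.out.println("opted in: " + lax[0].getClass().getSimpleName());
        contextFor(lax);
    }
}
```

Compile and run it with `javac TrustManagerSelection.java && java TrustManagerSelection` on Java 7 or later; the second `select` call is refused until the property is set, which is the behaviour you want from a switch that disables all certificate validation. Note that `setRevocationEnabled(true)` with an empty CRL collection would make every handshake fail with "could not determine revocation status", which is why the example only enables it when CRLs are actually supplied.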