3

I am writing a simple REST API client based on the JDK 11 HttpClient; the simple code is as follows:

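import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.time.Duration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class MyClass {

    // Assumption: the original post does not show the logger; an SLF4J logger is assumed.
    private static final Logger logger = LoggerFactory.getLogger(MyClass.class);

    // Trust manager that accepts every certificate chain without validating it
    private static final X509TrustManager TRUST_MANAGER = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] xcs, String string) {
        }

        public void checkServerTrusted(X509Certificate[] xcs, String string) {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

    private static HttpClient getNewHttpClient() {
        int timeout = 600;
        try {

            // Install the all-trusting host verifier
            // (HttpsURLConnection defaults are not used by java.net.http.HttpClient)
            HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);

            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
            sslContext.init(null, new TrustManager[]{TRUST_MANAGER}, new SecureRandom());

            // Install the all-trusting socket factory (again only for HttpsURLConnection)
            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

            // Set SSL parameters: "HTTPS" requests hostname checking against the certificate
            SSLParameters parameters = new SSLParameters();
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
            HttpClient httpClient = HttpClient.newBuilder()
                    .connectTimeout(Duration.ofMillis(timeout * 1000))
                    .sslContext(sslContext)
                    .sslParameters(parameters)
                    .build();
            return httpClient;
        } catch (Exception e) {
            logger.warn("Unable to create HttpClient with disabled SSL Certificate verifying, default client will be used", e);
            return HttpClient.newHttpClient();
        }
    }

    // send() throws IOException and InterruptedException
    public static void main(String[] args) throws Exception {
        HttpRequest request = HttpRequest.newBuilder()
                .uri(URI.create("https://somehostname.xx.xxx.net"))
                .GET()
                .build();

        getNewHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
    }
}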

The problem is that when I try to open some SSL domains I get an error:

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching somehostname.xx.xxx.net found.

How can I solve this?

4

1 Answer

1

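While turning off hostname verification completely (i.e. for the whole VM) might be an option, it can be dangerous. If you derive your TRUST_MANAGER from javax.net.ssl.X509ExtendedTrustManager, you can disable hostname verification as well.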

    // Requires imports: java.net.Socket, java.security.cert.CertificateException,
    // java.security.cert.X509Certificate, javax.net.ssl.SSLEngine,
    // javax.net.ssl.TrustManager, javax.net.ssl.X509ExtendedTrustManager
    // Accepts every certificate chain; every check method is an empty body.
    private static final TrustManager DUMMY_TRUST_MANAGER = new X509ExtendedTrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { }
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { }
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { }
    };

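Of course, this will also completely disable any check of the certificate presented to your client.

There is also an open issue at https://bugs.openjdk.java.net/browse/JDK-8213309 to add an API to the JDK to specifically turn off hostname verification. If you also have access to the openjdk bug database, you can vote for this issue.

Answered 2021-05-21T06:54:40.887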
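
An added example, not part of the original answer or of the JDK: when the server certificate cannot be reissued with a matching subject alternative name, a trust manager that accepts only one pinned certificate keeps the connection authenticated, unlike the dummy trust manager above, which accepts every certificate. The class name `PinnedCertTrustManager`, the `newClient` helper and the caller-supplied SHA-256 pin are assumptions made for illustration.

```java
import java.net.Socket;
import java.net.http.HttpClient;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical class: trusts exactly one server certificate, identified by its SHA-256 digest.
public final class PinnedCertTrustManager extends X509ExtendedTrustManager {
    private final byte[] pinnedSha256; // digest of the certificate's DER encoding

    public PinnedCertTrustManager(byte[] pinnedSha256) {
        if (pinnedSha256.length != 32) throw new IllegalArgumentException("pin must be a 32-byte SHA-256 digest");
        this.pinnedSha256 = pinnedSha256.clone();
    }

    private void verify(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        chain[0].checkValidity(); // reject an expired or not-yet-valid leaf certificate
        byte[] actual;
        try { actual = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded()); }
        catch (GeneralSecurityException e) { throw new CertificateException(e); }
        if (!MessageDigest.isEqual(actual, pinnedSha256)) throw new CertificateException("server certificate does not match the pinned fingerprint");
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { verify(c); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { verify(c); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { verify(c); }

    // This trust manager is for clients only, so any client-certificate check fails closed.
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("client authentication not supported"); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { throw new CertificateException("client authentication not supported"); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { throw new CertificateException("client authentication not supported"); }

    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    // Hypothetical helper: an HttpClient whose TLS trust is limited to the pinned certificate.
    public static HttpClient newClient(byte[] pin) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedCertTrustManager(pin) }, null);
        return HttpClient.newBuilder().sslContext(ctx).build();
    }
}
```

The pin has to be obtained out of band from the server operator and updated whenever the server certificate is renewed.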