Ignoring SSL certificate in Apache HttpClient 4.3
如何忽略Apache HttpClient 4.3的SSL证书(全部信任)?
我在SO上找到的所有答案都对待以前的版本,并且API更改了。
有关:
- 如何忽略Apache HttpClient 4.0中的SSL证书错误
- 如何使用Apache HttpClient处理无效的SSL证书?
- 使用Spring开发期间需要信任所有证书
- 忽略Java的SSL证书错误
编辑:
- 仅用于测试目的。 孩子们,不要在家(或在生产中)尝试
下面的代码用于信任自签名证书。创建客户端时,必须使用TrustSelfSignedStrategy:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | SSLContextBuilder builder = new SSLContextBuilder(); builder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory( builder.build()); CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory( sslsf).build(); HttpGet httpGet = new HttpGet("https://some-server"); CloseableHttpResponse response = httpclient.execute(httpGet); try { System.out.println(response.getStatusLine()); HttpEntity entity = response.getEntity(); EntityUtils.consume(entity); } finally { response.close(); } |
我没有故意包含
如果您使用上面的PoolingHttpClientConnectionManager过程不起作用,则将忽略自定义SSLContext。创建PoolingHttpClientConnectionManager时,必须在构造函数中传递socketFactoryRegistry。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | SSLContextBuilder builder = SSLContexts.custom(); builder.loadTrustMaterial(null, new TrustStrategy() { @Override public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException { return true; } }); SSLContext sslContext = builder.build(); SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory( sslContext, new X509HostnameVerifier() { @Override public void verify(String host, SSLSocket ssl) throws IOException { } @Override public void verify(String host, X509Certificate cert) throws SSLException { } @Override public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException { } @Override public boolean verify(String s, SSLSession sslSession) { return true; } }); Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder .<ConnectionSocketFactory> create().register("https", sslsf) .build(); PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager( socketFactoryRegistry); CloseableHttpClient httpclient = HttpClients.custom() .setConnectionManager(cm).build(); |
除了@mavroprovato的答案之外,如果您想信任所有证书而不是仅是自签名的,则可以这样做(按照代码的样式)
1 2 3 4 5 6 | builder.loadTrustMaterial(null, new TrustStrategy(){ public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException { return true; } }); |
或(直接从我自己的代码中复制粘贴):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | import javax.net.ssl.SSLContext; import org.apache.http.ssl.TrustStrategy; import org.apache.http.ssl.SSLContexts; // ... SSLContext sslContext = SSLContexts .custom() //FIXME to contain real trust store .loadTrustMaterial(new TrustStrategy() { @Override public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException { return true; } }) .build(); |
而且,如果您也想跳过主机名验证,则需要设置
1 2 | CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory( sslsf).setSSLHostnameVerifier( NoopHostnameVerifier.INSTANCE).build(); |
也一样(不建议使用ALLOW_ALL_HOSTNAME_VERIFIER)。
强制性警告:您不应该这样做,接受所有证书是一件坏事。但是,在某些罕见的用例中,您想这样做。
作为前面给出的代码的注释,即使httpclient.execute()抛出异常,您也希望关闭响应
1 2 3 4 5 6 7 8 9 10 11 12 | CloseableHttpResponse response = null; try { response = httpclient.execute(httpGet); System.out.println(response.getStatusLine()); HttpEntity entity = response.getEntity(); EntityUtils.consume(entity); } finally { if (response != null) { response.close(); } } |
上面的代码已使用测试
1 2 3 4 5 | <dependency> <groupId>org.apache.httpcomponents</groupId> httpclient</artifactId> <version>4.5.3</version> </dependency> |
对于感兴趣的人,这是我完整的测试集:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 | import org.apache.http.HttpEntity; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.conn.ssl.TrustSelfSignedStrategy; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.ssl.SSLContextBuilder; import org.apache.http.ssl.TrustStrategy; import org.apache.http.util.EntityUtils; import org.junit.Test; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.SSLPeerUnverifiedException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; public class TrustAllCertificatesTest { final String expiredCertSite ="https://expired.badssl.com/"; final String selfSignedCertSite ="https://self-signed.badssl.com/"; final String wrongHostCertSite ="https://wrong.host.badssl.com/"; static final TrustStrategy trustSelfSignedStrategy = new TrustSelfSignedStrategy(); static final TrustStrategy trustAllStrategy = new TrustStrategy(){ public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException { return true; } }; @Test public void testSelfSignedOnSelfSignedUsingCode() throws Exception { doGet(selfSignedCertSite, trustSelfSignedStrategy); } @Test(expected = SSLHandshakeException.class) public void testExpiredOnSelfSignedUsingCode() throws Exception { doGet(expiredCertSite, trustSelfSignedStrategy); } @Test(expected = SSLPeerUnverifiedException.class) public void testWrongHostOnSelfSignedUsingCode() throws Exception { doGet(wrongHostCertSite, trustSelfSignedStrategy); } @Test public void testSelfSignedOnTrustAllUsingCode() throws Exception { doGet(selfSignedCertSite, trustAllStrategy); } @Test public void testExpiredOnTrustAllUsingCode() throws Exception { doGet(expiredCertSite, trustAllStrategy); } @Test(expected = SSLPeerUnverifiedException.class) public void testWrongHostOnTrustAllUsingCode() throws Exception { doGet(wrongHostCertSite, trustAllStrategy); } @Test public void testSelfSignedOnAllowAllUsingCode() throws Exception { doGet(selfSignedCertSite, trustAllStrategy, NoopHostnameVerifier.INSTANCE); } @Test public void testExpiredOnAllowAllUsingCode() throws Exception { doGet(expiredCertSite, trustAllStrategy, NoopHostnameVerifier.INSTANCE); } @Test public void testWrongHostOnAllowAllUsingCode() throws Exception { doGet(expiredCertSite, trustAllStrategy, NoopHostnameVerifier.INSTANCE); } public void doGet(String url, TrustStrategy trustStrategy, HostnameVerifier hostnameVerifier) throws Exception { SSLContextBuilder builder = new SSLContextBuilder(); builder.loadTrustMaterial(trustStrategy); SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory( builder.build()); CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory( sslsf).setSSLHostnameVerifier(hostnameVerifier).build(); HttpGet httpGet = new HttpGet(url); CloseableHttpResponse response = httpclient.execute(httpGet); try { System.out.println(response.getStatusLine()); HttpEntity entity = response.getEntity(); EntityUtils.consume(entity); } finally { response.close(); } } public void doGet(String url, TrustStrategy trustStrategy) throws Exception { SSLContextBuilder builder = new SSLContextBuilder(); builder.loadTrustMaterial(trustStrategy); SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory( builder.build()); CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory( sslsf).build(); HttpGet httpGet = new HttpGet(url); CloseableHttpResponse response = httpclient.execute(httpGet); try { System.out.println(response.getStatusLine()); HttpEntity entity = response.getEntity(); EntityUtils.consume(entity); } finally { response.close(); } } } |
(在github上工作的测试项目)
花瓶的答案的一个小补充:
使用PoolingHttpClientConnectionManager时,SocketFactoryRegistry提供的解决方案可以工作。
但是,通过纯http的连接将不再起作用。您还必须为http协议添加一个PlainConnectionSocketFactory,以使它们再次运行:
1 2 3 4 | Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory> create() .register("https", sslsf) .register("http", new PlainConnectionSocketFactory()).build(); |
尝试各种选项后,以下配置可同时用于http和https
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | SSLContextBuilder builder = new SSLContextBuilder(); builder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(builder.build(),SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create() .register("http", new PlainConnectionSocketFactory()) .register("https", sslsf) .build(); PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry); cm.setMaxTotal(2000);//max connection //System.setProperty("jsse.enableSNIExtension","false"); //"" CloseableHttpClient httpClient = HttpClients.custom() .setSSLSocketFactory(sslsf) .setConnectionManager(cm) .build(); |
我正在使用http-client 4.3.3-
更简单,更短的工作代码:
We are using HTTPClient 4.3.5 and we tried almost all solutions exist on the stackoverflow but nothing,
After thinking and figuring out the problem, we come to the following code which works perfectly,
just add it before creating HttpClient instance.some method which you use to make post request...
1 2 3 4 5 6 7 8 9 10 11 12 13 | SSLContextBuilder builder = new SSLContextBuilder(); builder.loadTrustMaterial(null, new TrustStrategy() { @Override public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException { return true; } }); SSLConnectionSocketFactory sslSF = new SSLConnectionSocketFactory(builder.build(), SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslSF).build(); HttpPost postRequest = new HttpPost(url); |
continue calling and using HttpPost instance in the normal form
这是上述技术的有效提要,等同于" curl --insecure":
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | HttpClient getInsecureHttpClient() throws GeneralSecurityException { TrustStrategy trustStrategy = new TrustStrategy() { @Override public boolean isTrusted(X509Certificate[] chain, String authType) { return true; } }; HostnameVerifier hostnameVerifier = new HostnameVerifier() { @Override public boolean verify(String hostname, SSLSession session) { return true; } }; return HttpClients.custom() .setSSLSocketFactory(new SSLConnectionSocketFactory( new SSLContextBuilder().loadTrustMaterial(trustStrategy).build(), hostnameVerifier)) .build(); } |
使用http客户端4.5时,我必须使用javasx.net.ssl.HostnameVerifier允许任何主机名(出于测试目的)。这是我最终要做的事情:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | CloseableHttpClient httpClient = null; try { SSLContextBuilder sslContextBuilder = new SSLContextBuilder(); sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); HostnameVerifier hostnameVerifierAllowAll = new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }; SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContextBuilder.build(), hostnameVerifierAllowAll); CredentialsProvider credsProvider = new BasicCredentialsProvider(); credsProvider.setCredentials( new AuthScope("192.168.30.34", 8443), new UsernamePasswordCredentials("root","password")); httpClient = HttpClients.custom() .setSSLSocketFactory(sslSocketFactory) .setDefaultCredentialsProvider(credsProvider) .build(); HttpGet httpGet = new HttpGet("https://192.168.30.34:8443/axis/services/getStuff?firstResult=0&maxResults=1000"); CloseableHttpResponse response = httpClient.execute(httpGet); int httpStatus = response.getStatusLine().getStatusCode(); if (httpStatus >= 200 && httpStatus < 300) { [...] } else { throw new ClientProtocolException("Unexpected response status:" + httpStatus); } } catch (Exception ex) { ex.printStackTrace(); } finally { try { httpClient.close(); } catch (IOException ex) { logger.error("Error while closing the HTTP client:", ex); } } |
在
如果要使用
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | SSLContextBuilder builder = SSLContexts.custom(); builder.loadTrustMaterial(null, new TrustStrategy() { @Override public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException { return true; } }); SSLContext sslContext = builder.build(); SchemeIOSessionStrategy sslioSessionStrategy = new SSLIOSessionStrategy(sslContext, new HostnameVerifier(){ @Override public boolean verify(String hostname, SSLSession session) { return true;// TODO as of now allow all hostnames } }); Registry<SchemeIOSessionStrategy> sslioSessionRegistry = RegistryBuilder.<SchemeIOSessionStrategy>create().register("https", sslioSessionStrategy).build(); PoolingNHttpClientConnectionManager ncm = new PoolingNHttpClientConnectionManager(new DefaultConnectingIOReactor(),sslioSessionRegistry); CloseableHttpAsyncClient asyncHttpClient = HttpAsyncClients.custom().setConnectionManager(ncm).build(); asyncHttpClient.start(); |
如果您使用的是
1 2 3 4 5 6 7 8 9 | SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, TrustSelfSignedStrategy.INSTANCE).build(); SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory( sslContext, NoopHostnameVerifier.INSTANCE); HttpClient httpClient = HttpClients.custom() .setDefaultCookieStore(new BasicCookieStore()) .setSSLSocketFactory(sslSocketFactory) .build(); |
信任Apache HTTP客户端中的所有证书
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( java.security.cert.X509Certificate[] certs, String authType) { } public void checkServerTrusted( java.security.cert.X509Certificate[] certs, String authType) { } } }; try { SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory( sc); httpclient = HttpClients.custom().setSSLSocketFactory( sslsf).build(); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 | class ApacheHttpClient { /*** * This is a https get request that bypasses certificate checking and hostname verifier. * It uses basis authentication method. * It is tested with Apache httpclient-4.4. * It dumps the contents of a https page on the console output. * It is very similar to http get request, but with the additional customization of * - credential provider, and * - SSLConnectionSocketFactory to bypass certification checking and hostname verifier. * @param path String * @param username String * @param password String * @throws IOException */ public void get(String path, String username, String password) throws IOException { final CloseableHttpClient httpClient = HttpClients.custom() .setDefaultCredentialsProvider(createCredsProvider(username, password)) .setSSLSocketFactory(createGenerousSSLSocketFactory()) .build(); final CloseableHttpResponse response = httpClient.execute(new HttpGet(path)); try { HttpEntity entity = response.getEntity(); if (entity == null) return; System.out.println(EntityUtils.toString(entity)); } finally { response.close(); httpClient.close(); } } private CredentialsProvider createCredsProvider(String username, String password) { CredentialsProvider credsProvider = new BasicCredentialsProvider(); credsProvider.setCredentials( AuthScope.ANY, new UsernamePasswordCredentials(username, password)); return credsProvider; } /*** * * @return SSLConnectionSocketFactory that bypass certificate check and bypass HostnameVerifier */ private SSLConnectionSocketFactory createGenerousSSLSocketFactory() { SSLContext sslContext; try { sslContext = SSLContext.getInstance("SSL"); sslContext.init(null, new TrustManager[]{createGenerousTrustManager()}, new SecureRandom()); } catch (KeyManagementException | NoSuchAlgorithmException e) { e.printStackTrace(); return null; } return new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE); } private X509TrustManager createGenerousTrustManager() { return new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] cert, String s) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] cert, String s) throws CertificateException { } @Override public X509Certificate[] getAcceptedIssuers() { return null; } }; } } |
(我本来可以直接在vasekt的答案中添加评论,但我的信誉点不足(不确定那里的逻辑)
无论如何...我想说的是,即使您没有显式创建/请求PoolingConnection,也不意味着您没有得到。
我发疯了,试图弄清楚为什么原始解决方案对我不起作用,但是我忽略了vasekt的回答,因为它"不适用于我的情况"-错误!
我低头盯着我的堆栈跟踪,发现中间有一个PoolingConnection。邦-我讨厌他的加入和成功!! (我们的演示是明天,我感到绝望):-)
您可以使用以下代码片段来获取HttpClient实例,而无需进行ssl认证检查。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | private HttpClient getSSLHttpClient() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException { LogLoader.serverLog.trace("In getSSLHttpClient()"); SSLContext context = SSLContext.getInstance("SSL"); TrustManager tm = new X509TrustManager() { public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } public X509Certificate[] getAcceptedIssuers() { return null; } }; context.init(null, new TrustManager[] { tm }, null); HttpClientBuilder builder = HttpClientBuilder.create(); SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory(context); builder.setSSLSocketFactory(sslConnectionFactory); PlainConnectionSocketFactory plainConnectionSocketFactory = new PlainConnectionSocketFactory(); Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create() .register("https", sslConnectionFactory).register("http", plainConnectionSocketFactory).build(); PoolingHttpClientConnectionManager ccm = new PoolingHttpClientConnectionManager(registry); ccm.setMaxTotal(BaseConstant.CONNECTION_POOL_SIZE); ccm.setDefaultMaxPerRoute(BaseConstant.CONNECTION_POOL_SIZE); builder.setConnectionManager((HttpClientConnectionManager) ccm); builder.disableRedirectHandling(); LogLoader.serverLog.trace("Out getSSLHttpClient()"); return builder.build(); } |