How to disable SSL certificate checking with Spring RestTemplate?
我正在尝试编写一个集成测试,其中我们的测试使用Simple启动一个嵌入式HTTPS服务器。我使用
但是,当我尝试使用Spring RestTemplate进行连接时,出现ResourceAccessException:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 | org.springframework.web.client.ResourceAccessException: I/O error on GET request for"https://localhost:8088":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:557) at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:502) at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:444) at net.initech.DummySslServer.shouldConnect(DummySslServer.java:119) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47) at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44) at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26) at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27) at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50) at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238) at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63) at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236) at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53) at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229) at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26) at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27) at org.junit.runners.ParentRunner.run(ParentRunner.java:309) at org.junit.runner.JUnitCore.run(JUnitCore.java:160) at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:74) at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:211) at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1369) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:156) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925) at sun.security.ssl.Handshaker.process_record(Handshaker.java:860) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78) at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:52) at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:541) ... 33 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1351) ... 47 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ... 53 more |
从其他问题和博客文章中,我已经看到了将
1 | private static final HostnameVerifier PROMISCUOUS_VERIFIER = ( s, sslSession ) -> true; |
我已经在全局和
1 | HttpsURLConnection.setDefaultHostnameVerifier( PROMISCUOUS_VERIFIER ); |
...以及
1 2 3 4 5 6 7 8 9 10 | final RestTemplate restTemplate = new RestTemplate(); restTemplate.setRequestFactory( new SimpleClientHttpRequestFactory() { @Override protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException { if(connection instanceof HttpsURLConnection ){ ((HttpsURLConnection) connection).setHostnameVerifier(PROMISCUOUS_VERIFIER); } super.prepareConnection(connection, httpMethod); } }); |
但是,我仍然遇到上述错误。我该如何解决?
我正在使用Java 8(但可以使用7)和Spring 4.0.3。
我希望我仍然有指向该方向的资源链接,但这是最终为我工作的代码。通过查看X509TrustManager的JavaDoc,看起来
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | import javax.net.ssl.*; import java.security.*; import java.security.cert.X509Certificate; public final class SSLUtil{ private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[]{ new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers(){ return null; } public void checkClientTrusted( X509Certificate[] certs, String authType ){} public void checkServerTrusted( X509Certificate[] certs, String authType ){} } }; public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException { // Install the all-trusting trust manager final SSLContext sc = SSLContext.getInstance("SSL"); sc.init( null, UNQUESTIONING_TRUST_MANAGER, null ); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } public static void turnOnSslChecking() throws KeyManagementException, NoSuchAlgorithmException { // Return it to the initial state (discovered by reflection, now hardcoded) SSLContext.getInstance("SSL").init( null, null, null ); } private SSLUtil(){ throw new UnsupportedOperationException("Do not instantiate libraries."); } } |
为了其他开发人员找到这个问题并需要另一种不仅适合单元测试的解决方案:
我在博客上找到了这个(不是我的解决方案!感谢博客的所有者)。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true; SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom() .loadTrustMaterial(null, acceptingTrustStrategy) .build(); SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext); CloseableHttpClient httpClient = HttpClients.custom() .setSSLSocketFactory(csf) .build(); HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(); requestFactory.setHttpClient(httpClient); RestTemplate restTemplate = new RestTemplate(requestFactory); |
您还可以注册您的密钥库:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | private void registerKeyStore(String keyStoreName) { try { ClassLoader classLoader = this.getClass().getClassLoader(); InputStream keyStoreInputStream = classLoader.getResourceAsStream(keyStoreName); if (keyStoreInputStream == null) { throw new FileNotFoundException("Could not find file named '" + keyStoreName +"' in the CLASSPATH"); } //load the keystore KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(keyStoreInputStream, null); //add to known keystore TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keystore); //default SSL connections are initialized with the keystore above TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustManagers, null); SSLContext.setDefault(sc); } catch (IOException | GeneralSecurityException e) { throw new RuntimeException(e); } } |
这是一个禁用安全检查的解决方案(例如,与localhost交谈)。此外,我看到的一些解决方案现在包含不赞成使用的方法等。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 | /** * @param configFilePath * @param ipAddress * @param userId * @param password * @throws MalformedURLException */ public Upgrade(String aConfigFilePath, String ipAddress, String userId, String password) { configFilePath = aConfigFilePath; baseUri ="https://" + ipAddress +":" + PORT +"/"; restTemplate = new RestTemplate(createSecureTransport(userId, password, ipAddress, PORT)); restTemplate.getMessageConverters().add(new MappingJacksonHttpMessageConverter()); restTemplate.getMessageConverters().add(new StringHttpMessageConverter()); } ClientHttpRequestFactory createSecureTransport(String username, String password, String host, int port) { HostnameVerifier nullHostnameVerifier = new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }; UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(username, password); CredentialsProvider credentialsProvider = new BasicCredentialsProvider(); credentialsProvider.setCredentials( new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM), credentials); HttpClient client = HttpClientBuilder.create() .setSSLHostnameVerifier(nullHostnameVerifier) .setSSLContext(createContext()) .setDefaultCredentialsProvider(credentialsProvider).build(); HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(client); return requestFactory; } private SSLContext createContext() { TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( java.security.cert.X509Certificate[] certs, String authType) { } public void checkServerTrusted( java.security.cert.X509Certificate[] certs, String authType) { } } }; try { SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, null); SSLContext.setDefault(sc); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }); return sc; } catch (Exception e) { } return null; } |
请参见下面的内容,以对上面显示的@Sled代码进行适度的改进,即打开方法丢失了一行,现在它通过了我的测试。在使用默认HTTP配置(未配置为使用Apache HTTP Client)的Spring-Boot版本2应用程序中使用RestTemplate时,这将禁用HTTPS证书和主机名欺骗。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 | package org.my.little.spring-boot-v2.app; import java.security.KeyManagementException; import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; /** * Disables and enables certificate and host-name checking in * HttpsURLConnection, the default JVM implementation of the HTTPS/TLS protocol. * Has no effect on implementations such as Apache Http Client, Ok Http. */ public final class SSLUtils { private static final HostnameVerifier jvmHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier(); private static final HostnameVerifier trivialHostnameVerifier = new HostnameVerifier() { public boolean verify(String hostname, SSLSession sslSession) { return true; } }; private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[] { new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) { } public void checkServerTrusted(X509Certificate[] certs, String authType) { } } }; public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException { HttpsURLConnection.setDefaultHostnameVerifier(trivialHostnameVerifier); // Install the all-trusting trust manager SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, UNQUESTIONING_TRUST_MANAGER, null); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } public static void turnOnSslChecking() throws KeyManagementException, NoSuchAlgorithmException { HttpsURLConnection.setDefaultHostnameVerifier(jvmHostnameVerifier); // Return it to the initial state (discovered by reflection, now hardcoded) SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, null, null); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } private SSLUtils() { throw new UnsupportedOperationException("Do not instantiate libraries."); } } |
我知道答案太老了,但是我找不到这样的解决方案。
适用于jersey客户端的代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 | import org.glassfish.jersey.client.ClientConfig; import org.glassfish.jersey.client.ClientProperties; import javax.net.ssl.*; import javax.ws.rs.client.Client; import javax.ws.rs.client.ClientBuilder; import javax.ws.rs.client.Entity; import javax.ws.rs.client.WebTarget; import javax.ws.rs.core.Form; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedHashMap; import java.security.KeyManagementException; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; public class Testi { static { disableSslVerification(); } private static void disableSslVerification() { // Create all-trusting host name verifier HostnameVerifier allHostsValid = new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }; // Install the all-trusting host verifier HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid); } public Testi() { MultivaluedHashMap<String, Object> headers = new MultivaluedHashMap<>(); //... initialize headers Form form = new Form(); Entity<Form> entity = Entity.entity(form, MediaType.APPLICATION_FORM_URLENCODED_TYPE); // initialize entity ... WebTarget target = getWebTarget(); Object responseResult = target.path("api/test/path...").request() .headers(headers).post(entity, Object.class); } public static void main(String args[]) { new Testi(); } private WebTarget getWebTarget() { ClientConfig clientConfig = new ClientConfig(); clientConfig.property(ClientProperties.CONNECT_TIMEOUT, 30000); clientConfig.property(ClientProperties.READ_TIMEOUT, 30000); SSLContext sc = getSSLContext(); Client client = ClientBuilder.newBuilder().sslContext(sc).withConfig(clientConfig).build(); WebTarget target = client.target("...url..."); return target; } private SSLContext getSSLContext() { try { // Create a trust manager that does not validate certificate chains TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() { @Override public void checkClientTrusted(java.security.cert.X509Certificate[] x509Certificates, String s) throws CertificateException { } @Override public void checkServerTrusted(java.security.cert.X509Certificate[] x509Certificates, String s) throws CertificateException { } public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } } }; // Install the all-trusting trust manager SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); return sc; } catch (NoSuchAlgorithmException | KeyManagementException e) { e.printStackTrace(); } return null; } } |
禁用证书检查是错误的解决方案,并且完全不安全。
正确的解决方案是将自签名证书导入到您的信任库中。一个更正确的解决方案是获取由CA签名的证书。
如果"仅用于测试",则仍需要测试生产配置。测试其他东西根本不是测试,只是浪费时间。