JAX-WS,信任所有不起作用的 ssl 证书
JAX-WS, trusting all ssl certificates not working
是的,我知道,我不应该相信所有的 ssl 证书。但是由于有一个 VPN 隧道,并且根据暂存阶段需要请求不同的服务器(具有不同的 SSL 证书),我更喜欢 ignore-server-ssl-certificate(s) 方法。
我正在遵循
等建议
- How to disable certificate validation in JAX-WS Client?
- https://erikwramner.wordpress.com/2013/03/27/trust-self-signed-ssl-certificates-and-skip-host-name-verification-with-jax-ws/
- http://singletoninacrowd.blogspot.ch/2012/12/trusting-all-ssl-certificates-in-jax-ws.html
相关代码片段看起来很相似(来自“erikwramner”的想法)
final BindingProvider bp = (BindingProvider) tmpSoapService;
final Map<String, Object> requestContext = bp.getRequestContext();
requestContext.put( BindingProvider.ENDPOINT_ADDRESS_PROPERTY, serviceUrl );
requestContext.put( BindingProvider.USERNAME_PROPERTY, username );
requestContext.put( BindingProvider.PASSWORD_PROPERTY, ntlmPassword );
requestContext.put( com.sun.xml.internal.ws.developer.JAXWSProperties.SSL_SOCKET_FACTORY, getTrustingSSLSocketFactory());
requestContext.put( com.sun.xml.internal.ws.developer.JAXWSProperties.HOSTNAME_VERIFIER, new NaiveHostnameVerifier() );
...
public static SSLSocketFactory getTrustingSSLSocketFactory ()
{
return SSLSocketFactoryHolder.INSTANCE;
}
private static SSLSocketFactory createSSLSocketFactory ()
{
TrustManager[] trustManagers = new TrustManager[] { new NaiveTrustManager() };
SSLContext sslContext;
try
{
sslContext = SSLContext.getInstance( "SSL" );
sslContext.init( null, trustManagers, new java.security.SecureRandom() );
return sslContext.getSocketFactory();
}
catch ( GeneralSecurityException e )
{
return null;
}
}
private static interface SSLSocketFactoryHolder
{
public static final SSLSocketFactory INSTANCE = createSSLSocketFactory();
}
private static class NaiveHostnameVerifier implements HostnameVerifier
{
@Override
public boolean verify ( String hostName, SSLSession session )
{
return true;
}
}
private static class NaiveTrustManager implements X509TrustManager
{
@Override
public void checkClientTrusted ( X509Certificate[] certs, String authType ) throws CertificateException
{
}
@Override
public void checkServerTrusted ( X509Certificate[] certs, String authType ) throws CertificateException
{
}
@Override
public X509Certificate[] getAcceptedIssuers ()
{
return new X509Certificate[0];
}
}
不幸的是,我仍然得到
org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_92]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_92]
at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_92]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_92]
...
这对我来说表示参考了默认的 sun.security.ssl.X509TrustManagerImpl。通过调试,我看到我的 SocketFactory/TrustManager 至少在 org.apache.cxf.endpoint.ClientImpl#invoke(...)
之前被“上交”
我的 TrustManager 没有下落的原因可能是什么?
您正在使用 CXF。您可以使用 client.getConduit().setTlsClientParameters() 设置 TrustManager
例如:
CXF RESTful Client - How to do trust all certs?
Client client = ClientProxy.getClient(service);
HTTPConduit conduit = client.getHttpConduit();
TLSClientParameters params = conduit.getTlsClientParameters();
if (params == null) {
params = new TLSClientParameters();
conduit.setTlsClientParameters(params);
}
params.setTrustManagers( new TrustManager[] { new NaiveTrustManager() });
params.setDisableCNCheck(true);
是的,我知道,我不应该相信所有的 ssl 证书。但是由于有一个 VPN 隧道,并且根据暂存阶段需要请求不同的服务器(具有不同的 SSL 证书),我更喜欢 ignore-server-ssl-certificate(s) 方法。
我正在遵循
等建议- How to disable certificate validation in JAX-WS Client?
- https://erikwramner.wordpress.com/2013/03/27/trust-self-signed-ssl-certificates-and-skip-host-name-verification-with-jax-ws/
- http://singletoninacrowd.blogspot.ch/2012/12/trusting-all-ssl-certificates-in-jax-ws.html
相关代码片段看起来很相似(来自“erikwramner”的想法)
final BindingProvider bp = (BindingProvider) tmpSoapService;
final Map<String, Object> requestContext = bp.getRequestContext();
requestContext.put( BindingProvider.ENDPOINT_ADDRESS_PROPERTY, serviceUrl );
requestContext.put( BindingProvider.USERNAME_PROPERTY, username );
requestContext.put( BindingProvider.PASSWORD_PROPERTY, ntlmPassword );
requestContext.put( com.sun.xml.internal.ws.developer.JAXWSProperties.SSL_SOCKET_FACTORY, getTrustingSSLSocketFactory());
requestContext.put( com.sun.xml.internal.ws.developer.JAXWSProperties.HOSTNAME_VERIFIER, new NaiveHostnameVerifier() );
...
public static SSLSocketFactory getTrustingSSLSocketFactory ()
{
return SSLSocketFactoryHolder.INSTANCE;
}
private static SSLSocketFactory createSSLSocketFactory ()
{
TrustManager[] trustManagers = new TrustManager[] { new NaiveTrustManager() };
SSLContext sslContext;
try
{
sslContext = SSLContext.getInstance( "SSL" );
sslContext.init( null, trustManagers, new java.security.SecureRandom() );
return sslContext.getSocketFactory();
}
catch ( GeneralSecurityException e )
{
return null;
}
}
private static interface SSLSocketFactoryHolder
{
public static final SSLSocketFactory INSTANCE = createSSLSocketFactory();
}
private static class NaiveHostnameVerifier implements HostnameVerifier
{
@Override
public boolean verify ( String hostName, SSLSession session )
{
return true;
}
}
private static class NaiveTrustManager implements X509TrustManager
{
@Override
public void checkClientTrusted ( X509Certificate[] certs, String authType ) throws CertificateException
{
}
@Override
public void checkServerTrusted ( X509Certificate[] certs, String authType ) throws CertificateException
{
}
@Override
public X509Certificate[] getAcceptedIssuers ()
{
return new X509Certificate[0];
}
}
不幸的是,我仍然得到
org.apache.cxf.interceptor.Fault: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_92]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_92]
at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_92]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_92]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_92]
...
这对我来说表示参考了默认的 sun.security.ssl.X509TrustManagerImpl。通过调试,我看到我的 SocketFactory/TrustManager 至少在 org.apache.cxf.endpoint.ClientImpl#invoke(...)
之前被“上交”我的 TrustManager 没有下落的原因可能是什么?
您正在使用 CXF。您可以使用 client.getConduit().setTlsClientParameters() 设置 TrustManager
例如: CXF RESTful Client - How to do trust all certs?
Client client = ClientProxy.getClient(service);
HTTPConduit conduit = client.getHttpConduit();
TLSClientParameters params = conduit.getTlsClientParameters();
if (params == null) {
params = new TLSClientParameters();
conduit.setTlsClientParameters(params);
}
params.setTrustManagers( new TrustManager[] { new NaiveTrustManager() });
params.setDisableCNCheck(true);