0
我已经测试了Apache HttpClinet的几个语法结构(HTTPS & TLS),以便忽略通常在“localhost”配置中使用的自签名证书的证书链。有一个自定义的HttpClient可以很好地适用于TLSv1.1,但是观察服务器跟踪,它不会触发使用TLSv1.2,这是所需的安全算法。如何在使用TLSv1.2的Apache HttpClient中忽略“localhost”?
下面您会发现尝试使用TLSv1.2配置HttpClient。
其他建筑的建议,欢迎。 “本地主机”场景仍然是开发点对点例程的常用机制。如果有一个可配置的例程,只接受本地主机访问的自签名证书,那就太好了。
TLSv1.1例子,使用自定义的HttpClient(工程确定为TLSv1.1但TLSv1.2工作不工作):
HttpClient client = HttpClients.custom().setSSLHostnameVerifier(new NoopHostnameVerifier()).setSslcontext(new SSLContextBuilder().loadTrustMaterial(null, (x509Certificates, s) -> true).build()).build();
服务器日志:
*** Finished
verify_data: { 251, 245, 220, 174, 235, 125, 248, 119, 220, 80, 38, 1 }
***
Thread-7, WRITE: TLSv1 Handshake, length = 48
%% Cached server session: [Session-23, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA]
Thread-7, WRITE: TLSv1 Application Data, length = 108
Thread-7, WRITE: TLSv1 Application Data, length = 1
Thread-7, WRITE: TLSv1 Application Data, length = 19
客户端 - 确定
Debug HTTP response: HttpResponseProxy{HTTP/1.1 200 OK [Date: Tue, 21 Feb 2017 21:16:02 GMT, Access-control-allow-origin: *, Content-length: 20] ResponseEntityProxy{[Content-Length: 20,Chunked: false]}}
*** end of debug ***
Service HTTP Response Code : 200
contentLength is: 20
serviceResponse : This is the response
测试与TLSv1.2工作和代码
SSLContext sslContext = SSLContexts.custom().build();
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
HttpClient client = HttpClients.custom().setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).setConnectionManager(clientConnectionManager).build();
(*)的SSLContext类是过时
服务器日志:
-Djavax.net.debug=ssl
or
System.setProperty("javax.net.debug", "ssl");
JsseJCE: Using MAC HmacSHA256 from provider TBD via init
MAC: Using MessageDigest HmacSHA256 from provider IBMJCE version 1.8
*** Finished
verify_data: { 69, 241, 3, 42, 44, 222, 21, 174, 250, 83, 244, 25 }
***
Thread-7, WRITE: TLSv1.2 Handshake, length = 80
%% Cached server session: [Session-21, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
Thread-7, READ: TLSv1.2 Alert, length = 64
Thread-7, RECV TLSv1.2 ALERT: warning, close_notify
错误在客户端:
sh ./runit.sh
javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=My Name, OU=RED, O=RED Brazil, L=MYCITY, ST=SP, C=BR)