1. 首页
  2. 问答
  3. Java SSL/TLS忽略过期证书? (java.security.cert.CertPathValidatorException:时间戳检查失败)

Java SSL/TLS忽略过期证书? (java.security.cert.CertPathValidatorException:时间戳检查失败)

2010-09-08 182 views
15

我遇到与通过SSL进行通信的api有关的问题。由于SSL证书已过期的事实,我认为这个例外即将到来。问题是我不管理API框。是否可以忽略过期的证书?Java SSL/TLS忽略过期证书? (java.security.cert.CertPathValidatorException:时间戳检查失败)

例外:

[ERROR,TaacWorkshop] Problem deleting user group from CADA: 
org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed 
    at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:156) 
    at company.oss.thrift.cada.CADABackend$Client.send_DeleteUserGroup(CADABackend.java:580) 
    at company.oss.thrift.cada.CADABackend$Client.DeleteUserGroup(CADABackend.java:568) 
    at com.cable.company.nse.cada.CadaDao.deleteUserGroup(CadaDao.java:72) 
    at com.cable.company.nse.taac.business.TaacWorkshop.deleteTaac(TaacWorkshop.java:127) 
    at com.cable.company.nse.taac.controller.RemoteVendorAccessController.processRequest(RemoteVendorAccessController.java:130) 
    at com.cable.company.nse.taac.controller.RemoteVendorAccessController$$FastClassByCGLIB$$63639bdf.invoke(<generated>) 
    at net.sf.cglib.proxy.MethodProxy.invoke(MethodProxy.java:191) 
    at org.springframework.aop.framework.Cglib2AopProxy$CglibMethodInvocation.invokeJoinpoint(Cglib2AopProxy.java:692) 
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) 
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:67) 
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) 
    at org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:625) 
    at com.cable.company.nse.taac.controller.RemoteVendorAccessController$$EnhancerByCGLIB$$bdd8aaad.processRequest(<generated>) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
    at java.lang.reflect.Method.invoke(Method.java:592) 
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.doInvokeMethod(HandlerMethodInvoker.java:710) 
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:167) 
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:414) 
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:402) 
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:771) 
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716) 
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647) 
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:563) 
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) 
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:343) 
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109) 
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:109) 
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355) 
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149) 
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) 
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) 
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) 
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) 
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852) 
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) 
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) 
    at java.lang.Thread.run(Thread.java:613) 
Caused by: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1232) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1244) 
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:43) 
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65) 
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123) 
    at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:154) 
    ... 66 more 
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed 
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584) 
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174) 
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168) 
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848) 
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106) 
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495) 
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:618) 
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59) 
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65) 
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123) 
    at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:154) 
    at company.oss.thrift.cada.CADABackend$Client.send_CreateUserGroup(CADABackend.java:546) 
    at company.oss.thrift.cada.CADABackend$Client.CreateUserGroup(CADABackend.java:534) 
    at com.cable.company.nse.cada.CadaDao.createUserGroup(CadaDao.java:93) 
    at com.cable.company.nse.taac.business.TaacWorkshop.createTaac(TaacWorkshop.java:210) 
    at com.cable.company.nse.taac.controller.RemoteVendorAccessController.processRequest(RemoteVendorAccessController.java:111) 
    ... 61 more 
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed 
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187) 
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:130) 
    at sun.security.validator.Validator.validate(Validator.java:203) 
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172) 
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320) 
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841) 
    ... 76 more 
Caused by: java.security.cert.CertPathValidatorException: timestamp check failed 
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139) 
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316) 
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178) 
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206) 
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182) 
    ... 81 more 
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 17 13:44:42 MDT 2010 
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256) 
    at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570) 
    at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:157) 
    at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:109) 
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117) 
    ... 85 more

当前的代码必须能够设置一个信任存储,因为有一个客户端证书身份验证。我已经尝试了以下建议,但仍遇到一些问题。下面是当前代码我使用:

 KeyStore identityStore = KeyStore.getInstance(KeyStore.getDefaultType()); 
     ClassPathResource keystore = new ClassPathResource(cadaBackendCertFile); 

     identityStore.load(keystore.getInputStream(), cadaBackendCertFilePassword.toCharArray()); 

     KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
     kmf.init(identityStore, cadaBackendCertFilePassword.toCharArray()); 

     TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); 
     tmf.init(identityStore); 

     SSLContext ctx = SSLContext.getInstance("TLS"); 
     ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); 

     SSLSocketFactory fac = ctx.getSocketFactory(); 
     Socket sslsock = fac.createSocket(cadaBackendEndpoint, cadaBackendPort); 
     TTransport transport = new TSocket(sslsock);

改变了代码以下,和我获取服务器的问题,但它固定我的问题与安全性异常:

 KeyStore identityStore = KeyStore.getInstance(KeyStore.getDefaultType()); 
     ClassPathResource keystore = new ClassPathResource(cadaBackendCertFile); 

     identityStore.load(keystore.getInputStream(), cadaBackendCertFilePassword.toCharArray()); 

     KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
     kmf.init(identityStore, cadaBackendCertFilePassword.toCharArray()); 

     TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); 
     tmf.init(identityStore); 

     SSLContext ctx = SSLContext.getInstance("TLS"); 
     ctx.init(kmf.getKeyManagers(), new TrustManager[] {new X509TrustManager(){ 
      public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { 
      } 
      public void checkServerTrusted(X509Certificate[] chain,String authType) throws CertificateException {    
      } 
      public X509Certificate[] getAcceptedIssuers() { 
       return null; 
      }  
     }}, new SecureRandom()); 

     SSLSocketFactory fac = ctx.getSocketFactory(); 
     Socket sslsock = fac.createSocket(cadaBackendEndpoint, cadaBackendPort); 
     TTransport transport = new TSocket(sslsock); 

     TProtocol proto = new TBinaryProtocol(transport); 
     cadaBackendClient = new Client(proto);

其实 - 甚至以上代码抛出异常:

ERROR[com.cable.nse.cada.CadaDaoTest][main] - Error: 
org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate 
    at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:156) 
    at .oss.thrift.cada.CADABackend$Client.send_UserDetails(CADABackend.java:328) 
    at .oss.thrift.cada.CADABackend$Client.UserDetails(CADABackend.java:316) 
    at com.cable.nse.cada.CadaDao.getUserDetails(CadaDao.java:136) 
    at com.cable.nse.cada.CadaDaoTest.testCada(CadaDaoTest.java:73) 
    at com.cable.nse.cada.CadaDaoTest.test(CadaDaoTest.java:37) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
    at java.lang.reflect.Method.invoke(Method.java:592) 
    at junit.framework.TestCase.runTest(TestCase.java:154) 
    at junit.framework.TestCase.runBare(TestCase.java:127) 
    at junit.framework.TestResult$1.protect(TestResult.java:106) 
    at junit.framework.TestResult.runProtected(TestResult.java:124) 
    at junit.framework.TestResult.run(TestResult.java:109) 
    at junit.framework.TestCase.run(TestCase.java:118) 
    at junit.framework.TestSuite.runTest(TestSuite.java:208) 
    at junit.framework.TestSuite.run(TestSuite.java:203) 
    at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:130) 
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38) 
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467) 
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683) 
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390) 
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197) 
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate 
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150) 
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1650) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089) 
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:618) 
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59) 
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65) 
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123) 
    at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:154) 
    ... 23 more

来源

2010-09-08 wuntee

+0

在你编辑的版本,你对keymanager和trustmanager使用相同的密钥库(可能有意,不确定)。如果你没有使用客户端证书认证,你不需要它,使用'null'作为'SSLContext.init(...)'的第一个参数。如果服务器可选地请求客户端证书身份验证,并且客户端发送服务器不接受的证书,则会出现此类错误。 – Bruno 2010-09-08 22:48:00

+0

我确实有客户端认证授权。密钥库包含客户端证书以及端点的自签名证书。那么,错误很可能是因为服务器不接受证书? – wuntee 2010-09-09 14:56:17

回答

8

改变默认SSLContext是不安全的,因为它会影响整个过程。这将不加区别地降低每个连接的安全设置。尽管我不确定,但它也可能不是线程安全的。

我建议将这些操作委托给单独的进程每个请求。

String content = new HttpsNoVerify.fetch(URL.create(myURL));

上市COM /例子/ HttpsNoVerify.java

上市 
package com.example; 

import org.apache.commons.io.IOUtils; 

import javax.net.ssl.HttpsURLConnection; 
import javax.net.ssl.SSLContext; 
import javax.net.ssl.TrustManager; 
import javax.net.ssl.X509TrustManager; 
import java.net.URL; 

public class HttpsNoVerify { 
    public static void main(String... args) throws Exception { 
     URL url = new URL(args[0]); 

     TrustManager[] trustAllCerts = new TrustManager[]{ 
      new X509TrustManager() { 
       public java.security.cert.X509Certificate[] getAcceptedIssuers() {return null;} 
       public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType){} 
       public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType){} 
      } 
     }; 

     SSLContext sc = SSLContext.getInstance("SSL"); 
     sc.init(null, trustAllCerts, new java.security.SecureRandom()); 
     HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); 

     IOUtils.copy(url.openStream(), System.out); 
    } 

    public String fetch(URL url) throws Exception { 
     return new SubProcess(HttpsNoVerify.class).run(url.toString()); 
    } 
}

COM /例子/ SubProcess.java

package com.example; 

import org.apache.commons.io.IOUtils; 

import java.util.Arrays; 

public class SubProcess { 
    private final Class<?> classToRun; 

    public SubProcess(Class<?> classToRun) { 
     this.classToRun = classToRun; 
    } 

    public String run(String... args) throws Exception { 
     ProcessBuilder processBuilder = new ProcessBuilder("java", 
       "-Djava.library.path=" + System.getProperty("java.library.path"), 
       "-classpath", System.getProperty("java.class.path"), 
       classToRun.getCanonicalName()); 

     for (String arg : args) processBuilder.command().add(arg); 

     processBuilder.redirectErrorStream(); 

     Process process = processBuilder.start(); 

     String output = IOUtils.toString(process.getInputStream()); 

     process.waitFor(); 

     if (process.exitValue() != 0) 
      throw new IllegalStateException(
        String.format("Running %s with %s failed", classToRun, Arrays.toString(args))); 

     return output; 
    } 
}

来源

2010-09-08 19:40:36

+0

我想你的意思是“改变* default * SSLContext不安全”,我同意这一点。 – Bruno 2010-09-08 20:05:34

+0

我添加了我使用的代码 - 我试图创建新的信任管理器,但得到了“javax.net.ssl.SSLHandshakeException:收到致命警报:certificate_unknown”异常... – wuntee 2010-09-08 20:26:19

+0

对不起,我想这个例外是来自服务器。具体来说,它是:org.apache.thrift.transport.TTransportException:javax.net.ssl.SSLHandshakeException:收到致命警报:certificate_unknown – wuntee 2010-09-08 20:45:42

-5

我认为你可以下载证书并将其添加到你的商店。然后,使用环境属性配置您的jvm以指示商店的位置。

来源

2010-09-08 17:48:25 hvgotcodes

+1

这已经是我正在做的事情。问题是证书已过期,并导致异常。我希望有一些属性可以设置为忽略过期的密钥。 – wuntee 2010-09-08 18:27:28

+0

添加此证书不会解决问题,因为此证书已过期(已过期)。那么它不会通过验证。 – Znik 2016-07-14 14:01:47

2

我不知道一个属性会让您忽略远程证书上的默认X509TrustManager s的时间有效性检查,但如果您有权访问客户端代码,则可以使用您的帐户配置不同的SSLContext自己的X509TrustManager,你可以在其中找到这个例外。

如果你想使用类似jSSLutils及其SSLContextFactory,你可以写沿着这些路线的包装:

PKIXSSLContextFactory sslContextFactory = new PKIXSSLContextFactory(); 
sslContextFactory.setTrustManagerWrapper(new X509TrustManagerWrapper() { 
    @Override 
    public X509TrustManager wrapTrustManager(final X509TrustManager origManager) { 
     return new X509TrustManager() { 
      @Override 
      public X509Certificate[] getAcceptedIssuers() { 
       return origManager.getAcceptedIssuers(); 
      } 

      @Override 
      public void checkServerTrusted(X509Certificate[] chain, 
                String authType) 
        throws CertificateException { 
       try { 
        origManager.checkServerTrusted(chain, authType); 
       } catch (CertificateExpiredException e) { 
        // TODO log or do something else to rethrow 
            // the exception if chain[0] isn't the certificate 
            // for which you want to make this special case. 
       } 
      } 

      @Override 
      public void checkClientTrusted(X509Certificate[] chain, 
                String authType) 
        throws CertificateException { 
       origManager.checkClientTrusted(chain, authType); 
      } 
     }; 
    } 
}); 
SSLContext sslContext = sslContextFactory.buildSSLContext();

利用这个SSLContext的那么真的取决于你的应用程序使用SSL。在最坏的情况下,您可以使用SSLContext.setDefault(sslContext)以及Java 6及更高版本在全局进行配置。否则,有些库会让你配置SSLContext

来源

2010-09-08 19:21:38 Bruno

+1

这不是非常脆弱吗?如果在日期/时间检查后再次进行检查,它会被默认跳过? – dascandy 2013-02-19 09:23:18

+0

@dascandy,你是对的。我已经完全忘记了这个答案,但我在[这个类似的答案]中提到了这些行中的一些内容(http://stackoverflow.com/a/13742250/372643)。 – Bruno 2013-02-19 09:47:48

相关问题

 相关问题