1. 首页
  2. 问答
  3. 为什么找不到SSL握手的信任库?

为什么找不到SSL握手的信任库?

2009-11-12 33 views
13

我在客户端使用Spring REST模板来调用REST端点。在这种情况下,客户端是Spring应用程序,Tomcat是servlet容器。为什么找不到SSL握手的信任库?

我遇到了连接到HTTPS端点的问题。我收到一个错误,指出它找不到信任库的有效路径。我可以在哪里指定?这是在容器级还是应用程序配置(Spring)级完成的?

堆栈跟踪:

org.springframework.web.client.ResourceAccessException: I/O error: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target; 
nested exception is javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target 
org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:330) 
org.springframework.web.client.RestTemplate.execute(RestTemplate.java:292) 
org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:227)

来源

2009-11-12 nialloc

回答

10

您需要正确配置其做外部RESTTemplate中的SSLContext。这应该让你开始:

String keystoreType = "JKS"; 
    InputStream keystoreLocation = null; 
    char [] keystorePassword = null; 
    char [] keyPassword = null; 

    KeyStore keystore = KeyStore.getInstance(keystoreType); 
    keystore.load(keystoreLocation, keystorePassword); 
    KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
    kmfactory.init(keystore, keyPassword); 

    InputStream truststoreLocation = null; 
    char [] truststorePassword = null; 
    String truststoreType = "JKS"; 

    KeyStore truststore = KeyStore.getInstance(truststoreType); 
    truststore.load(truststoreLocation, truststorePassword); 
    TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); 

    KeyManager [] keymanagers = kmfactory.getKeyManagers(); 
    TrustManager [] trustmanagers = tmfactory.getTrustManagers(); 

    SSLContext sslContext = SSLContext.getInstance("TLS"); 
    sslContext.init(keymanagers, trustmanagers, new SecureRandom()); 
    SSLContext.setDefault(sslContext);

来源

2009-11-13 15:25:23 Kevin

32

更具体地说,调用此方法会做的伎俩,使任何后续的HttpClient调用不会在意SSL证书有效期:

public static void trustSelfSignedSSL() { 
    try { 
     SSLContext ctx = SSLContext.getInstance("TLS"); 
     X509TrustManager tm = new X509TrustManager() { 

      public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { 
      } 

      public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException { 
      } 

      public X509Certificate[] getAcceptedIssuers() { 
       return null; 
      } 
     }; 
     ctx.init(null, new TrustManager[]{tm}, null); 
     SSLContext.setDefault(ctx); 
    } catch (Exception ex) { 
     ex.printStackTrace(); 
    } 
}

来源

2011-09-16 15:47:31

+0

在哪里写代码? – kamaci 2011-11-11 12:26:45

+3

你可以在任何你喜欢的地方写下它,因为它在SSLContext类本身上进行静态调用。只要你在相同的类加载器上下文中调用它,并且在第一个HttpClient调用之前,那么你应该很好。 – 2011-12-06 15:47:57

+0

可以肯定的是:如上所述更改SSLContext的TrustManager不是一个持久行为,对吧?所以每次启动应用程序时都需要完成。 – ptikobj 2014-03-27 08:30:48

相关问题

 相关问题