我有一个实用程序SSLSocketFactory类,基本上允许你切换,如果你想要信任所有证书和/或由于JDK错误而转向Deffie Hellman。我最近添加了提供自己的SSLSocketFactory的选项,但似乎忘记了一些东西
只需在创建套接字时添加一些代码,即可在工厂中轻松禁用Diffie Hellman。但是,为了信任所有证书,我用不同的
替换工厂 public UtilSSLSocketFactory trustAllCertificates() {
if (trustingAllCertificates)
//Already doing this, no need to do it again
return this;
trustingAllCertificates = true;
try {
TrustManager[] tm = new TrustManager[]{new TrustingX509TrustManager()};
SSLContext context = SSLContext.getInstance("SSL");
context.init(new KeyManager[0], tm, new SecureRandom());
wrappedFactory = (SSLSocketFactory) context.getSocketFactory();
} catch (Exception e) {
throw new RuntimeException("Can't recreate socket factory that trusts all certificates", e);
}
return this;
}
有没有办法告诉任意SSLSocketFactory信任所有证书而不替换它?
答案 0 :(得分:4)
除了盲目地信任所有证书通常是一个坏主意(如果你想使用SSL / TLS来保证通信),你使用的模式似乎很奇怪。
SSLContext是SSLSocketFactory的工厂,后者又是SSLSocket的工厂。
如果需要,您可以使用SSLContext设置默认SSLContext.setDefault(...)(从Java 6开始):这将影响默认SSLSocketFactory,但可能不会更具体。{/ p >
您无法更改现有SSLContext实例使用的SSLSocketFactory。
除非你现有的SSLSocketFactory与默认实现与特定设置不同(例如,在返回之前你会在创建的套接字上进行调整),你尝试做的事情似乎并没有在这里符合预期的设计模式。
答案 1 :(得分:2)
任意SSLSocketFactory信任所有证书而不用 替换它
没有。您拥有来设置自己的自定义“信任所有证书”管理器,否则将使用默认的“咨询”JDK安装中的cacerts的java默认信任库。
但从安全角度来看,如果您没有服务器身份验证,那么您可以使用普通TCP并避免SSL开销,因为您实际上并没有任何安全性。
答案 2 :(得分:-1)
尝试此代码....它是一个有效的代码,在您的代码中使用此类
HttpClient client = MySSLSocketFactory.getNewHttpClient();
这是代码
import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.HttpVersion;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
import org.apache.http.params.HttpProtocolParams;
import org.apache.http.protocol.HTTP;
public class MySSLSocketFactory extends SSLSocketFactory {
SSLContext sslContext = SSLContext.getInstance("TLS");
public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
super(truststore);
TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
sslContext.init(null, new TrustManager[] { tm }, null);
}
@Override
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
}
@Override
public Socket createSocket() throws IOException {
return sslContext.getSocketFactory().createSocket();
}
public static HttpClient getNewHttpClient() {
try {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);
SSLSocketFactory sf = new MySSLSocketFactory(trustStore);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
HttpParams params = new BasicHttpParams();
HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
registry.register(new Scheme("https", sf, 443));
ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);
return new DefaultHttpClient(ccm, params);
} catch (Exception e) {
return new DefaultHttpClient();
}
}
}