CertificateException with async-http-client over https

Time: 2014-01-08 06:11:08

Tags: java ssl asynchttpclient

A few days ago I started running into problems using async-http-client to access https://ws.plimus.com/. I get a "General SSLEngine problem" message, and in the stack trace I can see it is caused by

java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

This SO question describes basically the same thing. Commenting out the line in java.security makes the error go away, but I assume MD2 was disabled for a good reason.

Using the hint from Raman's answer, I found that the async-http-client library does indeed use the X509TrustManager interface, but there isn't much I can do to change that.

Running this:

openssl s_client -showcerts -connect ws.plimus.com:443 | grep -i md2

finds nothing, so I don't even know which certificate is causing the problem.

Apart from the workaround, is there anything I can do?

I put demo code reproducing the problem on github.

1 answer:

Answer 0 (score: 3)

The server you mention does indeed use the md2WithRSAEncryption algorithm, with the same Verisign Class 3 certificate I described in my other answer:

openssl s_client -showcerts -no_ign_eof -connect ws.plimus.com:443
CONNECTED(00000003)
... [ stripped ] ...
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Then convert that certificate to text format:

openssl x509 -text -noout < cert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
    Signature Algorithm: md2WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  1 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
... [ stripped ] ...

Reading the async-http-client javadocs carefully, it looks like you can call setSSLContext when building an instance of AsyncHttpClientConfig:

https://github.com/AsyncHttpClient/async-http-client/blob/master/api/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java#L841

So you can create your own SSLContext with an X509ExtendedTrustManager and configure the async http client library to use it instead of its internal default. That should solve your problem!

Here is a Gist containing the SSL test code I used to debug this issue. You can easily extract what you need to create your own SSLContext from it: https://gist.github.com/rocketraman/8312705
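As an added example (not the gist's code and not part of async-http-client), the approach the answer points at, written so that the MD2 problem is addressed without weakening validation: the JDK's default PKIX trust manager is wrapped, and the only change is that a trailing certificate which is already one of the JRE's own trust anchors is dropped from the chain before delegation. The anchor's MD2 self-signature is therefore never evaluated, while every other certificate in the chain (and the chain's link to the anchor in cacerts) is still fully checked. It assumes the server sends the root as the last certificate, as the s_client output above shows, and that the Builder's setSSLContext takes the resulting javax.net.ssl.SSLContext.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

public final class AnchorTrimmingTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;   // the JDK's default PKIX trust manager
    private final Set<X509Certificate> anchors;         // trust anchors loaded from cacerts

    private AnchorTrimmingTrustManager(X509ExtendedTrustManager delegate) {
        this.delegate = delegate;
        this.anchors = new HashSet<>(Arrays.asList(delegate.getAcceptedIssuers()));
    }

    // Builds the SSLContext to hand to AsyncHttpClientConfig.Builder#setSSLContext (assumed API, see answer).
    public static SSLContext newSslContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JRE's default trust store (cacerts)
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, new TrustManager[] { new AnchorTrimmingTrustManager((X509ExtendedTrustManager) tm) }, null);
                return ctx;
            }
        }
        throw new IllegalStateException("no X509ExtendedTrustManager in the default provider");
    }

    // Drop the last cert only if it is already a trust anchor: its self-signature (MD2 here) carries no trust,
    // the trust comes from its presence in cacerts. Any other chain is passed through unchanged and validated as usual.
    X509Certificate[] trim(X509Certificate[] chain) {
        int n = chain.length;
        return (n > 1 && anchors.contains(chain[n - 1])) ? Arrays.copyOf(chain, n - 1) : chain;
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkServerTrusted(trim(c), a, e); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkServerTrusted(trim(c), a, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkServerTrusted(trim(c), a); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkClientTrusted(c, a, e); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Because the SSLEngine overloads are delegated, hostname verification (endpoint identification) configured on the engine keeps working; a chain whose last certificate is not in cacerts is never trimmed and fails exactly as it would with the default trust manager.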