SSLProtocolException:handshake alert:unrecognized_name:客户端代码解决方法?

时间:2014-05-26 13:07:53

标签: java apache-httpclient-4.x sni

在自定义HTTP客户端检索XML数据时,我收到了unrecognized_name错误。不幸的是,类似问题的答案对我不起作用:

  • 我无法通过系统属性关闭SNI支持,因为我的代码在应用服务器内部运行,我无法控制
  • 我无法修复Web服务服务器配置(添加ServerName)

现在,我的代码使用的是公共httpclient 3.1,但我对替代方案持开放态度。这是我现在正在使用的删节代码:

HttpClient client = new HttpClient();
PostMethod method = new PostMethod(getEndpointUrl());
NameValuePair[] data = {
    new NameValuePair("username", getUsername()),
    new NameValuePair("password", getPassword()),
    new NameValuePair("email", email)
};
method.setRequestBody(data);
client.executeMethod(method);
return method.getResponseBodyAsStream();

我看过HttpClient,似乎我可以实现类似于https://stackoverflow.com/a/14884941/3676401中提到的解决方法,但似乎是很多与安全相关的潜在代码。

我很讨厌将大量代码转储到一个简单的客户端。还有其他建议吗?

2 个答案:

答案 0 :(得分:3)

您正在连接到配置错误的SNI的服务器。如果您无法控制该服务器并且无法修复该服务器,则必须禁用SNI。

1)如果您希望服务器在某个时刻得到修复,请使用运行时标志暂时禁用SNI,直到修复服务器。这样,您可以稍后删除此标志,甚至无需在修复服务器后重新编译。

java -Djsse.enableSNIExtension=false

2)如果您不希望修复服务器,请实施永久性解决方法,例如在应用程序中禁用SNI:

System.setProperty("jsse.enableSNIExtension", "false");

您链接的答案提到的解决方法最终会以更加繁琐的方式禁用SNI,因此除非您在应用程序的其他位置需要SNI,否则我将使用上述选项之一。

答案 1 :(得分:2)

所以这是我对该代码的尝试。我把它隐藏在我们可以在部署时调整的配置属性后面,所以希望我们可以在修复Web服务服务器配置后立即摆脱这个疣。

我没有检查此代码有任何安全隐患。我只使用我的应用程序对此进行了测试,它可能对您无效。其他JVM版本可能表现不同。如果您决定使用此代码,请不要对我负责!

更新2014-09-01 :不幸的是,此解决方法仅在您通过HTTPS代理连接到目标时才有效。如果你直接连接,你会得到一些不起眼的错误。

Caused by: java.net.SocketException: Unconnected sockets not implemented
  at javax.net.SocketFactory.createSocket(SocketFactory.java:125) ~[na:1.7.0_65]

由于我们的目标服务器已经修复了它的配置,我不再需要解决方法了。添加工作存根createSocket()方法要复杂得多,因为它需要在HTTPClients的SSLSocketFactory中完成。

import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;

/**
 * When a TLS client sends the Server Name Indication extension in the Client Hello, the server might reply with an
 * alert that it does not know this particular server name.  Usually, this means that the server is misconfigured,
 * or that you're using the wrong hostname.  But as long as the server does get you to the correct web service or
 * site, it's harmless.
 * <p/>
 * Oracle in it's wisdom has decided that the warning should be treated as an error.  This cannot be changed.  This
 * class overrides all createSocket calls so that the hostname (for TLS purposes) is blanked-out.  In the
 * implementation in 1.7.0_51-b13, this makes SSL not issue the SNI extension in the hello,
 * thereby not triggering the problematic response.
 * <p/>
 * To use this with Apache HttpComponents' HttpClient, you need to create a ConnectionManager that uses a
 * SchemeManager, which in turn uses a custom https SchemeHandler using this socket factory.
 *
 * <pre>
 *   {@code
 *   SchemeRegistry schemeRegistry = new SchemeRegistry();
 *   schemeRegistry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));
 *   if (disableServerNameIndication) {
 *       schemeRegistry.register(new Scheme("https", 443, new SSLSocketFactory(new NoSNISSLSocketFactory
 *           (sslcontext.getSocketFactory()),
 *           SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)));
 *   } else {
 *       schemeRegistry.register(new Scheme("https", 443, new SSLSocketFactory(sslcontext)));
 *   }
 *   defaultHttpClient = new DefaultHttpClient(new PoolingClientConnectionManager(schemeRegistry));}
 * </pre>
 */
public class NoSNISSLSocketFactory extends SSLSocketFactory {

  private final SSLSocketFactory sslSocketFactory;

  protected NoSNISSLSocketFactory(SSLSocketFactory socketFactory) {
    this.sslSocketFactory = socketFactory;
  }

  @Override
  public String[] getDefaultCipherSuites() {
    return sslSocketFactory.getDefaultCipherSuites();
  }

  @Override
  public String[] getSupportedCipherSuites() {
    return sslSocketFactory.getSupportedCipherSuites();
  }

  @Override
  public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
    return sslSocketFactory.createSocket(socket, "", port, autoClose);
  }

  @Override
  public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
    return createSocket(new Socket(host, port), host, port, true);
  }

  @Override
  public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException,
      UnknownHostException {
    return createSocket(new Socket(host, port, localHost, localPort), host, port, true);
  }

  @Override
  public Socket createSocket(InetAddress host, int port) throws IOException {
    return sslSocketFactory.createSocket(host, port);
  }

  @Override
  public Socket createSocket(InetAddress host, int port, InetAddress localHost, int localPort) throws IOException {
    return createSocket(new Socket(host, port, localHost, localPort), host.getHostName(), port, true);
  }
}
相关问题
最新问题