我目前正在使用Apache HttpClient向我的应用程序添加https下载功能,特别是版本4.2.3。
如果证书验证失败,我想抓住服务器证书链。被抛出的异常SSLPeerUnverifiedException
没有提供任何信息的字段。
try {
HttpResponse response = client.execute(get);
} catch (SSLPeerUnverifiedException e) {
// retrieve server certificate here
}
有一种方法是将TrustManager
(以捕获证书)注入SSLContext
并为每个SSLContext
,SSLSocketFactory
和HttpClient
重新创建请求。但是,我希望能够将这些实例重用于多个可能的并行请求。
答案 0 :(得分:1)
我在这个例子中使用了HC 4.3,但是对于HC 4.2应该使用完全相同的方式,尽管我建议升级
public static void main(final String[] args) throws Exception {
TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmfactory.init((KeyStore) null);
TrustManager[] tms = tmfactory.getTrustManagers();
if (tms != null) {
for (int i = 0; i < tms.length; i++) {
final TrustManager tm = tms[i];
if (tm instanceof X509TrustManager) {
tms[i] = new TrustManagerDelegate((X509TrustManager) tm);
}
}
}
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tms, null);
CloseableHttpClient httpClient = HttpClients.custom()
.setSslcontext(sslContext)
.build();
try {
CloseableHttpResponse response = httpClient.execute(new HttpGet("https://google.com/"));
try {
// do something usefull
} finally {
response.close();
}
} catch (SSLException ex) {
Throwable cause = ex.getCause();
if (cause instanceof MyCertificateException) {
X509Certificate[] chain = ((MyCertificateException) cause).getChain();
for (X509Certificate cert: chain) {
System.out.println(cert);
}
}
}
}
static class TrustManagerDelegate implements X509TrustManager {
private final X509TrustManager trustManager;
TrustManagerDelegate(final X509TrustManager trustManager) {
super();
this.trustManager = trustManager;
}
@Override
public void checkClientTrusted(
final X509Certificate[] chain, final String authType) throws CertificateException {
this.trustManager.checkClientTrusted(chain, authType);
}
@Override
public void checkServerTrusted(
final X509Certificate[] chain, final String authType) throws CertificateException {
try {
this.trustManager.checkServerTrusted(chain, authType);
} catch (CertificateException ex) {
throw new MyCertificateException(chain, ex);
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return this.trustManager.getAcceptedIssuers();
}
}
static class MyCertificateException extends CertificateException {
private final X509Certificate[] chain;
MyCertificateException(final X509Certificate[] chain, final CertificateException ex) {
super(ex);
this.chain = chain;
}
public X509Certificate[] getChain() {
return chain;
}
}