使用HttpClient 4.2从失败的连接尝试中获取服务器证书

时间:2015-01-20 18:12:06

标签: java ssl certificate httpclient apache-httpclient-4.x

我目前正在使用Apache HttpClient向我的应用程序添加https下载功能,特别是版本4.2.3。

如果证书验证失败,我想抓住服务器证书链。被抛出的异常SSLPeerUnverifiedException没有提供任何信息的字段。

try {
    HttpResponse response = client.execute(get);
} catch (SSLPeerUnverifiedException e) {
    // retrieve server certificate here
}

有一种方法是将TrustManager(以捕获证书)注入SSLContext并为每个SSLContextSSLSocketFactoryHttpClient重新创建请求。但是,我希望能够将这些实例重用于多个可能的并行请求。

1 个答案:

答案 0 :(得分:1)

我在这个例子中使用了HC 4.3,但是对于HC 4.2应该使用完全相同的方式,尽管我建议升级

public static void main(final String[] args) throws Exception {

    TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmfactory.init((KeyStore) null);
    TrustManager[] tms = tmfactory.getTrustManagers();
    if (tms != null) {
        for (int i = 0; i < tms.length; i++) {
            final TrustManager tm = tms[i];
            if (tm instanceof X509TrustManager) {
                tms[i] = new TrustManagerDelegate((X509TrustManager) tm);
            }
        }
    }
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, tms, null);

    CloseableHttpClient httpClient = HttpClients.custom()
            .setSslcontext(sslContext)
            .build();
    try {
        CloseableHttpResponse response = httpClient.execute(new HttpGet("https://google.com/"));
        try {
            // do something usefull
        } finally {
            response.close();
        }
    } catch (SSLException ex) {
        Throwable cause = ex.getCause();
        if (cause instanceof MyCertificateException) {
            X509Certificate[] chain = ((MyCertificateException) cause).getChain();
            for (X509Certificate cert: chain) {
                System.out.println(cert);
            }
        }
    }
}

static class TrustManagerDelegate implements X509TrustManager {

    private final X509TrustManager trustManager;

    TrustManagerDelegate(final X509TrustManager trustManager) {
        super();
        this.trustManager = trustManager;
    }

    @Override
    public void checkClientTrusted(
            final X509Certificate[] chain, final String authType) throws CertificateException {
        this.trustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(
            final X509Certificate[] chain, final String authType) throws CertificateException {
        try {
            this.trustManager.checkServerTrusted(chain, authType);
        } catch (CertificateException ex) {
            throw new MyCertificateException(chain, ex);
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustManager.getAcceptedIssuers();
    }

}

static class MyCertificateException extends CertificateException {

    private final X509Certificate[] chain;

    MyCertificateException(final X509Certificate[] chain, final CertificateException ex) {
        super(ex);
        this.chain = chain;
    }

    public X509Certificate[] getChain() {
        return chain;
    }

}