使用SSLSocketFactory绕过证书验证

时间:2016-07-18 21:00:29

标签: java ssl ssl-certificate jax-ws

我正在构建一个客户端应用程序,它将通过soap消息连接到第三方服务器。我正在使用在JBoss 4.2.3上运行的jax-ws 2.1.9和jdk 1.6_18。

问题本身是服务器(仅为测试目的而配置)返回过期的证书,因此,我的应用程序正在抛出以下异常。

13:43:26,738 ERROR [STDERR] Caused by: javax.xml.ws.WebServiceException: java.io.IOException: Could not transmit message
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.handleRemoteException(ClientImpl.java:404)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:314)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:172)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:152)
13:43:26,739 ERROR [STDERR]     at $Proxy724.solicitarBaixaOperation(Unknown Source)
13:43:26,740 ERROR [STDERR]     at com.totvs.foundation.exchange.connector.ptu.implementation.v70_batch.InvoiceWriteOffConnector.process(InvoiceWriteOffConnector.java:91)
13:43:26,740 ERROR [STDERR]     ... 98 more
13:43:26,740 ERROR [STDERR] Caused by: java.io.IOException: Could not transmit message
13:43:26,740 ERROR [STDERR]     at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:255)
13:43:26,740 ERROR [STDERR]     at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:73)
13:43:26,741 ERROR [STDERR]     at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:339)
13:43:26,741 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:302)
13:43:26,741 ERROR [STDERR]     ... 102 more
13:43:26,741 ERROR [STDERR] Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker. java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014.
13:43:26,741 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:348)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:137)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:122)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.Client.invoke(Client.java:1634)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.Client.invoke(Client.java:548)
13:43:26,742 ERROR [STDERR]     at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:233)
13:43:26,743 ERROR [STDERR]     ... 105 more
13:43:26,743 ERROR [STDERR] Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014
13:43:26,743 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
13:43:26,743 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
13:43:26,746 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:277)
13:43:26,747 ERROR [STDERR]     ... 110 more
13:43:26,747 ERROR [STDERR] Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014
13:43:26,747 ERROR [STDERR]     at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
13:43:26,747 ERROR [STDERR]     at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570)
13:43:26,747 ERROR [STDERR]     at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:134)
13:43:26,748 ERROR [STDERR]     at sun.security.validator.Validator.validate(Validator.java:218)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
13:43:26,749 ERROR [STDERR]     ... 122 more

因此,出于测试目的,我试图绕过这些验证。我找到了一些博客和帖子,这些都引导我到下面的代码片段。

/**
Inner class for set a blind TrustManager
**/
public class BlindTrustManager implements X509TrustManager {
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
}

/*Get the port instance of the web service interface created by JAX-WS*/
SolicitarBaixaPortType port = InvoiceWriteOffWebService.getInstance(serviceName, wsdlLocation);

/*set the socket factory*/
SSLContext ctx = SSLContext.getInstance("TLSv1");
            ctx.init(null, new TrustManager[] { new BlindTrustManager() }, null);
            SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
            ((BindingProvider) port).getRequestContext().put(BindingProviderProperties.SSL_SOCKET_FACTORY, sslSocketFactory);
((BindingProvider) port).getRequestContext().put(com.sun.xml.internal.ws.client.BindingProviderProperties.SSL_SOCKET_FACTORY, sslSocketFactory);

/*message is the Object Jax generated*/
response = port.solicitarBaixaOperation(message);

虽然我设置了 SSLSocketFactory CertificateExpiredException 仍在抛出。所以它提出了以下问题:

  1. 我做得对吗?
  2. 如何确定连接是否可以看到我的 BlindTrustManager 类?因为我在日志中看不到任何提及它。
  3. 如何确定我需要传递给 BindingProvider 请求上下文的正确字符串,以便找到我的 SSLSocketFactory
  4. 我必须在JBoss中做一些其他配置吗?

    5. 由于

1 个答案:

答案 0 :(得分:0)

这是一个猜测,因为我不熟悉框架,但如果jboss使用url.openConnection(),那么我认为你需要设置JVM范围的默认值

javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);

n.b。这可能会产生更广泛的影响,如果可行,您可以将此证书专门列入白名单。

相关问题
最新问题