我需要创建一个javax.net.ssl.SSLSocketFactory来建立TLS连接但忽略服务器证书的验证。不适用于HTTP协议。我知道这不是正确的事,但我需要它。我不想要或不喜欢它。
我做了一个有效的实现,但验证服务器证书(正如它所设想的那样)实现如下:
/**
* Provide a quick method to construct a SSLSocketFactory which is a TCP socket using TLS/SSL
* @param trustStore location of the trust store
* @param keyStore location of the key store
* @param trustStorePassword password to access the trust store
* @param keyStorePassword password to access the key store
* @return the SSLSocketFactory to create secure sockets with the provided certificates infrastructure
* @exception java.lang.Exception in case of something wrong happens
* */
static public SSLSocketFactory getSocketFactory ( final String trustStore, final String keyStore, final String trustStorePassword, final String keyStorePassword) throws Exception
{
// todo check if the CA needs or can use the password
final FileInputStream trustStoreStream = new FileInputStream(trustStore);
final FileInputStream keyStoreStream = new FileInputStream(keyStore);
// CA certificate is used to authenticate server
final KeyStore caKs = KeyStore.getInstance("JKS");
caKs.load(trustStoreStream, trustStorePassword.toCharArray());
final TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
tmf.init(caKs);
trustStoreStream.close();
// client key and certificates are sent to server so it can authenticate us
final KeyStore ks = KeyStore.getInstance("JKS");
ks.load(keyStoreStream, keyStorePassword.toCharArray());
final KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
kmf.init(ks, keyStorePassword.toCharArray());
keyStoreStream.close();
// finally, create SSL socket factory
final SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
return context.getSocketFactory();
}
答案 0 :(得分:0)
我使用hack来阻止证书的验证,但它会为每个SSL连接执行此操作:
公共类SSLHack { private static final Logger LOG = Logger.getLogger(SSLHack.class);
public static void disableSslVerification() {
try {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs,
String authType) {
}
public void checkServerTrusted(X509Certificate[] certs,
String authType) {
}
} };
// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection
.setDefaultSSLSocketFactory(sc.getSocketFactory());
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
} catch (NoSuchAlgorithmException e) {
LOG.error(e.getMessage(), e);
} catch (KeyManagementException e) {
LOG.error(e.getMessage(), e);
}
}
答案 1 :(得分:0)
解决方案是创建一个虚拟 def matchLine(path, line_number, text):
"""
path = used for defining the file to be checked
line_number = used to identify the line that will be checked
text = string containing the text to match
"""
file = open(path)
line_file = file.readline()
line_file = line_file.rstrip()
line_no = 1
while line_file != "":
if line_no == line_number:
if line_file == text:
return True
else:
return False
line_no = line_no+1
line_file = file.readline()
line_file = line_file.rstrip()类,它基本上接受所有服务器证书而不进行检查。
然后创建一个实例并将其作为X509TrustManager调用中的第二个参数传递。
但严重的是,这是一个坏主意。如果您不打算检查CERT,那么使用SSL是没有意义的,或者更糟 1 。
1 - 这是我的理论。您的安全人员告诉您,在不安全的通道上使用MTTQ是危险的。或者他们已经阻止了端口1883.但是你有一个MTTQ / SSL服务器,你不能为获得适当的CERT而烦恼。所以你只是想把“工作”的东西放在一起。你猜怎么着。如果告诉你使用SSL的人发现了,他们会have your guts for garters!如果你因为这个原因不这样做,那么......好吧......你所做的事情毫无意义。即使是自签名服务器CERT也比这更好。您只需将其作为受信任的证书添加到客户端密钥库中。