我使用httpclient 4.5.6库用Java开发了一个小代码:
public class httpclient_test1_valid {
public static void main(String[] args) {
try {
System.setProperty("javax.net.debug", "all");
CloseableHttpClient httpClient = HttpClients.createDefault();
String urlOverHttps = "https://certpath_test_host";
HttpGet getMethod = new HttpGet(urlOverHttps);
HttpResponse response = httpClient.execute(getMethod);
System.out.println("Response Code : "
+ response.getStatusLine().getStatusCode());
} catch(IOException ex){
System.out.println("getmessage");
System.out.println(ex.getMessage());
System.out.println(" ");
System.out.println("toString");
System.out.println(ex.toString());
}
}
}
我希望默认信任策略将不接受certpath_test_host服务器的证书,因为这些证书不受信任/不是由我的默认信任库中的CA签名的,但是此代码的工作方式如您在下面的调试日志中所见(带有httpsurlconnection库,我也有相同的行为)
我尝试了各种代码来确保https连接的安全,但是我无法找到检查服务器证书有效性的方法
这是我的环境:
openjdk version "11" 2018-09-25
OpenJDK Runtime Environment (build 11+28-suse-2.1-x8664)
OpenJDK 64-Bit Server VM (build 11+28-suse-2.1-x8664, mixed mode)
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:06.933 CET|SSLCipher.java:437|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|WARNING|01|main|2018-11-07 13:26:08.054 CET|ServerNameExtension.java:255|Unable to indicate server name
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.060 CET|SSLExtensions.java:235|Ignore, context unavailable extension: server_name
javax.net.ssl|WARNING|01|main|2018-11-07 13:26:08.104 CET|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2018-11-07 13:26:08.107 CET|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|INFO|01|main|2018-11-07 13:26:08.154 CET|AlpnExtension.java:161|No available application protocols
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.156 CET|SSLExtensions.java:235|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.161 CET|SSLExtensions.java:235|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.184 CET|SSLExtensions.java:235|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.196 CET|PreSharedKeyExtension.java:606|No session to resume.
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.198 CET|SSLExtensions.java:235|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.246 CET|ClientHello.java:633|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" : "0E 1A 28 77 57 D3 BC E9 38 66 A2 D7 1D AB 6E 33 20 28 3A 8F 11 40 35 1F 0A 22 17 CB 1F A9 DA 98",
"session id" : "D8 DE AD 35 9B EA 60 83 C6 BF E0 D5 30 B3 A5 0C 8D B0 DB 00 EE 26 90 2E 0F E9 36 B2 59 71 42 3F",
"cipher suites" : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(0xC02E), TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(0xC032), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(0xC02D), TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(0xC031), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(0xC026), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(0xC02A), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(0xC025), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(0xC029), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id":
"request extensions": {
}
}
},
"supported_groups (10)": {
"versions": [secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id":
"request extensions": {
}
}
}
},
"extended_master_secret (23)": {
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"key_share (51)": {
"client_shares": [
{
"named group": secp256r1
"key_exchange": {
0000: 04 4E D5 4F B7 3D F9 50 68 F5 D2 07 AE 4A 67 D3 .N.O.=.Ph....Jg.
0010: 52 5A 91 24 1A 66 E7 4F 50 EC BD DE 19 C1 48 C0 RZ.$.f.OP.....H.
0020: F5 68 63 BF A0 EC 8A C7 E0 FF F6 85 CF B5 0F A1 .hc.............
0030: FE A3 C5 47 0E 2F 9A 74 A3 FC E8 80 FF 36 3C C9 ...G./.t.....6
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"extended_master_secret (23)": {
},
"renegotiation_info (65,281)": {
"renegotiated connection": []
}
]
}
)
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.263 CET|SSLExtensions.java:148|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.264 CET|ServerHello.java:962|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.274 CET|SSLExtensions.java:167|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.277 CET|SSLExtensions.java:148|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.278 CET|SSLExtensions.java:148|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.280 CET|SSLExtensions.java:167|Consumed extension: status_request
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.288 CET|SSLExtensions.java:167|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.290 CET|SSLExtensions.java:148|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.293 CET|SSLExtensions.java:167|Consumed extension: extended_master_secret
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.297 CET|SSLExtensions.java:138|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.302 CET|SSLExtensions.java:138|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.303 CET|SSLExtensions.java:167|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.303 CET|SSLExtensions.java:138|Ignore unsupported extension: pre_shared_key
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.306 CET|SSLExtensions.java:182|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.306 CET|SSLExtensions.java:182|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|01|main|2018-11-07 13:26:08.307 CET|SSLExtensions.java:190|Ignore impact of unsupported extension: status_request
javax.net.ssl|WARNING|01|main|2018-11-07 13:26:08.309 CET|SSLExtensions.java:190|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.309 CET|SSLExtensions.java:182|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.310 CET|SSLExtensions.java:182|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|01|main|2018-11-07 13:26:08.318 CET|SSLExtensions.java:190|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.318 CET|SSLExtensions.java:182|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.318 CET|SSLExtensions.java:182|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|01|main|2018-11-07 13:26:08.325 CET|SSLExtensions.java:190|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.326 CET|SSLExtensions.java:182|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.365 CET|CertificateMessage.java:358|Consuming server Certificate handshake message (
"Certificates": [
"certificate" : {
"version" : "v3",
"serial number" : "27 11",
"signature algorithm": "SHA256withRSA",
"issuer" : "C=DE, CN=Test Sub CA",
"not before" : "2018-10-31 03:53:22.000 CET",
"not after" : "2019-10-31 11:53:22.000 CET",
"subject" : "C=DE, CN=Test EE",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: E9 EA 89 DC 37 33 9C AE BF 94 6A 14 4C E7 DC C2 ....73....j.L...
0010: 87 81 41 70 ..Ap
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen:2147483647
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
]
},
{
ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: certpath_test_host
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 26 D9 1B 50 2B 72 2E F5 08 EB 32 D1 88 A7 95 #&..P+r....2....
0010: 03 EC C8 06 ....
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "02",
"signature algorithm": "SHA256withRSA",
"issuer" : "C=DE, CN=Test Root",
"not before" : "2018-10-30 11:53:20.000 CET",
"not after" : "2021-10-31 11:53:20.000 CET",
"subject" : "C=DE, CN=Test Sub CA",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: EA A4 43 78 D9 2A 1E 05 C1 F8 C1 A7 70 EC 21 9D ..Cx.*......p.!.
0010: 15 BE FA A9 ....
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E9 EA 89 DC 37 33 9C AE BF 94 6A 14 4C E7 DC C2 ....73....j.L...
0010: 87 81 41 70 ..Ap
]
]
}
]},
"certificate" : {
"version" : "v3",
"serial number" : "01",
"signature algorithm": "SHA256withRSA",
"issuer" : "C=DE, CN=Test Root",
"not before" : "2018-10-28 11:53:19.000 CET",
"not after" : "2023-10-31 11:53:19.000 CET",
"subject" : "C=DE, CN=Test Root",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: EA A4 43 78 D9 2A 1E 05 C1 F8 C1 A7 70 EC 21 9D ..Cx.*......p.!.
0010: 15 BE FA A9 ....
]
]
},
{
ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:1
]
},
{
ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
},
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EA A4 43 78 D9 2A 1E 05 C1 F8 C1 A7 70 EC 21 9D ..Cx.*......p.!.
0010: 15 BE FA A9 ....
]
]
}
]}
]
)
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.405 CET|ECDHServerKeyExchange.java:538|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
"parameters": {
"named group": "secp256r1"
"ecdh public": {
0000: 04 9F 15 06 EF 4B C6 16 6E 9A 08 DE BB 1E 23 00 .....K..n.....#.
0010: 39 97 57 00 49 9D EF 11 40 02 65 17 4D E5 1C A9 9.W.I...@.e.M...
0020: 0D 9B 39 32 FE 45 3E 5D 00 F6 37 A6 15 72 48 6B ..92.E>]..7..rHk
0030: 3B 76 8B B9 2C 3F 8D A2 17 74 0B 6A E8 C2 36 82 ;v..,?...t.j..6.
0040: 78 x
},
},
"digital signature": {
"signature algorithm": "rsa_pkcs1_sha512"
"signature": {
0000: 18 1B 09 6B 68 00 85 84 38 C8 DA DA 80 A5 89 64 ...kh...8......d
0010: 6F 4E D8 2F 83 F3 07 0E EB 01 59 A8 7F B4 6D B8 oN./......Y...m.
0020: F7 E0 ED F0 4F 3F 1B C1 BD AF 3D 8D EB C5 51 EA ....O?....=...Q.
0030: E9 BF 9D A8 EA 88 10 B9 7E 46 F3 A5 B3 0C F0 DF .........F......
0040: 43 1B E0 09 71 21 85 35 94 46 E0 DB 51 21 9D 6C C...q!.5.F..Q!.l
0050: 63 BE 38 50 9D 3D 39 70 06 76 B7 3E 91 3D E2 F7 c.8P.=9p.v.>.=..
0060: C5 9D 3B 4D D9 95 7E F6 E5 BC DB 33 11 FD 73 12 ..;M.......3..s.
0070: 61 01 A8 BF 48 50 F7 10 A3 DA 44 B4 79 D4 2E 38 a...HP....D.y..8
0080: 1D D5 8D 0B B4 C3 BB 22 7F 4F D4 8C 95 47 0D 73 .......".O...G.s
0090: DF DC 1D A6 A9 A0 C9 B9 25 AB C1 85 F1 A2 BC 3B ........%......;
00A0: C8 25 95 2B 4D 49 51 69 59 9D 67 08 A0 DE 1E 62 .%.+MIQiY.g....b
00B0: D8 BD 1B 45 85 80 15 A5 48 C2 8F C4 94 34 9A D3 ...E....H....4..
00C0: 1B F6 F1 87 E3 73 9C 40 E1 63 75 5A F4 96 DA BC .....s.@.cuZ....
00D0: 58 6B 50 F8 FF 9F D0 BA BF 9E F5 83 F6 29 40 54 XkP..........)@T
00E0: 52 B2 69 9B 36 AF F0 E5 E0 D9 C5 F3 A4 5B A3 37 R.i.6........[.7
00F0: 68 4A 5E AE FA 43 3D A7 89 9C 05 61 BA 43 81 B6 hJ^..C=....a.C..
},
}
}
)
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.408 CET|ServerHelloDone.java:142|Consuming ServerHelloDone handshake message (
)
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.422 CET|ECDHClientKeyExchange.java:401|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
"ecdh public": {
0000: 04 C6 56 99 7A 72 0A 64 37 08 6F 17 D9 69 97 95 ..V.zr.d7.o..i..
0010: 06 CA 49 A9 F8 49 23 A0 B0 38 08 CC 70 93 F0 54 ..I..I#..8..p..T
0020: 24 C0 ED BA 3A F7 B6 0C F1 DA 5F 50 8F 4F 6A 81 $...:....._P.Oj.
0030: 92 6B 2C 19 03 B7 79 B1 A9 B4 C7 A2 93 94 07 A7 .k,...y.........
0040: DB .
},
}
)
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.463 CET|ChangeCipherSpec.java:109|Produced ChangeCipherSpec message
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.464 CET|Finished.java:395|Produced client Finished handshake message (
"Finished": {
"verify data": {
0000: D5 ED 3D FD 5C 1A C9 37 BE 5F 1A 35
}'}
)
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.482 CET|ChangeCipherSpec.java:143|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|01|main|2018-11-07 13:26:08.487 CET|Finished.java:532|Consuming server Finished handshake message (
"Finished": {
"verify data": {
0000: 76 D5 B8 AD 40 F7 EA A1 6A 4B F0 0A
}'}
)