我正在尝试编写一个使用javax.mail API发送邮件的SSL客户端.我遇到的问题是服务器请求我使用SSL,但服务器也配置了非标准的SSL证书.我发现的网页说我需要将证书安装到信任库中.我不想这样做(我没有必要的权限.)
有没有办法让Java忽略证书错误并接受它?
如果失败了,有没有办法让信任存储对我的程序来说是本地的,而不是为整个JVM安装?
so_mv.. 31
#1的工作代码(在jdk1.6.0_23中).
进口
import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import java.security.cert.X509Certificate;
实际信任所有TrustManager代码.
TrustManager trm = new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] { trm }, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
如果主机名与证书不匹配,也可能需要这样做:HostnameVerifier nullVerifier = new HostnameVerifier(){@ Overver public boolean verify(String hostname,SSLSession session){return true; }}; HttpsURLConnection.setDefaultHostnameVerifier(nullVerifier); (5认同)
Zed.. 18
您需要创建一个接受所有证书的假TrustManager,并将其注册为管理器.像这样的东西:
public class MyManager implements com.sun.net.ssl.X509TrustManager {
public boolean isClientTrusted(X509Certificate[] chain) { return true; }
public boolean isHostTrusted(X509Certificate[] chain) { return true; }
...
}
com.sun.net.ssl.TrustManager[] managers =
new com.sun.net.ssl.TrustManager[] {new MyManager()};
com.sun.net.ssl.SSLContext.getInstance("SSL").
.init(null, managers, new SecureRandom());
所有这一切都应该使用JSSE公共API完成,而不是调整隐藏的`com.sun.*`类.(见so_mv答案.) (8认同)
H Marcelo Mo.. 7
试试这个(回答问题2):
System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore");
您还可以将其指定为附加命令行参数:
java -Djavax.net.ssl.trustStore=/path/to/truststore
在Fedora上,这可能是系统范围的Java信任存储 /etc/pki/java/cacerts
#1的工作代码(在jdk1.6.0_23中).
进口
import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import java.security.cert.X509Certificate;
实际信任所有TrustManager代码.
TrustManager trm = new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, new TrustManager[] { trm }, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
您需要创建一个接受所有证书的假TrustManager,并将其注册为管理器.像这样的东西:
public class MyManager implements com.sun.net.ssl.X509TrustManager {
public boolean isClientTrusted(X509Certificate[] chain) { return true; }
public boolean isHostTrusted(X509Certificate[] chain) { return true; }
...
}
com.sun.net.ssl.TrustManager[] managers =
new com.sun.net.ssl.TrustManager[] {new MyManager()};
com.sun.net.ssl.SSLContext.getInstance("SSL").
.init(null, managers, new SecureRandom());
试试这个(回答问题2):
System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore");
您还可以将其指定为附加命令行参数:
java -Djavax.net.ssl.trustStore=/path/to/truststore
在Fedora上,这可能是系统范围的Java信任存储 /etc/pki/java/cacerts
京公网安备 11010802040832号 | 京ICP备19059560号-6 