Trusting all certificates using HttpClient over HTTPS

后端 未结 21 2290
北恋
北恋 2020-11-21 04:50

Recently posted a question regarding the HttpClient over Https (found here). I\'ve made some headway, but I\'ve run into new issues. As with my last problem, I

相关标签:
21条回答
  • 2020-11-21 05:22

    Here is a much simple version using 4.1.2 httpclient code. This can then be modified to any trust algorithm you see fit.

    public static HttpClient getTestHttpClient() {
        try {
            SSLSocketFactory sf = new SSLSocketFactory(new TrustStrategy(){
                @Override
                public boolean isTrusted(X509Certificate[] chain,
                        String authType) throws CertificateException {
                    return true;
                }
            });
            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("https", 443, sf));
            ClientConnectionManager ccm = new ThreadSafeClientConnManager(registry);
            return new DefaultHttpClient(ccm);
        } catch (Exception e) {
            return new DefaultHttpClient();
        }
    }
    
    0 讨论(0)
  • 2020-11-21 05:24

    This is a bad idea. Trusting any certificate is only (very) slightly better than using no SSL at all. When you say "I want my client to accept any certificate (because I'm only ever pointing to one server)" you are assuming this means that somehow pointing to "one server" is safe, which it's not on a public network.

    You are completely open to a man-in-the-middle attack by trusting any certificate. Anyone can proxy your connection by establishing a separate SSL connection with you and with the end server. The MITM then has access to your entire request and response. Unless you didn't really need SSL in the first place (your message has nothing sensitive, and doesn't do authentication) you shouldn't trust all certificates blindly.

    You should consider adding the public cert to a jks using keytool, and using that to build your socket factory, such as this:

        KeyStore ks = KeyStore.getInstance("JKS");
    
        // get user password and file input stream
        char[] password = ("mykspassword")).toCharArray();
        ClassLoader cl = this.getClass().getClassLoader();
        InputStream stream = cl.getResourceAsStream("myjks.jks");
        ks.load(stream, password);
        stream.close();
    
        SSLContext sc = SSLContext.getInstance("TLS");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    
        kmf.init(ks, password);
        tmf.init(ks);
    
        sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null);
    
        return sc.getSocketFactory();
    

    This has one caveat to watch out for. The certificate will expire eventually, and the code will stop working at that time. You can easily determine when this will happen by looking at the cert.

    0 讨论(0)
  • 2020-11-21 05:25

    For those who would like to allow all certificates to work (for testing purposes) over OAuth, follow these steps:

    1) Download the source code of the Android OAuth API here: https://github.com/kaeppler/signpost

    2) Find the file "CommonsHttpOAuthProvider" class

    3) Change it as below:

    public class CommonsHttpOAuthProvider extends AbstractOAuthProvider {
    
    private static final long serialVersionUID = 1L;
    
    private transient HttpClient httpClient;
    
    public CommonsHttpOAuthProvider(String requestTokenEndpointUrl, String accessTokenEndpointUrl,
            String authorizationWebsiteUrl) {
        super(requestTokenEndpointUrl, accessTokenEndpointUrl, authorizationWebsiteUrl);
    
    
        //this.httpClient = new DefaultHttpClient();//Version implemented and that throws the famous "javax.net.ssl.SSLException: Not trusted server certificate" if the certificate is not signed with a CA
        this.httpClient = MySSLSocketFactory.getNewHttpClient();//This will work with all certificates (for testing purposes only)
    }
    

    The "MySSLSocketFactory" above is based on the accepted answer. To make it even easier, here goes the complete class:

    package com.netcomps.oauth_example;
    
    import java.io.IOException;
    import java.net.Socket;
    import java.net.UnknownHostException;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    
    import org.apache.http.HttpVersion;
    import org.apache.http.client.HttpClient;
    import org.apache.http.conn.ClientConnectionManager;
    import org.apache.http.conn.scheme.PlainSocketFactory;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
    import org.apache.http.params.BasicHttpParams;
    import org.apache.http.params.HttpParams;
    import org.apache.http.params.HttpProtocolParams;
    import org.apache.http.protocol.HTTP;
    
    //http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https
    public class MySSLSocketFactory extends SSLSocketFactory {
    
        SSLContext sslContext = SSLContext.getInstance("TLS");
    
    public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
    
        super(truststore);
        TrustManager tm = new X509TrustManager() {
    
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }
    
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }
    
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        };
    
        sslContext.init(null, new TrustManager[] { tm }, null);
    }
    
    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
        return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
    }
    
    @Override
    public Socket createSocket() throws IOException {
        return sslContext.getSocketFactory().createSocket();
    }
    
    
    
    public static HttpClient getNewHttpClient() {
    
        try {
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null, null);
    
            SSLSocketFactory sf = new MySSLSocketFactory(trustStore);
            sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    
            HttpParams params = new BasicHttpParams();
            HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
            HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);
    
            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
            registry.register(new Scheme("https", sf, 443));
    
            ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);
    
            return new DefaultHttpClient(ccm, params);
    
        } catch (Exception e) {
            return new DefaultHttpClient();
        }
    }
    

    }

    Hope this helps someone.

    0 讨论(0)
  • 2020-11-21 05:25

    There a many answers above but I wasn't able to get any of them working correctly (with my limited time), so for anyone else in the same situation you can try the code below which worked perfectly for my java testing purposes:

        public static HttpClient wrapClient(HttpClient base) {
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            X509TrustManager tm = new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
    
                public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
    
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
            };
            ctx.init(null, new TrustManager[]{tm}, null);
            SSLSocketFactory ssf = new SSLSocketFactory(ctx);
            ssf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            ClientConnectionManager ccm = base.getConnectionManager();
            SchemeRegistry sr = ccm.getSchemeRegistry();
            sr.register(new Scheme("https", ssf, 443));
            return new DefaultHttpClient(ccm, base.getParams());
        } catch (Exception ex) {
            return null;
        }
    }
    

    and call like:

    DefaultHttpClient baseClient = new DefaultHttpClient();
    HttpClient httpClient = wrapClient(baseClient );
    

    Reference: http://tech.chitgoks.com/2011/04/24/how-to-avoid-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated-problem-using-apache-httpclient/

    0 讨论(0)
  • 2020-11-21 05:26

    Add this code before the HttpsURLConnection and it will be done. I got it.

    private void trustEveryone() { 
        try { 
                HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier(){ 
                        public boolean verify(String hostname, SSLSession session) { 
                                return true; 
                        }}); 
                SSLContext context = SSLContext.getInstance("TLS"); 
                context.init(null, new X509TrustManager[]{new X509TrustManager(){ 
                        public void checkClientTrusted(X509Certificate[] chain, 
                                        String authType) throws CertificateException {} 
                        public void checkServerTrusted(X509Certificate[] chain, 
                                        String authType) throws CertificateException {} 
                        public X509Certificate[] getAcceptedIssuers() { 
                                return new X509Certificate[0]; 
                        }}}, new SecureRandom()); 
                HttpsURLConnection.setDefaultSSLSocketFactory( 
                                context.getSocketFactory()); 
        } catch (Exception e) { // should never happen 
                e.printStackTrace(); 
        } 
    } 
    

    I hope this helps you.

    0 讨论(0)
  • 2020-11-21 05:28

    The API of HttpComponents has got changed. It works with the code below.

    public static HttpClient getTestHttpClient() {
        try {
            SSLSocketFactory sf = new SSLSocketFactory(new TrustStrategy(){
                @Override
                public boolean isTrusted(X509Certificate[] chain,
                        String authType) throws CertificateException {
                    return true;
                }
            }, new AllowAllHostnameVerifier());
    
            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("https",8444, sf));
            ClientConnectionManager ccm = new ThreadSafeClientConnManager(registry);
            return new DefaultHttpClient(ccm);
        } catch (Exception e) {
            e.printStackTrace();
            return new DefaultHttpClient();
        }
    }
    
    0 讨论(0)
提交回复
热议问题