Question

我有一个通用的 SSLSocket 工具 SSLSocket 家具类, 基本上允许您在您想要信任 Diffie- Hellman 的所有证书和/ 或转折证书和/ 或 Diffie- Hellman 时因 JDK 错误而信任的情况下进行切换。我最近添加了提供您自己的 SSLSocket 工具的选项, 但似乎有些被遗忘了。

禁用 Diffie- Hellman 很容易在工厂做, 只需在您创建插座时添加一些代码即可。但是要信任所有证书, 我用不同的证书替换工厂

public UtilSSLSocketFactory trustAllCertificates() {
    if (trustingAllCertificates)
    //Already doing this, no need to do it again
        return this;
    trustingAllCertificates = true;
    try {
        TrustManager[] tm = new TrustManager[] {new TrustingX509TrustManager()};
        SSLContext context = SSLContext.getInstance("SSL");
        context.init(new KeyManager[0], tm, new SecureRandom());
        wrappedFactory = (SSLSocketFactory) context.getSocketFactory();
    } catch (Exception e) {
        throw new RuntimeException("Can t recreate socket factory that trusts all certificates", e);
    }
    return this;
}

有没有办法让一个专横的SSLSocket Factory 相信所有证书而不替换证书?

Answer 1

除了盲目信任所有证书通常是一个坏主意( 如果您想要使用 SSL/ TLS 来保障通信安全), 您使用的模式似乎很奇怪。

SSLContext 是一家生产 SSLSocketFactory 的工厂,而该工厂又是一个生产 SSLSocket 的工厂。

如果需要,您可以用 SSLContext (从 Java 6 开始) 设置默认的 SSLContext (从 Java 6 开始), 设置为 SSLContext.setDefault(...) : 这将影响默认的 SSLSocket Factory , 但也许不会更具体。

您无法更改现有 SSLSocketFactory 实例所使用的 SSLContext 。

除非您现有的 SSLSocketFactory 与带有特定设置的默认执行有所不同(例如,在返回之前,您会在创建的套接字上稍加调整),否则您试图做的事情似乎不符合此处的预期设计模式。

Answer 2

an arbitrary SSLSocketFactory to trust all certificates without replacing it

否。您 有来设置您自定义的“ 信任所有证书” 管理器, 否则默认管理器正在使用, 在您的 JDK 安装中“ 咨询” Java 默认的信托店, 即 < code> accerts 。

但从安全角度看,如果你没有服务器认证,你最好使用普通的 TCP 来避免 SSL 管理费,因为你实际上没有任何安全。

Answer 3

试试这个代码...... 这是一个工作代码, 使用这个类在你的代码中像这样

HttpClient client = MySSLSocketFactory.getNewHttpClient();

这是代码

import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.apache.http.HttpVersion;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
import org.apache.http.params.HttpProtocolParams;
import org.apache.http.protocol.HTTP;

public class MySSLSocketFactory extends SSLSocketFactory {
    SSLContext sslContext = SSLContext.getInstance("TLS");

    public MySSLSocketFactory(KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
       super(truststore);

       TrustManager tm = new X509TrustManager() {
           public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
           }

           public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
           }

           public X509Certificate[] getAcceptedIssuers() {
               return null;
           }
       };

       sslContext.init(null, new TrustManager[] { tm }, null);
    }

    @Override
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException {
       return sslContext.getSocketFactory().createSocket(socket, host, port, autoClose);
    }

    @Override
    public Socket createSocket() throws IOException {
       return sslContext.getSocketFactory().createSocket();
    }


public static HttpClient getNewHttpClient() {
    try {
       KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
       trustStore.load(null, null);

       SSLSocketFactory sf = new MySSLSocketFactory(trustStore);
       sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

       HttpParams params = new BasicHttpParams();
       HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
       HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

       SchemeRegistry registry = new SchemeRegistry();
       registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
       registry.register(new Scheme("https", sf, 443));

       ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);

       return new DefaultHttpClient(ccm, params);
    } catch (Exception e) {
       return new DefaultHttpClient();
    }
}

}

友情链接