客戶端 Jre 對HTTPS證書的處理策略

原創 陶醉还初心 2018-09-03 19:31

HTTPS(HTTP over Secure Socket Layer),簡單講即HTTP下加入SSL層,HTTPS的安全基礎是SSL。

如果要實現SSL通訊,通訊雙方需要設置KeyStore和TrustStore。
如果是單向認證,那麼client側只需要設置TrustStore, 客戶端的TrustStore文件中保存着被客戶端所信任的服務器的證書信息。

客戶端在進行SSL連接時,JSSE將根據這個文件中的證書決定是否信任服務器端的證書。

但是通常我們並不需要做這個就能正常訪問HTTPS服務。比如利用Spring中的RestTemplate訪問微信的獲取AccessToken的API接口。

@Test  
public void testRestTemplate() throws Exception {  
    String url = "https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=1&secret=2";  
    RestTemplate restTemplate = new RestTemplate();  
    String resultJasonStr = restTemplate.getForObject(url, String.class);  
    System.out.println(resultJasonStr);  
}

運行成功,我們可以看到打印出來的返回結果,因爲我們用的appid和secret都是錯誤的,所以會得到40001錯誤。

{"errcode":40001,"errmsg":"invalid credential, access_token is invalid or not latest hint: [v_xuha0307vr18]"}

如果不用Spring,也可以直接使用Java的java.net.URLConnection,會得到同樣的結果

@Test  
public void testHttpUrlConnection() throws IOException, URISyntaxException {  
    URL url = new URL("https://api.weixin.qq.com/cgi-bin/token?grant_type=client_credential&appid=1&secret=2");  
  
  
    URLConnection con = url.openConnection();  
    con.connect();  
    BufferedReader reader = new BufferedReader(new InputStreamReader(con.getInputStream(), "utf-8"));  
    String s;  
    while ((s = reader.readLine()) != null) {  
        System.out.println(s);  
    }  
    reader.close();  
}
爲什麼不需要設置TrustStore,HTTPS客戶端就能正常工作呢?
首先要說明,TrustStore文件中也可以不保存服務器的證書信息,如果服務器的證書是經過CA簽名的,那麼只要保存着CA的根證書即可。
在SunJSSE中,有一個信任管理器類負責決定是否信任遠端的證書,這個類有如下的處理規則:
1)若系統屬性javax.net.ssl.trustStore指定了TrustStore文件,那麼信任管理器就去jre安裝路徑下的lib/security/目錄中尋找並使用這個文件來檢查證書。
2)若該系統屬性沒有指定TrustStore文件,它就會去JRE安裝路徑下尋找默認的TrustStore文件,這個文件的相對路徑爲:lib/security/jssecacerts。
3)若jssecacerts不存在,但是cacerts存在(它隨JRE一起發行,含有數量有限的可信任的基本證書),那麼這個默認的TrustStore文件就是lib/security/cacerts。
按照這個規則,我們猜測,在JRE的jssecacerts或者是cacerts保存着微信API服務器證書的CA證書。


本機所使用的JDK1.8的jre/lib/security/下面找到了cacerts文件,

首先查看一下里面的證書。訪問TrustStore文件需要store password, 默認的password是changeit.

C:\Program Files\Java\jdk1.8.0_45\jre\lib\security>keytool -list  -keystore cacerts -storepass changeit  
  
  
密鑰庫類型: JKS  
密鑰庫提供方: SUN  
  
  
您的密鑰庫包含 92 個條目  
  
  
digicertassuredidrootca, 2008-4-16, trustedCertEntry,  
證書指紋 (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43  
trustcenterclass2caii, 2008-4-29, trustedCertEntry,  
證書指紋 (SHA1): AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E  
thawtepremiumserverca, 2009-12-12, trustedCertEntry,  
證書指紋 (SHA1): E0:AB:05:94:20:72:54:93:05:60:62:02:36:70:F7:CD:2E:FC:66:66  
swisssignplatinumg2ca, 2008-11-1, trustedCertEntry,  
證書指紋 (SHA1): 56:E0:FA:C0:3B:8F:18:23:55:18:E5:D3:11:CA:E8:C2:43:31:AB:66  
swisssignsilverg2ca, 2008-11-1, trustedCertEntry,  
證書指紋 (SHA1): 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB  
thawteserverca, 2009-12-12, trustedCertEntry,  
證書指紋 (SHA1): 9F:AD:91:A6:CE:6A:C6:C5:00:47:C4:4E:C9:D4:A5:0D:92:D8:49:79  
equifaxsecureebusinessca1, 2014-11-12, trustedCertEntry,  
證書指紋 (SHA1): AE:E6:3D:70:E3:76:FB:C7:3A:EB:B0:A1:C1:D4:C4:7A:A7:40:B3:F4  
securetrustca, 2014-3-6, trustedCertEntry,  
證書指紋 (SHA1): 87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11  
utnuserfirstclientauthemailca, 2006-5-2, trustedCertEntry,  
證書指紋 (SHA1): B1:72:B1:A5:6D:95:F9:1F:E5:02:87:E1:4D:37:EA:6A:44:63:76:8A  
thawtepersonalfreemailca, 2009-12-12, trustedCertEntry,  
證書指紋 (SHA1): E6:18:83:AE:84:CA:C1:C1:CD:52:AD:E8:E9:25:2B:45:A6:4F:B7:E2  
affirmtrustnetworkingca, 2014-4-15, trustedCertEntry,  
證書指紋 (SHA1): 29:36:21:02:8B:20:ED:02:F5:66:C5:32:D1:D6:ED:90:9F:45:00:2F  
entrustevca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9  
utnuserfirsthardwareca, 2006-5-2, trustedCertEntry,  
證書指紋 (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7  
certumca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18  
addtrustclass1ca, 2006-5-2, trustedCertEntry,  
證書指紋 (SHA1): CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D  
entrustrootcag2, 2010-6-23, trustedCertEntry,  
證書指紋 (SHA1): 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4  
equifaxsecureca, 2003-7-19, trustedCertEntry,  
證書指紋 (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A  
quovadisrootca3, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 1F:49:14:F7:D8:74:95:1D:DD:AE:02:C0:BE:FD:3A:2D:82:75:51:85  
quovadisrootca2, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7  
swisscomrootca2, 2015-1-16, trustedCertEntry,  
證書指紋 (SHA1): 77:47:4F:C6:30:E4:0F:4C:47:64:3F:84:BA:B8:C6:95:4A:8A:41:EC  
digicerthighassuranceevrootca, 2008-4-16, trustedCertEntry,  
證書指紋 (SHA1): 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25  
secomvalicertclass1ca, 2008-6-3, trustedCertEntry,  
證書指紋 (SHA1): E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E  
equifaxsecureglobalebusinessca1, 2014-11-12, trustedCertEntry,  
證書指紋 (SHA1): 3A:74:CB:7A:47:DB:70:DE:89:1F:24:35:98:64:B8:2D:82:BD:1A:36  
geotrustuniversalca, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): E6:21:F3:35:43:79:05:9A:4B:68:30:9D:8A:2F:74:22:15:87:EC:79  
verisignclass3ca, 2009-12-12, trustedCertEntry,  
證書指紋 (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B  
thawteprimaryrootcag3, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2  
thawteprimaryrootcag2, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12  
deutschetelekomrootca2, 2008-11-15, trustedCertEntry,  
證書指紋 (SHA1): 85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF  
buypassclass3ca, 2014-1-7, trustedCertEntry,  
證書指紋 (SHA1): DA:FA:F7:FA:66:84:EC:06:8F:14:50:BD:C7:C2:81:A5:BC:A9:64:57  
utnuserfirstobjectca, 2006-5-2, trustedCertEntry,  
證書指紋 (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46  
geotrustprimaryca, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): 32:3C:11:8E:1B:F7:B8:B6:52:54:E2:E2:10:0D:D6:02:90:37:F0:96  
buypassclass2ca, 2014-1-7, trustedCertEntry,  
證書指紋 (SHA1): 49:0A:75:74:DE:87:0A:47:FE:58:EE:F6:C7:6B:EB:C6:0B:12:40:99  
baltimorecodesigningca, 2002-5-10, trustedCertEntry,  
證書指紋 (SHA1): 30:46:D8:C8:88:FF:69:30:C3:4A:FC:CD:49:27:08:7C:60:56:7B:0D  
verisignclass1ca, 2009-12-12, trustedCertEntry,  
證書指紋 (SHA1): CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1  
baltimorecybertrustca, 2002-5-10, trustedCertEntry,  
證書指紋 (SHA1): D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74  
starfieldclass2ca, 2005-1-20, trustedCertEntry,  
證書指紋 (SHA1): AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A  
camerfirmachamberscommerceca, 2008-11-1, trustedCertEntry,  
證書指紋 (SHA1): 6E:3A:55:A4:19:0C:19:5C:93:84:3C:C0:DB:72:2E:31:30:61:F0:B1  
ttelesecglobalrootclass3ca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 55:A6:72:3E:CB:F2:EC:CD:C3:23:74:70:19:9D:2A:BE:11:E3:81:D1  
verisignclass3g5ca, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5  
ttelesecglobalrootclass2ca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9  
trustcenteruniversalcai, 2008-4-29, trustedCertEntry,  
證書指紋 (SHA1): 6B:2F:34:AD:89:58:BE:62:FD:B0:6B:5C:CE:BB:9D:D9:4F:4E:39:F3  
verisignclass3g4ca, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): 22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A  
verisignclass3g3ca, 2004-3-26, trustedCertEntry,  
證書指紋 (SHA1): 13:2D:0D:45:53:4B:69:97:CD:B2:D5:C3:39:E2:55:76:60:9B:5C:C6  
xrampglobalca, 2014-3-6, trustedCertEntry,  
證書指紋 (SHA1): B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6  
certplusclass3pprimaryca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 21:6B:2A:29:E6:2A:00:CE:82:01:46:D8:24:41:41:B9:25:11:B2:79  
certumtrustednetworkca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 07:E0:32:E0:20:B7:2C:3F:19:2F:06:28:A2:59:3A:19:A7:0F:06:9E  
verisignclass3g2ca, 2004-3-26, trustedCertEntry,  
證書指紋 (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F  
globalsignr3ca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): D6:9B:56:11:48:F0:1C:77:C5:45:78:C1:09:26:DF:5B:85:69:76:AD  
utndatacorpsgcca, 2006-5-2, trustedCertEntry,  
證書指紋 (SHA1): 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4  
secomscrootca2, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 5F:3B:8C:F2:F8:10:B3:7D:78:B4:CE:EC:19:19:C3:73:34:B9:C7:74  
gtecybertrustglobalca, 2002-5-10, trustedCertEntry,  
證書指紋 (SHA1): 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74  
secomscrootca1, 2008-6-3, trustedCertEntry,  
證書指紋 (SHA1): 36:B1:2B:49:F9:81:9E:D7:4C:9E:BC:38:0F:C6:56:8F:5D:AC:B2:F7  
affirmtrustcommercialca, 2014-4-15, trustedCertEntry,  
證書指紋 (SHA1): F9:B5:B6:32:45:5F:9C:BE:EC:57:5F:80:DC:E9:6E:2C:C7:B2:78:B7  
trustcenterclass4caii, 2008-4-29, trustedCertEntry,  
證書指紋 (SHA1): A6:9A:91:FD:05:7F:13:6A:42:63:0B:B1:76:0D:2D:51:12:0C:16:50  
verisignuniversalrootca, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): 36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54  
globalsignr2ca, 2007-8-3, trustedCertEntry,  
證書指紋 (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE  
certplusclass2primaryca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 74:20:74:41:72:9C:DD:92:EC:79:31:D8:23:10:8D:C2:81:92:E2:BB  
digicertglobalrootca, 2008-4-16, trustedCertEntry,  
證書指紋 (SHA1): A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36  
globalsignca, 2008-3-19, trustedCertEntry,  
證書指紋 (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C  
thawteprimaryrootca, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81  
starfieldrootg2ca, 2014-7-19, trustedCertEntry,  
證書指紋 (SHA1): B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E  
geotrustglobalca, 2003-7-19, trustedCertEntry,  
證書指紋 (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12  
soneraclass2ca, 2006-3-29, trustedCertEntry,  
證書指紋 (SHA1): 37:F7:6D:E6:07:7C:90:C5:B1:3E:93:1A:B7:41:10:B4:F2:E4:9A:27  
swisscomrootevca2, 2015-1-16, trustedCertEntry,  
證書指紋 (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B  
verisigntsaca, 2014-11-12, trustedCertEntry,  
證書指紋 (SHA1): 20:CE:B1:F0:F5:1C:0E:19:A9:F3:8D:B1:AA:8E:03:8C:AA:7A:C7:01  
soneraclass1ca, 2006-3-29, trustedCertEntry,  
證書指紋 (SHA1): 07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF  
quovadisrootca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): DE:3F:40:BD:50:93:D3:9B:6C:60:F6:DA:BC:07:62:01:00:89:76:C9  
affirmtrustpremiumeccca, 2014-4-15, trustedCertEntry,  
證書指紋 (SHA1): B8:23:6B:00:2F:1D:16:86:53:01:55:6C:11:A4:37:CA:EB:FF:C3:BB  
starfieldservicesrootg2ca, 2014-7-19, trustedCertEntry,  
證書指紋 (SHA1): 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F  
valicertclass2ca, 2005-1-20, trustedCertEntry,  
證書指紋 (SHA1): 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6  
comodoaaaca, 2006-5-2, trustedCertEntry,  
證書指紋 (SHA1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49  
addtrustqualifiedca, 2006-5-2, trustedCertEntry,  
證書指紋 (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF  
keynectisrootca, 2010-4-24, trustedCertEntry,  
證書指紋 (SHA1): 9C:61:5C:4D:4D:85:10:3A:53:26:C2:4D:BA:EA:E4:A2:D2:D5:CC:97  
aolrootca2, 2008-3-19, trustedCertEntry,  
證書指紋 (SHA1): 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84  
addtrustexternalca, 2006-5-2, trustedCertEntry,  
證書指紋 (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68  
verisignclass2g3ca, 2004-3-26, trustedCertEntry,  
證書指紋 (SHA1): 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11  
aolrootca1, 2008-3-19, trustedCertEntry,  
證書指紋 (SHA1): 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A  
luxtrustglobalrootca, 2015-1-16, trustedCertEntry,  
證書指紋 (SHA1): C9:3C:34:EA:90:D9:13:0C:0F:03:00:4B:98:BD:8B:35:70:91:56:11  
verisignclass2g2ca, 2004-3-26, trustedCertEntry,  
證書指紋 (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D  
geotrustprimarycag3, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): 03:9E:ED:B8:0B:E7:A0:3C:69:53:89:3B:20:D2:D9:32:3A:4C:2A:FD  
geotrustprimarycag2, 2009-12-11, trustedCertEntry,  
證書指紋 (SHA1): 8D:17:84:D5:37:F3:03:7D:EC:70:FE:57:8B:51:9A:99:E6:10:D7:B0  
swisssigngoldg2ca, 2008-11-1, trustedCertEntry,  
證書指紋 (SHA1): D8:C5:38:8A:B7:30:1B:1B:6E:D4:7A:E6:45:25:3A:6F:9F:1A:27:61  
entrust2048ca, 2010-6-23, trustedCertEntry,  
證書指紋 (SHA1): 50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31  
chunghwaepkirootca, 2014-1-14, trustedCertEntry,  
證書指紋 (SHA1): 67:65:0D:F1:7E:8E:7E:5B:82:40:A4:F4:56:4B:CF:E2:3D:69:C6:F0  
camerfirmachambersignca, 2008-11-1, trustedCertEntry,  
證書指紋 (SHA1): 4A:BD:EE:EC:95:0D:35:9C:89:AE:C7:52:A1:2C:5B:29:F6:D6:AA:0C  
camerfirmachambersca, 2008-11-1, trustedCertEntry,  
證書指紋 (SHA1): 78:6A:74:AC:76:AB:14:7F:9C:6A:30:50:BA:9E:A8:7E:FE:9A:CE:3C  
godaddyclass2ca, 2005-1-20, trustedCertEntry,  
證書指紋 (SHA1): 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4  
affirmtrustpremiumca, 2014-4-15, trustedCertEntry,  
證書指紋 (SHA1): D8:A6:33:2C:E0:03:6F:B1:85:F6:63:4F:7D:6A:06:65:26:32:28:27  
verisignclass1g3ca, 2004-3-26, trustedCertEntry,  
證書指紋 (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5  
secomevrootca1, 2008-6-3, trustedCertEntry,  
證書指紋 (SHA1): FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D  
verisignclass1g2ca, 2004-3-26, trustedCertEntry,  
證書指紋 (SHA1): 27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47  
godaddyrootg2ca, 2014-7-19, trustedCertEntry,  
證書指紋 (SHA1): 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B

在瀏覽器裏直接訪問,查看一下證書



可以看到這個證書指紋並不在上面信任證書列表裏面


但是它的根證書GeoTrust Global CA的指紋DE:28:F4...在可信任證書列表中。


=============================================================================


有時候服務器證書並沒有經過簽名,或者簽名的根證書不是上述可信任證書。這個時候,直接使用URLConnection或者RestTemplate就會得到如下的錯誤:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

這個時候有三個辦法:
1)創建一個Trust Store, 導入Server證書或者其簽名的根證書
keytool -export -alias jettyserver -keystore jettyserver.keystore -storepass jettyserverks -file jettyserver.cer
keytool -import -alias jettyserver -keystore jettyclienttrust.keystore -storepass jettyclienttrustks -file jettyserver.cer
然後在Java代碼中
System.setProperty("javax.net.ssl.trustStore", "jettyclienttrust.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "jettyclienttrustks");
這個辦法比較簡單,但是有個缺點就是這個是全局設置,會影響其他訪問HTTPS的地方。


2)直接把Server證書或者其簽名的根證書導入到cacerts中。
keytool -import -alias jettyserver -keystore cacerts -storepass changeit -file c:\_tmp\jettyserver.cer
這個辦法的缺點是所有部署程序的主機上都要作同樣的事情,當然可以把JDK集成到程序裏面。


3)自己實現證書信任管理器類,跳過證書信任的檢查。可以看下參考資料1和參考資料2裏面的做法。


==============================================================================
如果遇到java.security.cert.CertificateException: No subject alternative names present的錯誤,
原因是生成證書的時候,CN(commonName)必須和域名保持一致。比如如果CN設置了localhost,那麼訪問的時候不能用127.0.0.1。  


[參考資料]
1)http://www.cnblogs.com/devinzhang/archive/2012/02/28/2371631.html
2)http://blog.csdn.net/rongyongfeikai2/article/details/41659353
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

java線程併發庫

  ThreadLocal的使用,,,實際上相當於維護了一個Map,其中以鍵值對的形式,存儲了某一個數據被多個線程訪問所對應的值。當然這個數據只能有

xinyetonghua 2020-07-08 12:36:33

分佈式系統各個節點狀態如何同步?淺談一下

寫在前面:2020年面試必備的Java後端進階面試題總結了一份複習指南在Github上,內容詳細,圖文並茂,有需要學習的朋友可以Star一下! GitHub地址:https://github.com/abel-max/Java-S

毛发旺盛的程序员 2020-07-08 12:27:30

ZooKeeper 一致性協議 ZAB 原理,瞭解一下

一致性協議有很多種,比如 Paxos,Raft,2PC,3PC等等,在這講一種協議,ZAB 協議,該協議應該是所有一致性協議中生產環境中應用最多的了。爲什麼?因爲它是爲 Zookeeper 設計的分佈式一致性協議! 1. 什麼是

毛发旺盛的程序员 2020-07-08 12:27:20

Spring中Transactional 失效的解決方案,讓我們一起探討一下

寫在前面:2020年面試必備的Java後端進階面試題總結了一份複習指南在Github上,內容詳細,圖文並茂,有需要學習的朋友可以Star一下! GitHub地址:https://github.com/abel-max/Java-S

毛发旺盛的程序员 2020-07-08 12:27:20

太狠了,Spring全家桶筆記,一站式通關全攻略,已入職某廠漲薪18K

Spring 早已成爲 Java 後端開發事實上的行業標準,無數的公司選擇 Spring 作爲基礎的開發框架,大部分Java 後端程序員在日常工作中也會接觸到 Spring ,因此,如何用好 Spring ,也就成爲 Java

毛发旺盛的程序员 2020-07-08 12:27:20

java中的NAN和INFINITY java中的NAN和INFINITY

    java中的NAN和INFINITY   java浮點數運算中有兩個特殊的情況:NAN、INFINITY。 1、INFINITY: 在浮點數運算時,有時我們會遇到除數爲0的情況,那java是如何解決的呢? 我們知道,在整型運算中

a318013800 2021-11-28 13:09:28

【Java 小白菜入門筆記 2.2】常用的類和方法

Array Array 含有sort、fill、equals、BinarySearch等方法 import java.util.Arrays; import java.util.Random; public class Arra

江户川柯壮 2020-07-08 12:39:29

springboot增量打包更新--靜態資源分離打包

springboot部署打包爲jar,一般都是全量打包,jar包的大小通常都是超過100M的,並且在進行一般的頁面html微調、js修改、img替換、css樣式修改時也需要重新打包進行部署;每次微小的調整都需要重新打包就太煩了,一

CNOYG 2020-07-08 12:39:29

增加FastDfs多文件存儲路徑

項目需要增加聊天會話功能,涉及到上傳語音圖片等信息。考慮新增一個目錄,所有相關文件存在一個相同的目錄中。因此需要對原項目增加一個存儲的路徑。以前的項目因爲只有一個路徑,且已經運行中。走了些彎路,僅此記錄操作過程。nginx version

pengdayong77 2020-07-08 12:37:23

JSONArray指定日期的反序列化

 JSONArray序列化日期最初用到, 這個是全局設置,會有風險。     String[] dateFormats = new String[] {"yyyyMMdd"};                 JSONUtils.getM

pengdayong77 2020-07-08 12:37:23

java緩存對象,使之不需要每次都從數據庫中獲取,以提高程序性能

直接上源碼,定義一個抽象類,必須實現get方法。該方法是用來獲取需要緩存的對象的。  import java.util.HashMap; import java.util.Map; /** * 用於從數據庫中獲取相應值的緩存類 *

pengdayong77 2020-07-08 12:37:23

類加載和類實例化

Java程序中對類的使用方式分爲兩類 :主動使用和被動使用 主動使用: 創建類的實例 訪問某個類或接口的靜態變量,或者對該靜態變量賦值 調用類的靜態方法 反射 初始化一個類的子類 java虛擬機啓動時被標明爲啓動類的類 從JDK

吃酒忘情殇 2020-07-08 12:36:21

大數據入門(七)win10上eclipse使用Hadoop的配置

目錄工具eclipse的Hadoop環境配置參考 系列: 大數據入門(一)環境搭建,VMware15+CentOS8.1 配置 https://blog.csdn.net/qq_34391511/article/details/1

33 Audrey 2020-07-08 12:35:23

Java動態綁定機制經典案列理解

如題,直接帶入案例進行理解Java的動態綁定機制,不多說直接上代碼了。 package one; public class JavaTest { public static void main(String[] args

柘月十七 2020-07-08 12:33:16

阿里年薪破百架構師推薦:鳥哥的Linux私房菜,搭配面試題,真香

在Linux實操的過程中,你是否有過這些疑問: 如何提取日誌中含有關鍵字的指定行,上一行或上幾行? ln 做了符號鏈接,對符號鏈接進行權限修改,原文件是否會受到影響? Shell 腳本里有很多特殊符號,到底該怎麼用?網上流傳的

毛发旺盛的程序员 2020-07-08 12:27:30