Java8u181引入了一个更改,即在使用连接到LDAPS(TLS(服务器的Java JNDI LDAP AP时启用证书主机名验证。
请参阅:https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html#JDK-8200666
如何禁用此主机名验证,或者更好地指定自定义javax.net.ssl.HostnameVerifier类。 Oracle 的文档仅指定了禁用验证的 Java 环境属性,但没有指出任何有问题地完成此操作的方法,这对于不(或不希望(能够更改运行它们的 JVM 的位/开关的环境至关重要。
此问题:如何禁用 java 1.8.181 版本的端点识别 提出类似的问题,但解决方案是通过命令行更改 Java 环境。 我问如何在没有环境开关的情况下以编程方式完成它。
关于在 Java 中禁用其他类型的 SSL 连接的主机名验证还有其他问题/答案,但这些答案不适用于 JNDI LDAP API。
正如@Patrick-Mevzek已经说过的那样:不要这样做!
但是,如果您真的必须这样做,那么您可以通过以下方式进行操作:
你需要一个SocketFactory,它包含一个虚拟的TrustManager,它只是忽略任何东西。有很多例子可以展示如何创造这样的东西。不幸的是,他们中的大多数人(全部?(都使用X509TrustManager来完成这项工作。这将适用于无效的证书,但不会处理错误或丢失的主机名。为此,您需要一个"X509ExtendedTrustManager":
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
/**
* This Socket factory will accept all certificates and all hostnames
*/
public class NonVerifyingSSLSocketFactory extends SocketFactory {
private static SocketFactory nonVerifyingSSLSochetFactory;
static {
TrustManager [] distrustManager = new TrustManager [] {new X509ExtendedTrustManager () {
@Override
public void checkClientTrusted (X509Certificate [] chain, String authType, Socket socket) {
}
@Override
public void checkServerTrusted (X509Certificate [] chain, String authType, Socket socket) {
}
@Override
public void checkClientTrusted (X509Certificate [] chain, String authType, SSLEngine engine) {
}
@Override
public void checkServerTrusted (X509Certificate [] chain, String authType, SSLEngine engine) {
}
public X509Certificate [] getAcceptedIssuers () {
return null;
}
public void checkClientTrusted (X509Certificate [] c, String a) {
}
public void checkServerTrusted (X509Certificate [] c, String a) {
}
}};
try {
SSLContext sc = SSLContext.getInstance ("SSL");
sc.init (null, distrustManager, new java.security.SecureRandom ());
nonVerifyingSSLSochetFactory = sc.getSocketFactory ();
} catch (GeneralSecurityException e) {
throw new RuntimeException (e);
}
}
/**
* This method is needed. It is called by the LDAP Context to create the connection
*
* @see SocketFactory#getDefault()
*/
@SuppressWarnings ("unused")
public static SocketFactory getDefault () {
return new NonVerifyingSSLSocketFactory ();
}
/**
* @see SocketFactory#createSocket(String, int)
*/
public Socket createSocket (String arg0, int arg1) throws IOException {
return nonVerifyingSSLSochetFactory.createSocket (arg0, arg1);
}
/**
* @see SocketFactory#createSocket(java.net.InetAddress, int)
*/
public Socket createSocket (InetAddress arg0, int arg1) throws IOException {
return nonVerifyingSSLSochetFactory.createSocket (arg0, arg1);
}
/**
* @see SocketFactory#createSocket(String, int, InetAddress, int)
*/
public Socket createSocket (String arg0, int arg1, InetAddress arg2, int arg3) throws IOException {
return nonVerifyingSSLSochetFactory.createSocket (arg0, arg1, arg2, arg3);
}
/**
* @see SocketFactory#createSocket(InetAddress, int, InetAddress, int)
*/
public Socket createSocket (InetAddress arg0, int arg1, InetAddress arg2,
int arg3) throws IOException {
return nonVerifyingSSLSochetFactory.createSocket (arg0, arg1, arg2, arg3);
}
}
在 InitialLdapContext 环境中使用它来激活它:
env.put ("java.naming.ldap.factory.socket", NonVerifyingSSLSocketFactory.class.getName ());
测试:
- OpenJDK 版本 "1.8.0_191">
- oraclejdk版本"1.8.0_25"(这个版本不需要它,但它无论如何都可以工作并且不会破坏任何东西(
在创建 httpclient 实例之前设置系统属性
System.setProperty("jdk.internal.httpclient.disableHostnameVerification", "true");