在使用SSL配置TCP连接时,根据spring文档,我们一直在使用我们自己的TcpSSLContextSupport实例,因为DefaultTcpSSLContextSupport需要初始化客户端证书。这是我们的 bean 配置:
private static final int SERIALIZER_HEADER_SIZE = 2;
@Bean
public ByteArrayLengthHeaderSerializer byteArrayLengthHeaderSerializer() {
return new ByteArrayLengthHeaderSerializer(SERIALIZER_HEADER_SIZE);
}
@Bean
public AbstractClientConnectionFactory tcpClientConnectionFactory() {
TcpNetClientConnectionFactory connFactory =
new TcpNetClientConnectionFactory(props.getUrl(), props.getPort());
connFactory.setSerializer(byteArrayLengthHeaderSerializer());
connFactory.setDeserializer(byteArrayLengthHeaderSerializer());
connFactory.setSoTimeout(props.getSoTimeout());
if (props.isUseSSL()) {
connFactory.setTcpSocketFactorySupport(new DefaultTcpNetSSLSocketFactorySupport(() -> {
return SSLContext.getDefault();
}));
}
return connFactory;
}
由于客户端证书是已知证书,我们不需要提供自己的密钥库和信任库,因此这是在创建 TCP 连接时正确配置 SSL 的正确方法吗?
没错,这正是将自定义SSLContext注入ConnectionFactory的方法。
你也可以考虑在你的上下文中"信任所有人":
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
X509Certificate[] myTrustedAnchors = new X509Certificate[0];
return myTrustedAnchors;
}
@Override
public void checkClientTrusted(X509Certificate[] certs, String authType) {}
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType) {}
}
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new SecureRandom());
return sc;