我正在尝试使用 Apache HttpComponents 库对 JBoss 服务器进行 HTTP GET 调用。当我使用 http URL 执行此操作时,它工作正常,但是当我使用 https URL 时,它不起作用。这是我的代码:
public static String HttpGET(String requestURL, Cookie cookie)
throws HttpException {
DefaultHttpClient httpClient = new DefaultHttpClient();
if (cookie != null) {
CookieStore store = new BasicCookieStore();
store.addCookie(cookie);
((AbstractHttpClient) httpClient).setCookieStore(store);
}
HttpGet httpGet = new HttpGet(requestURL);
HttpResponse response = null;
HttpEntity responseEntity = null;
String responseBody = null;
try {
response = httpClient.execute(httpGet);
// Do some more stuff...
} catch (SSLPeerUnverifiedException ex) {
// Message "peer not authenticated" means the server presented
// a certificate that was not found in the local truststore.
throw new HttpException("HTTP GET request failed; possible"
+ " missing or invalid certificate: " + ex.getMessage());
} catch (IOException e) {
e.printStackTrace();
} finally {
// When HttpClient instance is no longer needed,
// shut down the connection manager to ensure
// immediate deallocation of all system resources
httpClient.getConnectionManager().shutdown();
}
return responseBody;
}
当我execute()我的GET电话时,我得到了一个SSLPeerUnverifiedException。错误消息是:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
经过一些广泛的谷歌搜索和搜索StackOverflow问题,我一直看到这个建议,所以我在我的DefaultHttpClient周围添加了这个包装器,如下所示:
private static HttpClient wrapClient(HttpClient httpClient) {
try {
SSLContext ctx = SSLContext.getInstance("TLS");
X509TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs,
String string) {
}
public void checkServerTrusted(X509Certificate[] xcs,
String string) {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
X509HostnameVerifier verifier = new X509HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return false;
}
@Override
public void verify(String arg0, SSLSocket arg1)
throws IOException { }
@Override
public void verify(String arg0, X509Certificate arg1)
throws SSLException { }
@Override
public void verify(String arg0, String[] arg1, String[] arg2)
throws SSLException { }
};
ctx.init(null, new TrustManager[] { tm }, null);
SSLSocketFactory socketFactory = new SSLSocketFactory(ctx);
socketFactory.setHostnameVerifier(verifier);
Scheme sch = new Scheme("https", 443, socketFactory);
httpClient.getConnectionManager().getSchemeRegistry().register(sch);
return httpClient;
} catch (Exception ex) {
ex.printStackTrace();
return null;
}
}
但是,这只会产生不同的错误:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
我相信证书设置正确,因为使用 Jersey 库编写的其他代码可以成功连接到此服务器。但是,我没有看到我在Apache HttpComponents上做错了什么。有什么想法吗?如果我犯了明显的错误,我深表歉意,我是SSL的新手,还没有完全了解我在做什么。感谢您的任何帮助!
这可能是由于您的服务器需要服务器名称指示。
由于Apache HTTP Client 4.2.2似乎不支持SNI(即使使用Java 7,它也不会发送server_name扩展),因此您可能会获得与使用SNI的其他库不同的证书。
似乎有一种方法可以在Apache HTTP Client 4.3中获得SNI支持(但至少你仍然需要Java 7)。