Java 验证服务器Verisign证书会引发不受信任的服务器证书异常
我在尝试将HttpsURLConnection连接到后端时验证Verisign证书时遇到问题 当前认证链:Java 验证服务器Verisign证书会引发不受信任的服务器证书异常,java,android,ssl,certificate,verisign,Java,Android,Ssl,Certificate,Verisign,我在尝试将HttpsURLConnection连接到后端时验证Verisign证书时遇到问题 当前认证链: $openssl s_客户端-连接主机:443 0 s:/C=AT/ST=xxx/L=xxx/O=xxx/CN=host i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Interna
$openssl s_客户端-连接主机:4430 s:/C=AT/ST=xxx/L=xxx/O=xxx/CN=host
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Auth
ority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Auth
ority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
java.security.cert.CertificateException:java.security.cert.CertPathValidatorException:TrustAnchor找到,但证书验证失败。String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("verisign_0", getVerisign0());
keyStore.setCertificateEntry("verisign_1", getVerisign1());
keyStore.setCertificateEntry("verisign_2", getVerisign2());
keyStore.setCertificateEntry("verisign_3", getVerisign3());
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
return urlConnection;
connection.connect()[0] = {java.lang.StackTraceElement@830078967208}"org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:168)"
[1] = {java.lang.StackTraceElement@830078967584}"org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:366)"
[2] = {java.lang.StackTraceElement@830078967960}"org.apache.harmony.luni.internal.net.www.protocol.http.HttpConnection.getSecureSocket(HttpConnection.java:168)"
[3] = {java.lang.StackTraceElement@830078968368}"org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.connect(HttpsURLConnectionImpl.java:399)"
[4] = {java.lang.StackTraceElement@830078968816}"org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:147)"
如果没有进一步的代码,我不能说,但是,我可以看到您正在加载受信任的证书,但是您在哪里加载自己的密钥库?如果是在其他代码中,我就说不出来了 另外,当您尝试使用外部信任库时会发生什么情况,例如$JAVA_HOME/jre/lib/security/cacerts 假设您真的想要使用动态信任存储(通常它们都是静态的),请查看
如前所述,JVM中的信任库是静态的,一旦初始化,证书就不能附加到它(正如我在类似问题中观察到的那样)。 简单的解决方案是将您的证书添加到默认证书中:$JAVA_HOME/jre/lib/security/cacerts 或者尝试将信任库初始化代码包含到静态{}块中,以便更快地初始化它,并获得绕过默认行为的机会
您还可以使用自定义文件keyStore,并要求jvm将其与-Djavax.net.ssl.keyStore*参数一起使用。这只是供您尝试的提示。我最近做了一个应用程序,它需要通过HTTPS与服务器通信,在版本低于4的HttpsURLConnection类中运行良好,但在所有其他版本中,它返回不可信。我们的证书已签发。唯一的解决办法是使用SSLSocket搜索论坛和主题。为什么这样做有效,而其他解决方案无效?我没有找到任何合乎逻辑的答案。希望这有助于并享受您的工作。证书是否过期或CLR/OCSP URL无法访问(或甚至被吊销)?很抱歉延迟评论,但我不在城里。如果有人遇到类似问题:由于我无法在安装我们应用程序的每个设备上安装证书,我将不得不使用设备的内部trustStore和我自己的trustStore以及我的证书(如果第一个trustStore返回异常,将使用这些证书)。