禁用不在Java中工作的弹性搜索Restclient的SSL验证
我正在尝试连接到承载在gcp框中的弹性搜索。要连接到这个,有一个SSL检查,我需要一个证书 然而,通过这些讨论,我们有可能关闭这种核查 我曾试图取消验证。但它有以下错误禁用不在Java中工作的弹性搜索Restclient的SSL验证,java,elasticsearch,ssl,certificate,ssl-certificate,Java,elasticsearch,Ssl,Certificate,Ssl Certificate,我正在尝试连接到承载在gcp框中的弹性搜索。要连接到这个,有一个SSL检查,我需要一个证书 然而,通过这些讨论,我们有可能关闭这种核查 我曾试图取消验证。但它有以下错误 javax.net.ssl.SSLHandshakeException: General SSLEngine problem at org.elasticsearch.client.RestClient$SyncResponseListener.get(RestClient.java:947) at org.
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at org.elasticsearch.client.RestClient$SyncResponseListener.get(RestClient.java:947)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:229)
at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1762)
at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1732)
at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1694)
at org.elasticsearch.client.RestHighLevelClient.search(RestHighLevelClient.java:1090)
at org.dexter.lab.elasticUtils.ESUtils.getLastIndexedTimeStamp(ESUtils.java:44)
at org.dexter.lab.druidUtils.DruidDelayChecker.main(DruidDelayChecker.java:357)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 23 more
这就是我所做的:
我做了一个重写来验证函数并返回true。这样它就不会检查了。这就是代码
restClientBuilder.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder.setSSLHostnameVerifier(new HostnameVerifier() {
public boolean verify(String s, SSLSession sslSession) {
return true;
}
});
}
});
我尝试了另一种方法,就像弹性线中提到的那样
restClientBuilder.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
}
});
我已经生成了一个自签名证书,并且它工作了。我启用了调试日志以了解为什么需要证书
以下是添加证书后的日志:
***
Found trusted certificate:
[
[
Version: V3
接下来是有关证书的详细信息
问题是,我无法为生产环境生成自签名证书,并且即使在重写之后也会因不使用证书而出现异常
有没有可能的解决办法?非常感谢您的帮助
提前感谢在您的示例中,您只禁用了主机名验证。服务器(ElasticSearch或ElasticSearch之上的东西)正在向您发送公钥/证书,并且您的Restclient在ssl握手期间尝试验证该公钥/证书。您需要做的是告诉您的RestClient,它可以从任何人那里接收证书,但是当它收到证书时,它不应该真正验证它。因此,您需要一个定制的trustmanager,它的任务是验证证书,但实际上它根本不进行验证。您需要的是一个,请参阅下面的代码片段以及RestClient的用法: 选项1
/**
*不安全的{@link UnsafeX509ExtendedTrustManager TrustManager},信任所有X.509证书而不进行任何验证。
*
*注意:
*切勿在生产中使用此{@link UnsafeX509ExtendedTrustManager}。
*它纯粹用于测试目的,因此非常不安全。
*
*
*抑制警告:java:S4830-“在SSL/TLS连接期间应验证服务器证书”
*此TrustManager不验证证书,不应在生产中使用。
*它只是用于测试目的,而不是用于验证服务器证书。
*/
公共最终类UnsafeX509ExtendedTrustManager扩展X509ExtendedTrustManager{
私有静态最终记录器Logger=LoggerFactory.getLogger(UnsafeX509ExtendedTrustManager.class);
私有静态最终X509ExtendedTrustManager实例=新的UnsafeX509ExtendedTrustManager();
private static final String CERTIFICATE_LOG_MESSAGE=“在不验证的情况下接受以下{}证书:{}”;
私有静态最终X509Certificate[]空_CERTIFICATES=新X509Certificate[0];
私有UnsafeX509ExtendedTrustManager(){}
公共静态X509ExtendedTrustManager getInstance(){
返回实例;
}
@凌驾
public void checkClientTrusted(X509Certificate[]证书,字符串authType){
日志证书(证书,“客户”);
}
@凌驾
public void checkClientTrusted(X509Certificate[]证书,字符串authType,套接字){
日志证书(证书,“客户”);
}
@凌驾
public void checkClientTrusted(X509Certificate[]证书,字符串authType,SSLEngine SSLEngine){
日志证书(证书,“客户”);
}
@凌驾
public void checkServerTrusted(X509Certificate[]证书,字符串authType){
日志证书(证书,“服务器”);
}
@凌驾
public void checkServerTrusted(X509Certificate[]证书、字符串authType、套接字){
日志证书(证书,“服务器”);
}
@凌驾
public void checkServerTrusted(X509Certificate[]证书,字符串authType,SSLEngine SSLEngine){
日志证书(证书,“服务器”);
}
私有静态无效日志证书(X509Certificate[]证书,字符串服务器或客户端){
字符串主体=提取主体(证书);
LOGGER.warn(证书日志消息、服务器或客户端、主体);
}
私有静态字符串提取主体(X509Certificate[]证书){
返回数组.stream(证书)
.map(X509Certificate::getSubjectX500Principal)
.map(主体::toString)
.map(主体->字符串.format(“{%s}”,主体))
.collect(收集器.连接(“,”,“[”,“]));
}
@凌驾
公共X509证书[]getAcceptedIssuers(){
返回空的证书;
}
}
上面的日志记录语句完全不是必需的,但是如果您想查看trustmanager实际收到了哪个证书,则可以使用它
可以使用以下代码段将上述trustmanager提供给RestHighLevelClient:
SSLContext SSLContext=SSLContext.getInstance(“TLS”);
init(null,新的信任管理器[]{UnsafeX509ExtendedTrustManager.INSTANCE},null);
RestClientBuilder RestClientBuilder=RestClient
.builder(新的HttpHost(“localhost”,9200,“https”))
.setHttpClientConfigCallback(httpClientBuilder->
httpClientBuilder.setSSLContext(sslContext)
.setSSLHostnameVerifier((主机,会话)->true));
顺便说一句,我不建议您或其他任何人使用UnsafeX509ExtendedTrustManager。它不安全,不应在生产中使用。
选项2
如果您不想将自定义代码添加到代码库中,而只想轻松禁用ssl验证,那么您可能希望尝试以下代码段。它是一个易于生成SSL的库
@Bean
public RestHighLevelClient createSimpleElasticClient() throws Exception {
try {
SSLContextBuilder sslBuilder = SSLContexts.custom()
.loadTrustMaterial(null, (x509Certificates, s) -> true);
final SSLContext sslContext = sslBuilder.build();
RestHighLevelClient client = new RestHighLevelClient(RestClient
.builder(new HttpHost(hostNameOrLoadbalancerURL, 443, "https"))
//port number is given as 443 since its https schema
.setHttpClientConfigCallback(new HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder
.setSSLContext(sslContext)
.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
}
})
.setRequestConfigCallback(new RestClientBuilder.RequestConfigCallback() {
@Override
public RequestConfig.Builder customizeRequestConfig(
RequestConfig.Builder requestConfigBuilder) {
return requestConfigBuilder.setConnectTimeout(5000)
.setSocketTimeout(120000);
}
}));
System.out.println("elasticsearch client created");
return client;
} catch (Exception e) {
System.out.println(e);
throw new Exception("Could not create an elasticsearch client!!");
}
}