禁用不在Java中工作的弹性搜索Restclient的SSL验证

我正在尝试连接到承载在gcp框中的弹性搜索。要连接到这个，有一个SSL检查，我需要一个证书

然而，通过这些讨论，我们有可能关闭这种核查

我曾试图取消验证。但它有以下错误

javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at org.elasticsearch.client.RestClient$SyncResponseListener.get(RestClient.java:947)
    at org.elasticsearch.client.RestClient.performRequest(RestClient.java:229)
    at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1762)
    at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1732)
    at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1694)
    at org.elasticsearch.client.RestHighLevelClient.search(RestHighLevelClient.java:1090)
    at org.dexter.lab.elasticUtils.ESUtils.getLastIndexedTimeStamp(ESUtils.java:44)
    at org.dexter.lab.druidUtils.DruidDelayChecker.main(DruidDelayChecker.java:357)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
    ... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
    ... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 23 more

这就是我所做的：

我做了一个重写来验证函数并返回true。这样它就不会检查了。这就是代码

restClientBuilder.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
                @Override
                public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                    return httpClientBuilder.setSSLHostnameVerifier(new HostnameVerifier() {
                        public boolean verify(String s, SSLSession sslSession) {
                            return true;
                        }
                    });
                }
            });

我尝试了另一种方法，就像弹性线中提到的那样

restClientBuilder.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
                @Override
                public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                    return httpClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
                }
            });

我已经生成了一个自签名证书，并且它工作了。我启用了调试日志以了解为什么需要证书

以下是添加证书后的日志：

***
Found trusted certificate:
[
[
  Version: V3

接下来是有关证书的详细信息

问题是，我无法为生产环境生成自签名证书，并且即使在重写之后也会因不使用证书而出现异常

有没有可能的解决办法？非常感谢您的帮助

---

提前感谢

在您的示例中，您只禁用了主机名验证。服务器（ElasticSearch或ElasticSearch之上的东西）正在向您发送公钥/证书，并且您的Restclient在ssl握手期间尝试验证该公钥/证书。您需要做的是告诉您的RestClient，它可以从任何人那里接收证书，但是当它收到证书时，它不应该真正验证它。因此，您需要一个定制的trustmanager，它的任务是验证证书，但实际上它根本不进行验证。您需要的是一个，请参阅下面的代码片段以及RestClient的用法：

选项1

/**
*不安全的{@link UnsafeX509ExtendedTrustManager TrustManager}，信任所有X.509证书而不进行任何验证。
*
*注意：
*切勿在生产中使用此{@link UnsafeX509ExtendedTrustManager}。
*它纯粹用于测试目的，因此非常不安全。
*

*

*抑制警告：java:S4830-“在SSL/TLS连接期间应验证服务器证书”
*此TrustManager不验证证书，不应在生产中使用。
*它只是用于测试目的，而不是用于验证服务器证书。
*/
公共最终类UnsafeX509ExtendedTrustManager扩展X509ExtendedTrustManager{
私有静态最终记录器Logger=LoggerFactory.getLogger（UnsafeX509ExtendedTrustManager.class）；
私有静态最终X509ExtendedTrustManager实例=新的UnsafeX509ExtendedTrustManager（）；
private static final String CERTIFICATE_LOG_MESSAGE=“在不验证的情况下接受以下{}证书：{}”；
私有静态最终X509Certificate[]空_CERTIFICATES=新X509Certificate[0]；
私有UnsafeX509ExtendedTrustManager（）{}
公共静态X509ExtendedTrustManager getInstance（）{
返回实例；
}
@凌驾
public void checkClientTrusted（X509Certificate[]证书，字符串authType）{
日志证书（证书，“客户”）；
}
@凌驾
public void checkClientTrusted（X509Certificate[]证书，字符串authType，套接字）{
日志证书（证书，“客户”）；
}
@凌驾
public void checkClientTrusted（X509Certificate[]证书，字符串authType，SSLEngine SSLEngine）{
日志证书（证书，“客户”）；
}
@凌驾
public void checkServerTrusted（X509Certificate[]证书，字符串authType）{
日志证书（证书，“服务器”）；
}
@凌驾
public void checkServerTrusted（X509Certificate[]证书、字符串authType、套接字）{
日志证书（证书，“服务器”）；
}
@凌驾
public void checkServerTrusted（X509Certificate[]证书，字符串authType，SSLEngine SSLEngine）{
日志证书（证书，“服务器”）；
}
私有静态无效日志证书（X509Certificate[]证书，字符串服务器或客户端）{
字符串主体=提取主体（证书）；
LOGGER.warn（证书日志消息、服务器或客户端、主体）；
}
私有静态字符串提取主体（X509Certificate[]证书）{
返回数组.stream（证书）
.map（X509Certificate:：getSubjectX500Principal）
.map（主体：：toString）
.map（主体->字符串.format（“{%s}”，主体））
.collect（收集器.连接（“，”，“[”，“]））；
}
@凌驾
公共X509证书[]getAcceptedIssuers（）{
返回空的证书；
}
}

上面的日志记录语句完全不是必需的，但是如果您想查看trustmanager实际收到了哪个证书，则可以使用它

可以使用以下代码段将上述trustmanager提供给RestHighLevelClient：

SSLContext SSLContext=SSLContext.getInstance（“TLS”）；
init（null，新的信任管理器[]{UnsafeX509ExtendedTrustManager.INSTANCE}，null）；
RestClientBuilder RestClientBuilder=RestClient
.builder（新的HttpHost（“localhost”，9200，“https”））
.setHttpClientConfigCallback（httpClientBuilder->
httpClientBuilder.setSSLContext（sslContext）
.setSSLHostnameVerifier（（主机，会话）->true））；

顺便说一句，我不建议您或其他任何人使用UnsafeX509ExtendedTrustManager。它不安全，不应在生产中使用。

选项2

如果您不想将自定义代码添加到代码库中，而只想轻松禁用ssl验证，那么您可能希望尝试以下代码段。它是一个易于生成SSL的库

    @Bean
        public RestHighLevelClient createSimpleElasticClient() throws Exception {
            try {
                SSLContextBuilder sslBuilder = SSLContexts.custom()
                        .loadTrustMaterial(null, (x509Certificates, s) -> true);
                        final SSLContext sslContext = sslBuilder.build();
                RestHighLevelClient client = new RestHighLevelClient(RestClient
                        .builder(new HttpHost(hostNameOrLoadbalancerURL, 443, "https")) 
//port number is given as 443 since its https schema
                        .setHttpClientConfigCallback(new HttpClientConfigCallback() {
                            @Override
                            public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                                return httpClientBuilder
                                         .setSSLContext(sslContext)
                                         .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
                            }
                        })
                        .setRequestConfigCallback(new RestClientBuilder.RequestConfigCallback() {
                            @Override
                            public RequestConfig.Builder customizeRequestConfig(
                                    RequestConfig.Builder requestConfigBuilder) {
                                return requestConfigBuilder.setConnectTimeout(5000)
                                        .setSocketTimeout(120000);
                            }
                        }));
                System.out.println("elasticsearch client created");
                return client;
            } catch (Exception e) {
                System.out.println(e);
                throw new Exception("Could not create an elasticsearch client!!");
            }
        }