无CA认证的Java ssl加密
我已经使用ApacheMina编写了android客户端。现在,我正在尝试将TLS支持添加到此客户端。但在客户端,我不想做服务器身份验证。我使用它只是为了加密。我应该如何做到这一点 我试过这样做无CA认证的Java ssl加密,java,android,ssl,handshake,apache-mina,Java,Android,Ssl,Handshake,Apache Mina,我已经使用ApacheMina编写了android客户端。现在,我正在尝试将TLS支持添加到此客户端。但在客户端,我不想做服务器身份验证。我使用它只是为了加密。我应该如何做到这一点 我试过这样做 SSLContext sc = null; SslFilter sslFilter; private void startTLS() { try { sc = SSLContext.getInstance("TLSv1"); sc.init(null, null,
SSLContext sc = null;
SslFilter sslFilter;
private void startTLS() {
try {
sc = SSLContext.getInstance("TLSv1");
sc.init(null, null, null);
sslFilter = new SslFilter(sc);
sslFilter.setUseClientMode(true);
session.getFilterChain().addFirst("mySSL", sslFilter);
} catch(Exception e) {
e.printStackTrace();
}
}
但当我点击这个方法时,连接就关闭了。有人知道这件事吗
另外sslFilter.getEnabledProtocols()&sslFilter.getenablediphersuites()
给出null
值
服务器处于扭曲状态。为了更清楚,您可以查看下面提到服务器机制的链接。
同样在MinaAPI中,有一个方法sslFilter.setNeedClientAuth(boolean)
,但我不确定它的应用(我认为它在服务器端很有用)
新代码:
@Override
public void messageReceived(IoSession session, Object msg) {
jsonParser(msg) //communication is in json
if (condition) {
startTLS();
}
}
SslFilter sslFilter;
public void startTLS(JSONObject msg) throws GeneralSecurityException{
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) { }
public void checkServerTrusted(X509Certificate[] certs, String authType) { }
}};
try {
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(null, trustAllCerts, null);
IoFilterChain chain = session.getFilterChain();
sslFilter = new SslFilter(sslContext);
sslFilter.setUseClientMode(true);
chain.addFirst("sslFilter", sslFilter);
} catch(Exception e){
e.printStackTrace();
}
}
追溯:
协商消息为:SESSION\u UNSECURED
跟踪跟踪如下:
02-05 12:50:20.365: W/System.err(994): Unexpected character (S) at position 0.
02-05 12:50:20.374: W/System.err(994): at org.json.simple.parser.Yylex.yylex(Yylex.java:610)
02-05 12:50:20.394: W/System.err(994): at org.json.simple.parser.JSONParser.nextToken(JSONParser.java:269)
02-05 12:50:20.394: W/System.err(994): at org.json.simple.parser.JSONParser.parse(JSONParser.java:118)
02-05 12:50:20.404: W/System.err(994): at org.json.simple.parser.JSONParser.parse(JSONParser.java:81)
02-05 12:50:20.444: W/System.err(994): at org.json.simple.parser.JSONParser.parse(JSONParser.java:75)
02-05 12:50:20.444: W/System.err(994): at network.com.parse(com.java:146)
02-05 12:50:20.444: W/System.err(994): at network.com.messageReceived(com.java:106)
02-05 12:50:20.474: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
02-05 12:50:20.474: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
02-05 12:50:20.474: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
02-05 12:50:20.474: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
02-05 12:50:20.487: W/System.err(994): at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:214)
02-05 12:50:20.494: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
02-05 12:50:20.494: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
02-05 12:50:20.514: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
02-05 12:50:20.514: W/System.err(994): at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:322)
02-05 12:50:20.524: W/System.err(994): at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:497)
02-05 12:50:20.524: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
02-05 12:50:20.524: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
02-05 12:50:20.524: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
02-05 12:50:20.556: W/System.err(994): at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
02-05 12:50:20.564: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
02-05 12:50:20.564: W/System.err(994): at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
02-05 12:50:20.574: W/System.err(994): at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
02-05 12:50:20.574: W/System.err(994): at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
02-05 12:50:20.604: W/System.err(994): at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
02-05 12:50:20.604: W/System.err(994): at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
02-05 12:50:20.604: W/System.err(994): at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
02-05 12:50:20.614: W/System.err(994): at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
02-05 12:50:20.614: W/System.err(994): at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1080)
02-05 12:50:20.614: W/System.err(994): at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:573)
02-05 12:50:20.625: W/System.err(994): at java.lang.Thread.run(Thread.java:841)
“不工作”不是可接受的问题描述。但是,如果没有至少一个对等方的身份验证,SSL是不安全的。见RFC 2246。如果你不知道你在以安全的方式与谁交谈,加密没有多大意义。当我看到一个问题说“它不起作用”,但没有解释它以何种方式不起作用时,我会投票关闭,因为9次中有9次“缺乏足够的信息来诊断问题”。“它不起作用”并没有给任何人一个检查问题的起点。解释您得到的结果以及它们与预期结果的差异,并包括您收到的任何错误消息。(很有诱惑力的回答是,“告诉它去dice.com看看招聘广告吧”。)这家伙要求的要么是:(1)没有服务器身份验证(即定制的
X509TrustManager
),要么(2)如何在密码套件中使用aNULL
。有人本可以问这个问题,而不是投他的反对票,然后结束这个问题。(如果你不知道我在说什么,那么你可能一开始就不应该参与进来)。如果要添加aNULL
密码套件,请参阅。您必须提前选择密码套件,并确保它们包含aNULL
。如果您想放弃服务器身份验证(即常规的X509检查),则添加自定义的X509TrustManager
,覆盖checkServerTrusted
,并始终接受调用期间获得的内容。在OWASP上查看Android示例,不要执行checkServerTrusted
中所示的操作。