Warning: file_get_contents(/data/phpspider/zhask/data//catemap/9/java/362.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
SSL:让Java检查整个信任链_Java_Ssl_Https - Fatal编程技术网
Fatal编程技术网
  • java/
  • SSL:让Java检查整个信任链

SSL:让Java检查整个信任链

java ssl https

SSL:让Java检查整个信任链,java,ssl,https,Java,Ssl,Https,假设我正在使用此证书链通过https与客户端通信: acme root | +--- acme intermediate | +--- server cert 我已经创建了一个信任存储,在这里我使用导入了acme intermediate证书 keytool -import -alias intermediate-ca -file acme_intermediate.der -keystore /path/to/intermediate-cacert

假设我正在使用此证书链通过https与客户端通信:

acme root
  |
  +--- acme intermediate
         |
         +--- server cert
我已经创建了一个信任存储,在这里我使用导入了
acme intermediate
证书

keytool -import -alias intermediate-ca -file acme_intermediate.der -keystore /path/to/intermediate-cacerts
并启动虚拟机与

java -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/path/to/intermediate-cacerts ...
连接到服务器时,连接成功。我希望出现
javax.net.ssl.SSLHandshakeException
,其中
无法找到请求目标的有效证书路径
或类似路径,因为
acme root
证书未存储在我的
中间ca

当然,我已经检查了JVM是否通过
strace
检查了默认的系统信任库,但它没有:

$ strace -tt -f -etrace=open java -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStore=/path/to/intermediate-cacerts Program 2>&1 | grep -vE 'open\((.*\.(so|jar)|"/(proc|dev|etc/host|tmp|sys))'

22:31:21.103201 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/amd64/jvm.cfg", O_RDONLY) = 3
[pid 27619] 22:31:21.119299 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/endorsed", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
[pid 27619] 22:31:21.125422 open("/etc/nsswitch.conf", O_RDONLY) = 3
[pid 27619] 22:31:21.127423 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 27619] 22:31:21.141141 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/meta-index", O_RDONLY) = 3
[pid 27619] 22:31:21.540826 open("/usr/lib/locale/locale-archive", O_RDONLY) = 4
[pid 27619] 22:31:21.541576 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
[pid 27619] 22:31:21.542221 open("/etc/localtime", O_RDONLY) = 4
[pid 27619] 22:31:22.267438 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/ext/meta-index", O_RDONLY) = 4
[pid 27619] 22:31:22.318007 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/ext", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
[pid 27619] 22:31:22.462944 open("/usr/java/packages/lib/ext", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 27619] 22:31:22.604155 open("/home/me/Program.class", O_RDONLY) = 4
[pid 27619] 22:31:22.728273 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/security/java.security", O_RDONLY) = 4
[pid 27619] 22:31:24.048924 open("/usr/share/jbossas/standalone/data/intermediate-cacerts", O_RDONLY) = 9
[pid 27619] 22:31:24.462164 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/meta-index", O_RDONLY) = 10
[pid 27619] 22:31:24.626192 open("/etc/resolv.conf", O_RDONLY) = 11
[pid 27619] 22:31:25.523615 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/net.properties", O_RDONLY) = 12
[pid 27619] 22:31:26.168961 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
Successfully connected
当省略
-Djavax.net.ssl
选项时,我观察到系统信任库的
open()

[pid 27212] 10:54:53.699479 open("/usr/lib/jvm/java-1.7.0-oracle-1.7.0.51.x86_64/jre/lib/security/cacerts", O_RDONLY) = 9
使用以下代码片段创建连接:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(hostname, port);
互联网上的这篇文章和一些资源都说,无法在多个信任库中生成Java查找证书。他们说需要克隆系统信任库并导入所需的额外证书。听起来似乎有道理

  • 是否存在使Java检查整个信任链的配置选项
  • 如果没有,我应该手动实现什么来检查信任链
只要链中的任何证书都是可信的,握手就会成功。您不需要导入整个链,只需导入链的顶部元素。