使用javax.net.ssl.SSLPeerUnverifiedException的HTTPS的HTTP Get失败
在过去的几个月里,我一直在使用这个基础设施,它工作得很好。我曾经用https点击谷歌并得到结果。突然,我开始得到HTTPS URL的SSLPeerVerifiedException。我认为没有任何变化。有人能指出原因和解决办法吗 各种版本:使用javax.net.ssl.SSLPeerUnverifiedException的HTTPS的HTTP Get失败,java,ssl,httpclient,ssl-certificate,http-get,Java,Ssl,Httpclient,Ssl Certificate,Http Get,在过去的几个月里,我一直在使用这个基础设施,它工作得很好。我曾经用https点击谷歌并得到结果。突然,我开始得到HTTPS URL的SSLPeerVerifiedException。我认为没有任何变化。有人能指出原因和解决办法吗 各种版本: Apache-HttpComponents-HttpCore = 4.1; Apache-HttpComponents-HttpClient = 4.1.1; JDK = 1.6_64; 代码段: pu
Apache-HttpComponents-HttpCore = 4.1;
Apache-HttpComponents-HttpClient = 4.1.1;
JDK = 1.6_64;
代码段:
public void execute(HttpContext httpContext, HttpUriRequest request, HttpHost proxy,
Credentials proxyCredentials) throws IOException {
HttpClient httpClient = getHttpClient(proxy, proxyCredentials, true,
configuration.getHttpConnectionTimeout(), configuration.getHttpSocketTimeout());
httpClient.execute(request, httpContext);
}
/**
* Default constructor
*/
public HttpClientUtil() throws IOException {
/*
* A TrustManager which trusts every server certificates.
*/
TrustManager tm = new X509TrustManager() {
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException { }
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException { }
};
try {
SSLContext context = SSLContext.getInstance("TLS");
context.init(new KeyManager[0], new TrustManager[]{tm}, new SecureRandom());
connectionManager = new ThreadSafeClientConnManager();
connectionManager.setMaxTotal(Constant.HTTP_CONNECTION_POOL_MAX_TOTAL_CONNECTIONS);
connectionManager.setDefaultMaxPerRoute(Constant.HTTP_CONNECTION_POOL_DEFAULT_MAX_CONNECTIONS_PER_ROUTE);
connectionManager.getSchemeRegistry().register(new Scheme(Constant.PROTOCOL_HTTPS, Constant.HTTPS_DEFAULT_PORT, new SSLSocketFactory(context)));
} catch (Exception e) {
throw new IOException(e);
}
}
private HttpClient getHttpClient(HttpHost proxy, Credentials proxyCredentials,
boolean followRedirects, int connectionTimeout, int soTimeout) {
DefaultHttpClient client = new DefaultHttpClient(connectionManager);
client.addRequestInterceptor(requestAcceptEncoding);
client.addResponseInterceptor(httpResponseMaskInterceptor);
client.addResponseInterceptor(responseContentEncoding);
HttpParams params = client.getParams();
if (proxy != null) {
params.setParameter(ConnRoutePNames.DEFAULT_PROXY, proxy);
if (proxyCredentials != null) {
client.getCredentialsProvider().setCredentials(
new AuthScope(proxy.getHostName(), proxy.getPort()), proxyCredentials);
}
}
HttpProtocolParams.setUserAgent(params, configuration.getUserAgent());
HttpConnectionParams.setConnectionTimeout(params, connectionTimeout);
HttpConnectionParams.setSoTimeout(params, soTimeout);
HttpClientParams.setRedirecting(params, followRedirects);
if (followRedirects) {
client.setRedirectStrategy(redirectStrategy);
}
return client;
}
堆栈跟踪:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.createLayeredSocket(SSLSocketFactory.java:446)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.updateSecureConnection(DefaultClientConnectionOperator.java:200)
at org.apache.http.impl.conn.AbstractPoolEntry.layerProtocol(AbstractPoolEntry.java:277)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.layerProtocol(AbstractPooledConnAdapter.java:142)
at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:758)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:565)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
at com.amazon.mobius.httpproxy.util.HttpClientUtil.execute(HttpClientUtil.java:390)
at com.amazon.mobius.httpproxy.ec2.RequestExecutor.executeViaEC2(RequestExecutor.java:267)
... 45 more
任何帮助都将不胜感激
谢谢,像这样使用这种信任管理器是一个糟糕的主意(如果您试图连接的是谷歌的服务器,那么当然不需要了:它的CA证书可能在默认捆绑包中受信任)。我们应该使用哪种信任管理器?我们是否继续使用HTTP客户机()中的默认SSL?去掉与设置
SSLContext/SSLSocketFactory
有关的任何内容。让JSSE使用它自己的默认设置。我了解到建立隧道式SSL连接的所有低级细节都由HttpClient处理,我们可以直接进行HTTP调用。但是,我们也访问了谷歌以外的其他网站,我们不需要自定义SSL吗?需要明确的是,此信任管理器的问题在于它无法验证证书,从而使连接容易受到潜在中间人攻击。这就破坏了首先使用SSL的意义。