首頁(yè) 新隨筆新文章聯(lián)系聚合

posts - 98,comments - 104,trackbacks - 0

2012年8月

>

日

一

二

三

四

五

六

29

30

31

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

1

2

3

4

5

6

7

8

常用鏈接

留言簿(3)

隨筆分類(lèi)

隨筆檔案

文章分類(lèi)

文章檔案

搜索

閱讀排行榜

I use Apache’s HttpClient library for all my URL related needs. It is a marvelous library that does most of the job behind the scenes. Compared the Java’s URL class, it is not as easy to use as Apache’s HttpClient. While using this library, a site that I commonly check for updates threw the exception message javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.

When I checked the site, it seemed that its SSL certificated had expired. The only workaround for this is to create your own TrustManager. This class actually checks if the SSL certificate is valid. The scheme used by SSL is called X.509 and Java has a specific TrustManager for this scheme, called X509TrustManager.

This handy method created by theskeleton is just the perfect solution to have your HttpClient object bypass any SSL related errors and ensures that it accepts all SSL certificates of a site, whether it is expired or not.

public static HttpClient wrapClient(HttpClient base) {
    try {
        SSLContext ctx = SSLContext.getInstance("TLS");
        X509TrustManager tm = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { }

            public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException { }

            public X509Certificate[] getAcceptedIssuers() {
                return null;
            }
        };
        ctx.init(null, new TrustManager[]{tm}, null);
        SSLSocketFactory ssf = new SSLSocketFactory(ctx);
        ssf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        ClientConnectionManager ccm = base.getConnectionManager();
        SchemeRegistry sr = ccm.getSchemeRegistry();
        sr.register(new Scheme("https", ssf, 443));
        return new DefaultHttpClient(ccm, base.getParams());
    } catch (Exception ex) {
        return null;
    }
}

Another way is to recreate the keystore, for the keystore you should have the site in the CN=XXX.
the command as below:
1. Create keystore

keytool -genkey -dname "cn=daXXX.XXX.com,o=,c=" -storepass MB7BROKERpzn -keystore pznKeyStore.jks -alias pznsigned

2. Export the cert
keytool -export -keystore pznKeyStore.jks -alias pznsigned -file pznsslcert.cer
3. Create trust store for client
keytool -genkey -dname "cn=da957203.fmr.com,o=,c=" -storepass MB7BROKERpzn -keystore pznTrustStore.jks -alias pzntrustsigned
4. import the server cert
keytool -import -alias pzntrust -file pznsslcert.cer -keystore pznTrustStore.jks -storepass MB7BROKERpzn
5. use http client to call the server

        try {
           KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
           FileInputStream instream = new FileInputStream(new File(trustfname));
           try {
                trustStore.load(instream, passphrase.toCharArray());
           } finally {
                try { instream.close(); } catch (Exception ignore) {}
           }
           SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
           Scheme sch = new Scheme("https", 443, socketFactory);
           httpclient.getConnectionManager().getSchemeRegistry().register(sch);
       } catch (Exception e1) {
           // TODO Auto-generated catch block
           e1.printStackTrace();
       }

posted on 2012-08-14 18:42 ゞ沉默是金ゞ閱讀(3646) 評(píng)論(2) 編輯收藏所屬分類(lèi): HTTP

FeedBack:

# re: How To Avoid javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Problem Using Apache HttpClient

2012-10-03 23:53 | shigangxing

Another way is to recreate the keystore...
有兩個(gè)問(wèn)題不清楚，呵呵：
1,為什么要分開(kāi)創(chuàng)建兩個(gè)keystore
2,兩個(gè)cn的值貌似不同，都是網(wǎng)站的域名么回復(fù) 更多評(píng)論

# re: How To Avoid javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Problem Using Apache HttpClient

2012-11-29 10:22 | dashi99

@shigangxing
There are two types of SSL connection:
a. Server auth: The client needs to trust the server. The server presents a key to the client which the client must trust. This is known as 1 way or asymetric auth.
b. Client auth: Both client and server need to trust each other. In addition to the server presenting its key to the client, here the client also presents a key to the server which the server must trust. This is also known as two way or symmetric auth.

回復(fù) 更多評(píng)論

新用戶(hù)注冊(cè) 刷新評(píng)論列表


只有注冊(cè)用戶(hù)登錄后才能發(fā)表評(píng)論。




網(wǎng)站導(dǎo)航: 博客園 IT新聞 Chat2DB C++博客博問(wèn) 管理
相關(guān)文章: How To Avoid javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Problem Using Apache HttpClient How to Create Client/Server Keystores using Java Keytool IE下Ajax緩存問(wèn)題的解決辦法 RPC簡(jiǎn)介 Java獲取客戶(hù)端真實(shí)IP地址的兩種方法什么是RFC?