ゞ沉默是金ゞ

          魚離不開水,但是沒有說不離開哪滴水.
          posts - 98,comments - 104,trackbacks - 0

          I use Apache’s HttpClient library for all my URL related needs. It is a marvelous library that does most of the job behind the scenes. Compared the Java’s URL class, it is not as easy to use as Apache’s HttpClient. While using this library, a site that I commonly check for updates threw the exception message javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.

          When I checked the site, it seemed that its SSL certificated had expired. The only workaround for this is to create your own TrustManager. This class actually checks if the SSL certificate is valid. The scheme used by SSL is called X.509 and Java has a specific TrustManager for this scheme, called X509TrustManager.

          This handy method created by theskeleton is just the perfect solution to have your HttpClient object bypass any SSL related errors and ensures that it accepts all SSL certificates of a site, whether it is expired or not.


          public static HttpClient wrapClient(HttpClient base) {
              
          try {
                  SSLContext ctx 
          = SSLContext.getInstance("TLS");
                  X509TrustManager tm 
          = new X509TrustManager() {
                      
          public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
           
                      
          public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException { }
           
                      
          public X509Certificate[] getAcceptedIssuers() {
                          
          return null;
                      }
                  };
                  ctx.init(
          nullnew TrustManager[]{tm}, null);
                  SSLSocketFactory ssf 
          = new SSLSocketFactory(ctx);
                  ssf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
                  ClientConnectionManager ccm 
          = base.getConnectionManager();
                  SchemeRegistry sr 
          = ccm.getSchemeRegistry();
                  sr.register(
          new Scheme("https", ssf, 443));
                  
          return new DefaultHttpClient(ccm, base.getParams());
              } 
          catch (Exception ex) {
                  
          return null;
              }
          }

          Another way is to recreate the keystore, for the keystore you should have the site in the CN=XXX.
          the command as below:
          1. Create keystore
          keytool -genkey -dname "cn=daXXX.XXX.com,o=,c=" -storepass MB7BROKERpzn -keystore pznKeyStore.jks -alias pznsigned
          2. Export the cert
          keytool -export -keystore pznKeyStore.jks -alias pznsigned -file pznsslcert.cer
          3. Create trust store for client
          keytool -genkey -dname "cn=da957203.fmr.com,o=,c=" -storepass MB7BROKERpzn -keystore pznTrustStore.jks -alias pzntrustsigned
          4. import the server cert
          keytool -import -alias pzntrust -file pznsslcert.cer -keystore pznTrustStore.jks -storepass MB7BROKERpzn
          5. use http client to call the server
                  try {
                      KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());
                      FileInputStream instream = new FileInputStream(new File(trustfname));
                      try {
                          trustStore.load(instream, passphrase.toCharArray());
                      } finally {
                          try { instream.close(); } catch (Exception ignore) {}
                      }
                      SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
                      Scheme sch = new Scheme("https", 443, socketFactory);
                      httpclient.getConnectionManager().getSchemeRegistry().register(sch);
                  } catch (Exception e1) {
                      // TODO Auto-generated catch block
                      e1.printStackTrace();
                  }





          posted on 2012-08-14 18:42 ゞ沉默是金ゞ 閱讀(3660) 評論(2)  編輯  收藏 所屬分類: HTTP

          FeedBack:
          # re: How To Avoid javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Problem Using Apache HttpClient
          2012-10-03 23:53 | shigangxing
          Another way is to recreate the keystore...
          有兩個(gè)問題不清楚,呵呵:
          1,為什么要分開創(chuàng)建兩個(gè)keystore
          2,兩個(gè)cn的值貌似不同,都是網(wǎng)站的域名么  回復(fù)  更多評論
            
          # re: How To Avoid javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Problem Using Apache HttpClient
          2012-11-29 10:22 | dashi99
          @shigangxing
          There are two types of SSL connection:
          a. Server auth: The client needs to trust the server. The server presents a key to the client which the client must trust. This is known as 1 way or asymetric auth.
          b. Client auth: Both client and server need to trust each other. In addition to the server presenting its key to the client, here the client also presents a key to the server which the server must trust. This is also known as two way or symmetric auth.

            回復(fù)  更多評論
            
          主站蜘蛛池模板: 朝阳市| 贞丰县| 东城区| 饶平县| 彭州市| 东源县| 松潘县| 交城县| 新宁县| 吉林省| 汾阳市| 福鼎市| 凭祥市| 拜泉县| 平武县| 久治县| 察隅县| 涿鹿县| 南通市| 南江县| 象州县| 天长市| 宝山区| 临朐县| 故城县| 延川县| 西昌市| 周口市| 永胜县| 北安市| 平罗县| 淄博市| 凌海市| 安化县| 靖远县| 洪江市| 石嘴山市| 东乌珠穆沁旗| 台北市| 东兴市| 勐海县|