About HTTPS
I recently had to implement HTTPS mutual authentication for a project and ran into quite a few things I was not familiar with, so I am writing them down here.
When a client makes an HTTPS request, the flow is as shown in the figure:
1. The client sends an HTTPS Hello message carrying the set of cipher suites (密钥算法套件, "Cipher" for short) it supports to the server.
2, 3. The server receives the message, compares the client's cipher suites with the ones it supports, picks one that both sides support, and sends its own certificate back to the client.
4, 5. The client validates the certificate. Once validation passes (or the user accepts an untrusted certificate), the client generates a random value to use as the key and encrypts it with the public key from the certificate (it is also signed with the previously agreed hash algorithm), then sends the encrypted data to the server.
- The server decrypts the data with its private key and obtains the key the client sent.
- All subsequent traffic is symmetrically encrypted with that key.
An error at any of these steps can produce: unable to find valid certification path to requested target
Debugging SSL network requests
First, let's analyse a normal SSL request. Before starting the test, add the JVM startup flag
-Djavax.net.debug=all or -Djavax.net.debug=ssl
then send an HTTPS request and analyse its debug log.
2019-02-27 13:39:02,699 [main] INFO com.xxx.xxx.configuration.Configuration - ==================== load properties configuration begin ====================
2019-02-27 13:39:02,702 [main] INFO com.xxx.xxx.configuration.Configuration - config the item [name=class,value=class com.xxx.xxx.configuration.Configuration]
2019-02-27 13:39:02,702 [main] INFO com.xxx.xxx.configuration.Configuration - ==================== load properties configuration end ====================
adding as trusted cert:
Subject: CN=appgateway.xxx.com.cn, OU=科技开发中心, O=XXXX股份有限公司, L=Beijing, ST=Beijing, C=CN, SERIALNUMBER=9111000010112001XW, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN
Issuer: CN=Symantec Class 3 EV SSL CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Algorithm: RSA; Serial number: 0x5a8962852801338bee7dad56ea2295f4
Valid from Fri Aug 04 08:00:00 CST 2017 until Mon Aug 05 07:59:59 CST 2019
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
…………
…………
trigger seeding of SecureRandom
done seeding SecureRandom
2019-02-27 13:39:03,296 [main] INFO com.xxx.xxx.util.SpringBeanUtils - SpringBeanUtils instance has be created
2019-02-27 13:39:03,298 [main] INFO com.xxx.xxx.util.SpringBeanUtils - Get applicationContext is ok, context id is org.springframework.context.support.GenericApplicationContext@4d15107f
2019-02-27 13:39:03,794 [main] INFO com.xxx.xxx.ext.impl.ScOpenCardServiceExtImp - sign source :132S 1301000000012019022700000014 20190227133903 车牌号检测 1301 130100000001 981301 川T88880 000000000000 1
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
……
……
%% No cached client session
### The client sends a Hello message to the server, telling it which cipher suites the client supports.
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1551245944 bytes = { 24, 75, 77, 113, 169, 126, 69, 96, 50, 175, 152, 126, 33, 24, 84, 60, 28, 38, 119, 98, 177, 167, 102, 244, 109, 43, 20, 84 }
Session ID: {}
### Supported cipher suites
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
[write] MD5 and SHA1 hashes: len = 161
0000: 01 00 00 9D 03 03 5C 76 22 78 18 4B 4D 71 A9 7E ......\v"x.KMq..
0010: 45 60 32 AF 98 7E 21 18 54 3C 1C 26 77 62 B1 A7 E`2...!.T<.&wb..
……
.
main, WRITE: TLSv1.2 Handshake, length = 161
[Raw write]: length = 166
0000: 16 03 03 00 A1 01 00 00 9D 03 03 5C 76 22 78 18 ...........\v"x.
0010: 4B 4D 71 A9 7E 45 60 32 AF 98 7E 21 18 54 3C 1C KMq..E`2...!.T<.
……
[Raw read]: length = 5
0000: 16 03 03 00 52 ....R
[Raw read]: length = 82
0000: 02 00 00 4E 03 03 5C 76 1F 62 78 2C 2C 24 9E 44 ...N..\v.bx,,$.D
0010: B6 D7 2A ED B1 63 D7 2C FB 74 4A 0A 8E 02 D2 D9 ..*..c.,.tJ.....
……
main, READ: TLSv1.2 Handshake, length = 82
### The server's reply to the client's hello
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1551245154 bytes = { 120, 44, 44, 36, 158, 68, 182, 215, 42, 237, 177, 99, 215, 44, 251, 116, 74, 10, 142, 2, 210, 217, 151, 109, 193, 60, 72, 230 }
Session ID: {16, 99, 46, 96, 144, 32, 226, 212, 102, 135, 107, 64, 154, 12, 167, 97, 63, 179, 194, 218, 195, 185, 217, 172, 208, 30, 27, 216, 138, 250, 225, 109}
### The cipher suite the server selected.
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension ec_point_formats, formats: [uncompressed]
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_GCM_SHA256]
** TLS_RSA_WITH_AES_128_GCM_SHA256
[read] MD5 and SHA1 hashes: len = 82
0000: 02 00 00 4E 03 03 5C 76 1F 62 78 2C 2C 24 9E 44 ...N..\v.bx,,$.D
0010: B6 D7 2A ED B1 63 D7 2C FB 74 4A 0A 8E 02 D2 D9 ..*..c.,.tJ.....
……
[Raw read]: length = 5
0000: 16 03 03 07 2A ....*
[Raw read]: length = 1834
0000: 0B 00 07 26 00 07 23 00 07 20 30 82 07 1C 30 82 ...&..#.. 0...0.
0010: 06 04 A0 03 02 01 02 02 10 5A 89 62 85 28 01 33 .........Z.b.(.3
……
main, READ: TLSv1.2 Handshake, length = 1834
### The server's own certificate, returned by the server.
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=appgateway.xxx.com.cn, OU=科技开发中心, O=XXXX股份有限公司, L=Beijing, ST=Beijing, C=CN, SERIALNUMBER=9111000010112001XW, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 23080700215634761319123560960556235026253206542610592101640272321439149926144696029632942437196330431812488906845966273392369622049027795517869825331130506054192600480674246576410753931256227681316778046333316578705198556247995247136829261420566514594828803371509553527289740789768132275587077331528734812885950955710535017621411146227873445410076143934862944428752807397841729714169544611013595829664673342853619864333774053669271999082330576354265436355986160512785260831259256161036283036555432773434851632109798185947587255214084178291568058704487313928300160873679588178589090996022242606555072350012601724203781
public exponent: 65537
Validity: [From: Fri Aug 04 08:00:00 CST 2017,
To: Mon Aug 05 07:59:59 CST 2019]
Issuer: CN=Symantec Class 3 EV SSL CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
SerialNumber: [ 5a896285 2801338b ee7dad56 ea2295f4]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B 01 69 00 76 00 DD EB 1D ...o...k.i.v....
0010: 2B 7A 0D 4F A6 20 8B 81 AD 81 68 70 7E 2E 8E 9D +z.O. ....hp....
……
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://sr.symcd.com
,
accessMethod: caIssuers
accessLocation: URIName: http://sr.symcb.com/sr.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 01 59 AB E7 DD 3A 0B 59 A6 64 63 D6 CF 20 07 57 .Y...:.Y.dc.. .W
0010: D5 91 E7 6A ...j
]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://sr.symcb.com/sr.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.6]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 6D 63 ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70 73 b.com/cps
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 19 0C 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F 72 70 61 mcb.com/rpa
]] ]
[CertificatePolicyId: [2.23.140.1.1]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: appgateway.xxx.com.cn
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 17 79 E4 BD A0 6C B4 23 1C D7 E8 DF AE 67 FF 2A .y...l.#.....g.*
……
]
***
### This shows that a trusted certificate was found locally (in the client's trust store)
Found trusted certificate:
[
[
Version: V3
Subject: CN=appgateway.xxx.com.cn, OU=科技开发中心, O=XXXX股份有限公司, L=Beijing, ST=Beijing, C=CN, SERIALNUMBER=XX12001XW, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 23080700215634761319123560960556235026253206542610592101640272321439149926144696029632942437196330431812488906845966273392369622049027795517869825331130506054192600480674246576410753931256227681316778046333316578705198556247995247136829261420566514594828803371509553527289740789768132275587077331528734812885950955710535017621411146227873445410076143934862944428752807397841729714169544611013595829664673342853619864333774053669271999082330576354265436355986160512785260831259256161036283036555432773434851632109798185947587255214084178291568058704487313928300160873679588178589090996022242606555072350012601724203781
public exponent: 65537
Validity: [From: Fri Aug 04 08:00:00 CST 2017,
To: Mon Aug 05 07:59:59 CST 2019]
Issuer: CN=Symantec Class 3 EV SSL CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
SerialNumber: [ 5a896285 2801338b ee7dad56 ea2295f4]
Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B 01 69 00 76 00 DD EB 1D ...o...k.i.v....
……
[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://sr.symcd.com
,
accessMethod: caIssuers
accessLocation: URIName: http://sr.symcb.com/sr.crt
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 01 59 AB E7 DD 3A 0B 59 A6 64 63 D6 CF 20 07 57 .Y...:.Y.dc.. .W
0010: D5 91 E7 6A ...j
]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://sr.symcb.com/sr.crl]
]]
[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.6]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 6D 63 ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70 73 b.com/cps
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 19 0C 17 68 74 74 70 73 3A 2F 2F 64 2E 73 79 0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F 72 70 61 mcb.com/rpa
]] ]
[CertificatePolicyId: [2.23.140.1.1]
[] ]
]
[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: appgateway.xxx.com.cn
]
]
### The signature produced with the hash algorithm
Algorithm: [SHA256withRSA]
Signature:
0000: 17 79 E4 BD A0 6C B4 23 1C D7 E8 DF AE 67 FF 2A .y...l.#.....g.*
0010: E3 D3 D8 09 90 E6 2E DD 43 2B B6 B1 A2 B1 F2 02 ........C+......
……
]
[read] MD5 and SHA1 hashes: len = 1834
0000: 0B 00 07 26 00 07 23 00 07 20 30 82 07 1C 30 82 ...&..#.. 0...0.
0010: 06 04 A0 03 02 01 02 02 10 5A 89 62 85 28 01 33 .........Z.b.(.3
……
[Raw read]: length = 5
0000: 16 03 03 00 04 .....
[Raw read]: length = 4
0000: 0E 00 00 00 ....
main, READ: TLSv1.2 Handshake, length = 4
### HELLODone
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
[write] MD5 and SHA1 hashes: len = 262
0000: 10 00 01 02 01 00 20 E1 00 CD 0E 53 79 FB 5A 05 ...... ....Sy.Z.
0010: DF 50 24 0F F9 CD 57 04 4E 56 0B D0 BA 16 35 D1 .P$...W.NV....5.
……
main, WRITE: TLSv1.2 Handshake, length = 262
[Raw write]: length = 267
0000: 16 03 03 01 06 10 00 01 02 01 00 20 E1 00 CD 0E ........... ....
0010: 53 79 FB 5A 05 DF 50 24 0F F9 CD 57 04 4E 56 0B Sy.Z..P$...W.NV.
……
SESSION KEYGEN:
PreMaster Secret:
0000: 03 03 7B 02 1A C6 D3 55 1B 7A 3F 72 FE CC DC C9 .......U.z?r....
0010: 25 46 C2 FC 46 49 FE 3B 90 61 07 27 14 99 F3 CB %F..FI.;.a.'....
CONNECTION KEYGEN:
Client Nonce:
0000: 5C 76 22 78 18 4B 4D 71 A9 7E 45 60 32 AF 98 7E \v"x.KMq..E`2...
Server Nonce:
0000: 5C 76 1F 62 78 2C 2C 24 9E 44 B6 D7 2A ED B1 63 \v.bx,,$.D..*..c
Master Secret:
0000: 05 24 C8 16 61 BE 39 8E 89 64 34 34 5E 58 2E 1E .$..a.9..d44^X..
... no MAC keys used for this cipher
Client write key:
0000: D8 DC 19 45 8E 17 4D 7F B0 EA 3D BD 79 A0 E1 09 ...E..M...=.y...
Server write key:
0000: D1 52 6A 14 67 B1 BA BE 64 5F F6 86 9D 4D A1 10 .Rj.g...d_...M..
Client write IV:
0000: DA 4E 2A 17 .N*.
Server write IV:
0000: 14 88 33 80 ..3.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 03 00 01 01 ......
*** Finished
verify_data: { 71, 204, 171, 236, 126, 197, 251, 137, 8, 239, 0, 217 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C 47 CC AB EC 7E C5 FB 89 08 EF 00 D9 ....G...........
Padded plaintext before ENCRYPTION: len = 16
0000: 14 00 00 0C 47 CC AB EC 7E C5 FB 89 08 EF 00 D9 ....G...........
main, WRITE: TLSv1.2 Handshake, length = 40
[Raw write]: length = 45
0000: 16 03 03 00 28 00 00 00 00 00 00 00 00 46 14 2C ....(........F.,
0010: 16 75 2A 72 74 F7 D4 E9 4C F9 9D 5A 16 95 04 A4 .u*rt...L..Z....
0020: 2A 76 6B 9B B9 B7 D3 F4 05 7A 66 9A 72 *vk......zf.r
[Raw read]: length = 5
0000: 14 03 03 00 01 .....
[Raw read]: length = 1
0000: 01 .
main, READ: TLSv1.2 Change Cipher Spec, length = 1
[Raw read]: length = 5
0000: 16 03 03 00 28 ....(
[Raw read]: length = 40
0000: 10 9D 6A D9 F8 9D 5E 5D 08 43 0D 7E DB 41 17 EE ..j...^].C...A..
0010: E6 CD 9B 07 1A 0F BF 50 E0 1E 0B 47 29 DE B3 60 .......P...G)..`
0020: EE 5A 86 4A DB 05 04 F4 .Z.J....
main, READ: TLSv1.2 Handshake, length = 40
Padded plaintext after DECRYPTION: len = 16
0000: 14 00 00 0C A2 D9 3E 0F 47 AC BF 4A 64 C3 56 7A ......>.G..Jd.Vz
###
*** Finished
verify_data: { 162, 217, 62, 15, 71, 172, 191, 74, 100, 195, 86, 122 }
***
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_GCM_SHA256]
[read] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C A2 D9 3E 0F 47 AC BF 4A 64 C3 56 7A ......>.G..Jd.Vz
main, setSoTimeout(60000) called
2019-02-27 13:39:04,300 [main] INFO com.xxx.xxx.util.ScVerifyHostName - hostname = [223.71.195.74],session = [223.71.195.74]
### Application data starts here. Below is the plaintext before encryption
Padded plaintext before ENCRYPTION: len = 836
0000: 50 4F 53 54 20 2F 54 68 69 72 64 50 61 72 74 79 POST /ThirdParty
0010: 53 65 72 76 65 69 63 65 49 6E 54 58 20 48 54 54 ServeiceInTX HTT
0020: 50 2F 31 2E 31 0D 0A 43 6F 6E 74 65 6E 74 2D 54 P/1.1..Content-T
0030: 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 3B 63 68 ype: text/xml;ch
0040: 61 72 73 65 74 3D 47 42 4B 0D 0A 43 6F 6E 74 65 arset=GBK..Conte
0050: 6E 74 2D 4C 65 6E 67 74 68 3A 20 35 38 31 0D 0A nt-Length: 581..
0060: 43 6F 6E 74 65 6E 74 2D 45 6E 63 6F 64 69 6E 67 Content-Encoding
0070: 3A 20 47 42 4B 0D 0A 48 6F 73 74 3A 20 32 32 33 : GBK..Host: 223
0080: 2E 37 31 2E 31 39 35 2E 37 34 3A 31 30 32 36 39 .71.195.74:10269
0090: 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 ..Connection: Ke
00A0: 65 70 2D 41 6C 69 76 65 0D 0A 55 73 65 72 2D 41 ep-Alive..User-A
00B0: 67 65 6E 74 3A 20 41 70 61 63 68 65 2D 48 74 74 gent: Apache-Htt
00C0: 70 43 6C 69 65 6E 74 2F 34 2E 35 20 28 4A 61 76 pClient/4.5 (Jav
00D0: 61 2F 31 2E 38 2E 30 5F 31 32 31 29 0D 0A 41 63 a/1.8.0_121)..Ac
00E0: 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 cept-Encoding: g
00F0: 7A 69 70 2C 64 65 66 6C 61 74 65 0D 0A 0D 0A 3C zip,deflate....<
0100: 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E ?xml version="1.
0110: 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 67 62 6B 0" encoding="gbk
0120: 22 3F 3E 3C 41 67 77 3E 3C 48 65 61 64 3E 3C 74 "?>132S 13010000000
0160: 31 32 30 31 39 30 32 32 37 30 30 30 30 30 30 31 1201902270000001
0170: 34 3C 2F 72 65 71 53 65 72 69 61 4E 6F 3E 3C 74 42019022
0190: 37 31 33 33 39 30 33 3C 2F 74 72 61 64 65 54 69 7133903..........<
01C0: 2F 74 72 61 64 65 44 65 73 63 72 69 70 74 69 6F /tradeDescriptio
01D0: 6E 3E 3C 66 68 55 6E 69 63 6F 64 65 3E 31 33 30 n>130
01E0: 31 3C 2F 66 68 55 6E 69 63 6F 64 65 3E 3C 70 6C 1 13010
0200: 30 30 30 30 30 30 31 3C 2F 70 6C 61 74 66 6F 72 0000001b31B
0220: 49 2F 6C 61 64 47 68 4E 36 52 65 79 30 6B 6A 48 I/ladGhN6Rey0kjH
0230: 6C 55 68 4A 75 63 30 78 5A 6D 34 45 68 57 67 56 lUhJuc0xZm4EhWgV
0240: 43 58 31 75 59 44 6A 32 2B 5A 68 57 77 6C 46 2F CX1uYDj2+ZhWwlF/
0250: 64 45 7A 70 37 7A 67 57 65 64 45 5A 36 6D 6B 4D dEzp7zgWedEZ6mkM
0260: 70 68 6E 47 37 32 49 32 66 4C 62 6A 76 67 41 4C phnG72I2fLbjvgAL
0270: 62 6E 52 69 36 50 41 33 71 6A 67 4B 6B 45 30 79 bnRi6PA3qjgKkE0y
0280: 6F 7A 4B 32 76 30 57 6C 66 74 70 6F 6B 55 2F 37 ozK2v0WlftpokU/7
0290: 6F 49 77 2B 47 77 6A 35 73 75 34 5A 4F 38 48 63 oIw+Gwj5su4ZO8Hc
02A0: 6B 76 72 31 62 5A 38 31 76 49 64 30 31 54 57 63 kvr1bZ81vId01TWc
02B0: 69 6E 43 34 36 51 77 33 55 78 74 66 6F 55 53 4A inC46Qw3UxtfoUSJ
02C0: 2F 50 56 6C 4C 33 77 3D 3C 2F 73 69 67 6E 3E 3C /PVlL3w= <
02D0: 2F 48 65 61 64 3E 3C 42 6F 64 79 3E 3C 70 6F 73 /Head>981301..T88880
0300: 76 6C 70 3E 3C 74 65 72 6D 69 6E 61 6C 69 64 3E vlp>
0310: 30 30 30 30 30 30 30 30 30 30 30 30 3C 2F 74 65 0000000000001
0330: 3C 2F 76 6C 70 63 3E 3C 2F 42 6F 64 79 3E 3C 2F
0340: 41 67 77 3E Agw>
main, WRITE: TLSv1.2 Application Data, length = 860
### Below is the ciphertext after encryption with the negotiated key
[Raw write]: length = 865
0000: 17 03 03 03 5C 00 00 00 00 00 00 00 01 13 A5 8C ....\...........
0010: 7E 8E 99 84 25 DC C7 3D 74 B6 79 65 D8 BC DB D9 ....%..=t.ye....
0020: F1 98 3B 7E F3 EF 8E B6 74 E3 2B 6A 42 1C A4 9B ..;.....t.+jB...
0030: 11 B9 47 2B 27 9C 2E 74 24 99 C5 FD BF 73 42 43 ..G+'..t$....sBC
0040: 7A 81 3D E0 D9 45 9C 55 52 CE AC 13 2B CF 1C 8B z.=..E.UR...+...
0050: F0 32 D3 8F 4E 33 19 BD DB E4 0B 80 30 5E F4 43 .2..N3......0^.C
0060: 6B F5 F2 29 DA 8A 72 50 0B 03 58 9A 2D 86 0E 15 k..)..rP..X.-...
0070: FB 60 08 7F 66 9E C6 0A 7E 35 2D DA E9 94 43 AD .`..f....5-...C.
0080: FB 76 93 B5 27 A9 E3 24 3A 44 80 BB 43 19 BC FD .v..'..$:D..C...
0090: 91 03 80 4E 0A D3 E6 EE D9 8A 24 6C A0 4C 93 6D ...N......$l.L.m
00A0: 89 06 29 FC 51 C7 4A 2B 41 C5 E0 FA 03 0B D7 9B ..).Q.J+A.......
00B0: 94 A0 AD 55 FB F3 60 F4 05 6F 27 32 22 E6 AB 1A ...U..`..o'2"...
00C0: C2 DD 32 86 B4 81 32 04 5E E6 C7 47 85 83 6E 83 ..2...2.^..G..n.
00D0: 82 59 90 C3 87 01 1A 31 52 E6 72 72 C8 90 3E 76 .Y.....1R.rr..>v
00E0: 9F 97 9D 49 40 74 3D A4 5C 60 31 CB 7A 1E 47 3B ...I@t=.\`1.z.G;
00F0: F0 2E D5 04 A0 1C 3E DE 87 74 48 B7 B3 52 C3 84 ......>..tH..R..
0100: EC A2 86 73 09 2F 2F A9 94 30 8C A4 A1 38 7A A5 ...s.//..0...8z.
0110: 07 D7 C7 D5 11 4C 70 3B 02 4A 47 92 31 BB E9 19 .....Lp;.JG.1...
0120: 57 0F CC 7C 3E E6 F0 F8 C9 4B CD 99 D2 4A 08 9D W...>....K...J..
0130: 18 4A 85 D6 47 71 99 A6 E9 44 C9 45 37 9B AB 69 .J..Gq...D.E7..i
0140: 21 61 A3 A2 26 17 A7 F2 92 5C 52 27 56 39 6F 3A !a..&....\R'V9o:
0150: 88 A9 3D 07 57 B1 68 30 A5 82 13 23 F9 CB 73 9D ..=.W.h0...#..s.
0160: 6A CF 1D 83 9A F9 B3 9E 23 5C F5 0E B6 B3 6B F8 j.......#\....k.
0170: CA A5 63 3D A3 CB 79 1D A7 30 02 08 F8 0F E3 6E ..c=..y..0.....n
0180: 70 78 F0 D5 88 6C 45 09 D0 33 8C 26 78 21 35 9D px...lE..3.&x!5.
0190: 8A FC A3 D5 6F FA F6 59 31 49 52 7E C2 73 4F 4D ....o..Y1IR..sOM
01A0: 06 4D B0 7F D7 CB 28 DA 8A 91 3F 69 1E 04 92 51 .M....(...?i...Q
01B0: 07 B6 A6 08 62 D8 B7 26 33 37 C5 C5 6A B1 53 7A ....b..&37..j.Sz
01C0: 57 48 32 2E 00 70 96 DE BB 5C FA 02 42 E4 47 AE WH2..p...\..B.G.
01D0: BE 0F 65 C3 C6 59 AB 76 B7 22 43 92 4F 5B 14 52 ..e..Y.v."C.O[.R
01E0: B3 D4 D8 97 4A C9 E6 BC 6B 66 53 37 D9 5A B3 C6 ....J...kfS7.Z..
01F0: AA 4A 8B CD 49 3B 9A FD 99 49 28 B8 C2 ED B5 4C .J..I;...I(....L
0200: 38 B5 4B 7D BA B7 59 59 A9 89 BA 51 79 22 29 4A 8.K...YY...Qy")J
0210: B4 C0 4C 50 B8 A6 4B 30 93 4C 5B 3D 6F 39 C1 D6 ..LP..K0.L[=o9..
0220: C1 FE 45 3B 89 9E 34 CE E6 7E 85 61 6B 93 86 8E ..E;..4....ak...
0230: 5F E5 22 3D 8F B3 33 B4 71 45 BB 48 6D 14 EB C7 _."=..3.qE.Hm...
0240: 2A 7E 72 80 F7 94 1B 86 00 B8 F2 7C CF 02 AC F0 *.r.............
0250: F8 98 95 0B 25 81 11 C8 21 B3 3A 2B B0 AF 78 A7 ....%...!.:+..x.
0260: 2F 77 33 37 88 A9 CF D2 46 F2 F2 DB 19 3E 1B AB /w37....F....>..
0270: D7 AF 7D 43 E7 71 1F 39 25 CD 64 A6 8E 29 B8 07 ...C.q.9%.d..)..
0280: 05 40 9E EB 42 6A 58 F6 D1 32 81 A1 9E 51 CE 85 [email protected]..
0290: E8 16 26 1A 73 6E 02 05 2B EA 5D D1 A2 62 87 04 ..&.sn..+.]..b..
02A0: E6 37 A9 26 E6 93 42 06 B6 CE 40 93 BE 65 78 8C [email protected].
02B0: EC 08 40 18 3F 6A 98 95 CC 1F 49 95 17 DC 75 E2 ..@.?j....I...u.
02C0: 01 6A 05 F4 69 D0 03 41 15 6B 74 B6 97 14 23 04 .j..i..A.kt...#.
02D0: AC 89 C0 06 0B 85 DA 96 18 E1 29 B1 2E 34 84 5A ..........)..4.Z
02E0: B7 EF 31 73 7A 07 3F DA F5 32 24 8D 4D E0 DF 92 ..1sz.?..2$.M...
02F0: 8E D1 E6 3A 50 BC EF 41 32 19 B3 A7 CF 4F 42 81 ...:P..A2....OB.
0300: D8 47 36 B8 FE 26 5D FB AE C0 43 B0 CF C6 93 40 .G6..&]...C....@
0310: D5 D2 36 56 8D 93 BA CB 3A 80 0B 33 E0 4D AC 20 ..6V....:..3.M.
0320: B0 54 C8 0F FF EA D8 8E 6D A3 9D 55 59 F4 B0 E8 .T......m..UY...
0330: 95 92 6A D1 DD 70 E9 6F 1E BE DA 97 8F 15 57 24 ..j..p.o......W$
0340: 05 B7 FF A2 BE DE 0E 9D D7 AF 9F C6 0F 2C B1 43 .............,.C
0350: 15 46 30 F0 7E 3D CD B3 7C 66 CC 59 55 F4 2C 85 .F0..=...f.YU.,.
0360: 6E n
[Raw read]: length = 5
0000: 17 03 03 00 C8 .....
[Raw read]: length = 200
0000: 10 9D 6A D9 F8 9D 5E 5E AC 14 A1 E8 A4 51 A4 88 ..j...^^.....Q..
0010: 8C 33 5A D6 37 A0 97 FD 22 9E A0 D2 7E 4D F8 41 .3Z.7..."....M.A
0020: 3D 7D 0A D9 58 67 63 DE BB 43 72 DA 7C 63 F0 79 =...Xgc..Cr..c.y
0030: 4C 3C B1 23 75 9D D9 36 28 65 D8 66 FC 1F A4 A5 L<.#u..6(e.f....
0040: 37 DA AF 75 8A 41 24 4C 40 41 0D 45 6E 3C 6A 2C [email protected]E......_
0080: 96 0F C6 F1 B7 E3 2F 58 1C C0 6B 0B F5 90 CE 5D ....../X..k....]
0090: 3A B6 F4 2D 93 52 75 1E 92 D2 1F C2 B8 7A 14 2B :..-.Ru......z.+
00A0: 3E C0 B6 5E 8D 00 15 5B DC 13 F2 E2 2E 86 76 1E >..^...[......v.
00B0: 39 BE FD 4A 64 0D 09 07 2F F4 5A FB 04 D7 77 64 9..Jd.../.Z...wd
00C0: 19 C4 77 09 40 AF D5 C0 ..w.@...
main, READ: TLSv1.2 Application Data, length = 200
Padded plaintext after DECRYPTION: len = 176
0000: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
0010: 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 .Content-Type: t
0020: 65 78 74 2F 78 6D 6C 3B 63 68 61 72 73 65 74 3D ext/xml;charset=
0030: 47 42 4B 0D 0A 44 61 74 65 3A 20 57 65 64 2C 20 GBK..Date: Wed,
0040: 32 37 20 46 65 62 20 32 30 31 39 20 30 35 3A 33 27 Feb 2019 05:3
0050: 35 3A 30 35 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E 5:05 GMT..Conten
0060: 74 2D 4C 65 6E 67 74 68 3A 20 35 30 35 0D 0A 43 t-Length: 505..C
0070: 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D onnection: Keep-
0080: 61 6C 69 76 65 0D 0A 56 69 61 3A 20 31 2E 31 20 alive..Via: 1.1
0090: 49 44 2D 30 33 31 34 32 31 37 32 37 30 36 31 32 ID-0314217270612
00A0: 31 31 30 20 75 70 72 6F 78 79 2D 33 0D 0A 0D 0A 110 uproxy-3....
[Raw read]: length = 5
0000: 17 03 03 02 11 .....
### Received ciphertext
[Raw read]: length = 529
0000: 10 9D 6A D9 F8 9D 5E 5F 92 9C CF F2 7F EC D9 65 ..j...^_.......e
0010: 8B ED AF 2F A8 4C D9 72 84 26 D1 AF BD 58 51 C9 .../.L.r.&...XQ.
0020: C1 24 3E 34 23 00 8D 30 01 1C A6 97 DB A4 76 62 .$>4#..0......vb
0030: 92 0E 48 3B 34 E4 C6 33 2D 93 7F 79 C8 0F EC A6 ..H;4..3-..y....
0040: A9 2F 38 02 A2 16 05 FC 15 D0 3F 68 71 B0 84 DD ./8.......?hq...
0050: 59 20 05 B5 FA 45 E3 13 12 92 E4 31 71 89 09 D6 Y ...E.....1q...
0060: 09 03 37 76 E4 38 0C E1 57 C6 FA 54 49 2B 7F 14 ..7v.8..W..TI+..
0070: C2 17 BD 91 7F 0F 29 51 70 10 29 13 87 7F 0B D3 ......)Qp.).....
0080: FB 7B B1 F5 D0 A3 9B 7D 59 BA 91 AB 5D 65 10 5C ........Y...]e.\
0090: B8 3E 19 88 23 3C 31 68 29 1F A0 A6 59 1E 70 C2 .>..#<1h)...Y.p.
00A0: 71 35 5B 42 15 3A 51 41 10 34 C6 2B 88 0C 9E 07 q5[B.:QA.4.+....
00B0: AF B4 5A 86 DA 21 B3 EB 4B 54 96 2E 0F 13 BC E2 ..Z..!..KT......
00C0: A7 8A 6F D9 91 D0 2A 91 5E 4B CD 2C FF 5E C6 AE ..o...*.^K.,.^..
00D0: 6E 39 BA 90 96 7B 5B C3 53 82 06 73 1E 62 08 52 n9....[.S..s.b.R
00E0: 4E 8F 67 D6 54 02 0A 3A 83 F9 23 62 EB 2D 62 80 N.g.T..:..#b.-b.
00F0: 4D 2C 12 93 60 80 23 D0 11 BF 46 98 E1 48 3A 7F M,..`.#...F..H:.
0100: 43 33 9C 42 B3 93 4E 6A 0E A5 CC C5 28 79 8E 08 C3.B..Nj....(y..
0110: DC CD 88 C0 B9 4F 22 A5 AC AB B0 06 F6 BA 19 49 .....O"........I
0120: 40 A3 B0 1C BB C8 27 18 32 59 04 6A CE 1D 95 CE @.....'.2Y.j....
0130: 4C CB 7A FF 98 58 D1 C2 51 99 93 A4 03 02 AF D5 L.z..X..Q.......
0140: 8F 65 4C 5B 8D 90 16 7B 77 49 EB 02 90 47 22 57 .eL[....wI...G"W
0150: 81 B3 65 49 38 8C CD 19 80 E1 BF BB 13 28 18 9E ..eI8........(..
0160: 07 61 63 82 2C 76 4E 4E 43 E0 4F 72 BF 2A D8 AE .ac.,vNNC.Or.*..
0170: 3A 59 AA A7 BA 4A 22 2A A5 44 0E 95 F7 27 1E 61 :Y...J"*.D...'.a
0180: 45 68 A1 26 E3 73 94 BD C9 72 D2 32 6F 5B 26 5D Eh.&.s...r.2o[&]
0190: 07 92 E0 58 DE 71 48 23 0D E1 59 71 AB 36 35 F5 ...X.qH#..Yq.65.
01A0: 82 82 02 4B E7 21 12 81 3C 70 2A D3 70 70 33 00 ...K.!..<
0030: 72 65 71 53 65 72 69 61 4E 6F 3E 31 33 30 31 30 reqSeriaNo>13010
0040: 30 30 30 30 30 30 31 32 30 31 39 30 32 32 37 30 0000001201902270
0050: 30 30 30 30 30 31 34 3C 2F 72 65 71 53 65 72 69 00000142
0070: 30 31 39 30 32 32 37 31 33 33 39 30 33 3C 2F 74 0190227133903
000000通
00C0: 61 66 3B 26 23 78 36 32 31 30 3B 26 23 78 35 32 af;成R
00D0: 39 66 3B 3C 2F 72 65 74 75 72 6E 4D 73 67 3E 3C 9f;<
00E0: 73 69 67 6E 3E 54 50 51 61 45 72 6F 73 72 64 69 sign>TPQaErosrdi
00F0: 34 75 35 4C 71 46 51 6E 74 4C 6C 4B 51 59 4C 68 4u5LqFQntLlKQYLh
0100: 7A 35 6B 71 63 53 74 75 4B 37 68 37 74 68 65 70 z5kqcStuK7h7thep
0110: 6F 79 74 65 49 4D 6D 6C 32 30 55 36 35 31 2B 44 oyteIMml20U651+D
0120: 57 79 6B 30 4F 36 4D 46 53 56 51 45 65 74 63 2F Wyk0O6MFSVQEetc/
0130: 73 7A 79 49 71 52 73 63 73 78 33 34 61 50 4A 48 szyIqRscsx34aPJH
0140: 37 68 6B 43 39 39 2B 5A 31 4C 2F 2B 79 78 52 43 7hkC99+Z1L/+yxRC
0150: 75 68 54 37 52 76 43 35 65 44 31 6E 2F 47 37 6C uhT7RvC5eD1n/G7l
0160: 48 63 42 69 42 6E 65 44 37 46 70 48 41 50 33 56 HcBiBneD7FpHAP3V
0170: 37 6E 71 37 51 65 6B 64 62 46 31 56 4A 71 51 78 7nq7QekdbF1VJqQx
0180: 2B 69 75 57 6F 4E 30 4C 2F 68 37 7A 45 64 76 4D +iuWoN0L/h7zEdvM
0190: 3D 3C 2F 73 69 67 6E 3E 3C 2F 48 65 61 64 3E 3C =<
01A0: 42 6F 64 79 3E 3C 63 6F 64 65 3E 31 3C 2F 63 6F Body>1无
01C0: 26 23 78 36 62 36 34 3B 26 23 78 38 66 36 36 3B 此车
01D0: 26 23 78 37 32 34 63 3B 3C 2F 6D 73 67 3E 3C 66 牌 1
Process finished with exit code 0
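As an added example (not code from the original post), here is a small stand-alone client that performs the same handshake the log above records and prints the same facts in readable form: the negotiated protocol and cipher suite (the ServerHello lines), the peer chain with subject, issuer and validity (the Certificate chain dump), and, when the handshake fails, the whole cause chain, which is where "unable to find valid certification path to requested target" appears. The host name, port, trust store file test.keystore and password 123456 are assumptions taken from this post's later keytool command; any JKS trust store works.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post): opens one TLS connection and prints
 * the handshake facts that -Djavax.net.debug=ssl shows, or the failure cause chain.
 * Host, port, trust store path and password are assumptions.
 */
public class HandshakeProbe {

    /** SSLContext whose trust store is the given JKS file; no client key, so server authentication only. */
    static SSLContext contextFromTrustStore(String jksPath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Runs the handshake and prints what the ServerHello and Certificate chain records contain. */
    static void probe(SSLContext ctx, String host, int port) {
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // host name must match the SubjectAlternativeName
            socket.setSSLParameters(params);
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("protocol     : " + session.getProtocol());
            System.out.println("cipher suite : " + session.getCipherSuite());
            Certificate[] chain = session.getPeerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate x = (X509Certificate) chain[i];
                System.out.printf("chain [%d] subject = %s%n          issuer  = %s%n          valid   = %s .. %s%n",
                        i, x.getSubjectX500Principal(), x.getIssuerX500Principal(),
                        x.getNotBefore(), x.getNotAfter());
            }
        } catch (Exception e) {
            // The "unable to find valid certification path" message is usually two or three causes deep
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println(t.getClass().getSimpleName() + ": " + t.getMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "appgateway.xxx.com.cn"; // placeholder host from the log
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        String jks = args.length > 2 ? args[2] : "test.keystore";          // assumed trust store
        probe(contextFromTrustStore(jks, "123456".toCharArray()), host, port);
    }
}
```

One caveat visible in the log above: the author's client connects to 223.71.195.74 and accepts it through the project's own ScVerifyHostName, while the certificate's SubjectAlternativeName lists only the DNS name appgateway.xxx.com.cn. With the standard endpoint identification enabled here, connecting by IP address would fail the host name check, which is the expected and safer outcome; connect by the DNS name instead of relaxing the verifier.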
About JKS
JKS (Java Key Store) is a common format for Java keystores (KeyStore) and is the certificate/private-key format supported by Java's keytool. Certificates in other formats have to be converted into JKS before the JVM can use them.
Importing certificates
When calling a downstream service over HTTPS from Java, the certificate issued by that server has to be installed in the JVM.
If the program reports unable to find valid certification path to requested target, the main cause is that the certificate issued by the server has not been imported into the JVM on the client side.
The certificate file we receive usually has a .cer or .pem suffix. We need to use keytool to convert it into a JKS keystore for Java.
keytool -keypasswd -alias test2 -keystore test.keystore
keytool -import -alias testopen -file test.crt -keystore test.keystore -storepass 123456
The command above imports the file test.crt into the JKS keystore test.keystore; 123456 is the keystore password.
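After the import, it is worth checking offline what the JVM's trust manager will conclude before wiring the keystore into an SSLContext. The following program is an added example (not from the original post): it loads test.keystore, lists its trusted entries, reads test.crt (PEM or DER; a file holding the whole chain also works) and then applies the same two-stage decision JSSE's PKIX trust manager makes. If the leaf certificate is itself a trusted entry it is accepted directly (the "Found trusted certificate" case in the log above); otherwise a PKIX path must be built from the presented chain to a trust anchor, and the failure message is the same "unable to find valid certification path to requested target". The file names and the password 123456 come from the keytool command above and are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not from the original post): offline check of whether a server
 * certificate will be accepted against a JKS trust store, mirroring the decision
 * the JSSE PKIX trust manager makes. Paths and the password are assumptions.
 */
public class TrustPathCheck {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads one or more certificates (PEM or DER), leaf first, as keytool -import parses them. */
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Every trusted-certificate entry, to confirm the import landed under the alias you expect. */
    static List<String> describeTrustedEntries(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                out.add(alias + ": " + c.getSubjectX500Principal() + " (valid until " + c.getNotAfter() + ")");
            }
        }
        return out;
    }

    /** Stage 1: a leaf that is itself a trusted entry is accepted outright. Stage 2: build a PKIX path to an anchor. */
    static boolean wouldBeTrusted(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        X509Certificate leaf = chain.get(0);
        String directAlias = trustStore.getCertificateAlias(leaf);
        if (directAlias != null) {
            System.out.println("leaf is a trusted entry itself: " + directAlias);
            return true;
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        // Every certificate entry in the key store becomes a trust anchor
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // offline check; JSSE also leaves revocation off unless configured
        try {
            PKIXCertPathBuilderResult result =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("path ends at anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathBuilderException e) {
            // The same text later surfaces inside SSLHandshakeException in the application
            System.out.println("no path: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String jks = args.length > 0 ? args[0] : "test.keystore"; // assumed file names
        String crt = args.length > 1 ? args[1] : "test.crt";
        KeyStore trustStore = loadJks(jks, "123456".toCharArray());
        for (String entry : describeTrustedEntries(trustStore)) {
            System.out.println("trusted: " + entry);
        }
        System.out.println("accepted: " + wouldBeTrusted(readChain(crt), trustStore));
    }
}
```

The path builder also enforces the validity period, so a certificate past its notAfter date (the one in the log above expired on 2019-08-05) fails here exactly as it would at runtime; listing the entries first makes an expired or mis-aliased import obvious before any network call.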
Using HTTPS from Java code (with HttpClient 4.5)
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;
    import org.apache.http.client.config.RequestConfig;
    import org.apache.http.config.Registry;
    import org.apache.http.config.RegistryBuilder;
    import org.apache.http.conn.socket.ConnectionSocketFactory;
    import org.apache.http.conn.socket.PlainConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.InitializingBean;

    public class XXHttpClientUtils implements InitializingBean {
        // The original listing left these undeclared; they are added so the class compiles
        // (slf4j and the timeout values are assumptions; 60000 matches setSoTimeout(60000) in the log).
        private static final Logger logger = LoggerFactory.getLogger(XXHttpClientUtils.class);
        private static final int connectTimeOut = 5000;
        private static final int connectRequestTimeOut = 5000;
        private static final int socketTimeOut = 60000;
        private static PoolingHttpClientConnectionManager connManager;

        private static SSLConnectionSocketFactory sslConnectionSocketFactory = null;
        private static RequestConfig requestConfig;
        private static final String KEY_STORE_TYPE_JKS = "jks";
        private static final String SCHEME_HTTPS = "https";

        @Override
        public void afterPropertiesSet() throws Exception {
            init();
        }

        /** Path of the JKS file (left empty in the original post). */
        public static String getKeystorePath() {
            return "";
        }

        /** Password of the JKS. */
        public static String getKeystorePw() {
            return "123456";
        }

        public void init() {
            try {
                requestConfig = RequestConfig.custom()
                        .setConnectTimeout(connectTimeOut).setConnectionRequestTimeout(connectRequestTimeOut)
                        .setSocketTimeout(socketTimeOut).build();
                SSLContext sslContext = null;
                // The key part is creating the SSLContext.
                sslContext = createVerifySSLContext();
                if (sslContext == null) {
                    logger.error("error in create sslContext , use ignore ssl sslContext");
                    sslContext = createIgnoreVerifySSL();
                }
                // ScVerifyHostName is the project's own hostname verifier (it appears in the debug log above)
                sslConnectionSocketFactory =
                        new SSLConnectionSocketFactory(sslContext,
                                new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"}, null,
                                ScVerifyHostName.getVerifyHostName());
                Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
                        .register("http", PlainConnectionSocketFactory.INSTANCE)
                        .register(SCHEME_HTTPS, sslConnectionSocketFactory)
                        .build();
                connManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
                HttpClients.custom().setConnectionManager(connManager);
            } catch (Exception e) {
                logger.error("error in create socketFactory:", e);
            }
        }

        /**
         * Creates an SSLContext that skips server verification.
         * @return the trust-all context
         * @throws NoSuchAlgorithmException
         * @throws KeyManagementException
         */
        public static SSLContext createIgnoreVerifySSL() throws NoSuchAlgorithmException, KeyManagementException {
            SSLContext sc = SSLContext.getInstance("SSLv3");
            // An X509TrustManager implementation that bypasses verification; its methods are deliberately left empty
            X509TrustManager trustManager = new X509TrustManager() {
                // Checks whether the client is trusted. Not implemented.
                @Override
                public void checkClientTrusted(X509Certificate[] paramArrayOfX509Certificate,
                                               String paramString) throws CertificateException {
                }

                // Checks whether the server is trusted. This method inspects the server's certificate and throws
                // if it is not trusted. By implementing it ourselves we can make it trust any certificate we choose;
                // an empty body never throws, so every certificate is trusted. In the ignore-verification
                // implementation it is left empty.
                @Override
                public void checkServerTrusted(X509Certificate[] paramArrayOfX509Certificate,
                                               String paramString) throws CertificateException {
                }

                // Returns the array of trusted X509 certificates (an empty array rather than null, which some callers reject).
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            };
            sc.init(null, new TrustManager[]{trustManager}, null);
            return sc;
        }

        public static SSLContext createVerifySSLContext() throws NoSuchAlgorithmException, KeyManagementException {
            SSLContext sslContext = null;
            sslContext = SSLContext.getInstance("TLS");
            InputStream ksin = null;
            InputStream tsin = null;
            try {
                KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE_JKS);
                KeyStore trustKeyStore = KeyStore.getInstance(KEY_STORE_TYPE_JKS);
                // getKeystorePw() returns the password of the keystore file
                // getKeystorePath() returns the path of the keystore file (the same file serves as key store and trust store here)
                ksin = new FileInputStream(getKeystorePath());
                tsin = new FileInputStream(getKeystorePath());
                keyStore.load(ksin, getKeystorePw().toCharArray());
                trustKeyStore.load(tsin, getKeystorePw().toCharArray());
                KeyManagerFactory keyFactory = null;
                keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyFactory.init(keyStore, getKeystorePw().toCharArray());
                KeyManager[] keyManagers = keyFactory.getKeyManagers();
                TrustManagerFactory trustFactory = null;
                trustFactory = TrustManagerFactory.getInstance("SunX509");
                trustFactory.init(trustKeyStore);
                TrustManager[] trustManagers = trustFactory.getTrustManagers();
                // Initialise the sslContext with the key and trust managers used for SSL authentication.
                sslContext.init(keyManagers, trustManagers, null);
            } catch (Exception e) {
                logger.error("error in create verifySsl Context", e);
                sslContext = null;
            } finally {
                try {
                    if (ksin != null) {
                        ksin.close();
                    }
                    if (tsin != null) {
                        tsin.close();
                    }
                } catch (Exception e) {
                    logger.error("error in close file input", e);
                }
            }
            return sslContext;
        }

        // ETCChannelScException is the project's own exception type
        public static String post(String body, String url) throws ETCChannelScException {
            CloseableHttpClient client = HttpClients.custom().setConnectionManager(connManager).build();
            // ……
            // …… (the request/response handling is elided in the original post)
            return null;
        }
    }
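The listing above falls back to createIgnoreVerifySSL() when the keystore cannot be loaded, which silently turns a misconfigured deployment into a client that accepts any server certificate. As an added example (not the post's own code), the same mutual-TLS client can be built with HttpClient 4.5's SSLContextBuilder: the client key store (our certificate and private key, which the server verifies) and the server trust store (what we verify) are kept separate, only TLSv1.2 is enabled, the library's default RFC 2818 hostname verifier is used, and a store that cannot be read aborts start-up instead of degrading to trust-all. The file names client.jks and test.keystore, the passwords and the request body are assumptions; the request path and the text/xml;charset=GBK content type are taken from the plaintext dump in the log above.

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

/**
 * Added example (not the post's own code): a mutual-TLS HttpClient 4.5 client that
 * fails closed. Store paths, passwords and the request body are assumptions.
 */
public final class MutualTlsClient {

    /** Key material = our certificate and key (checked by the server); trust material = the server's cert or its CA (checked by us). */
    public static SSLContext buildContext(File keyStore, char[] storePass, char[] keyPass,
                                          File trustStore, char[] trustPass)
            throws GeneralSecurityException, IOException {
        return SSLContexts.custom()
                .loadKeyMaterial(keyStore, storePass, keyPass)
                .loadTrustMaterial(trustStore, trustPass)
                .build();
    }

    public static CloseableHttpClient buildClient(SSLContext ctx) {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx,
                new String[] {"TLSv1.2"},  // the post also enables TLSv1 and TLSv1.1; the log shows the peer speaks TLSv1.2
                null,                      // cipher suites: JSSE defaults
                SSLConnectionSocketFactory.getDefaultHostnameVerifier()); // SubjectAlternativeName check, no custom verifier
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    /** POSTs an XML body the way the plaintext dump in the log shows (text/xml;charset=GBK). */
    public static String postXml(CloseableHttpClient client, String url, String body) throws IOException {
        HttpPost post = new HttpPost(url);
        post.setEntity(new StringEntity(body, ContentType.create("text/xml", "GBK")));
        try (CloseableHttpResponse response = client.execute(post)) {
            return EntityUtils.toString(response.getEntity(), "GBK");
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx;
        try {
            ctx = buildContext(new File("client.jks"), "123456".toCharArray(), "123456".toCharArray(),
                               new File("test.keystore"), "123456".toCharArray());
        } catch (GeneralSecurityException | IOException e) {
            // Fail closed: an unreadable store is a deployment error, never a reason to trust every certificate
            throw new IllegalStateException("TLS context could not be built: " + e.getMessage(), e);
        }
        try (CloseableHttpClient client = buildClient(ctx)) {
            // Placeholder host and body; the path is the one the log's POST line shows
            System.out.println(postXml(client, "https://appgateway.xxx.com.cn/ThirdPartyServeiceInTX", "<Agw/>"));
        }
    }
}
```

Keeping the two stores apart also keeps the private key out of the file that is handed around as "the server certificate", and a handshake failure now surfaces as an SSLHandshakeException at the call site rather than being masked by a trust-all fallback.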
References
https://www.cnblogs.com/benwu/articles/4891758.html
https://www.cnblogs.com/huqiaoblog/p/8398009.html