httpClient: implementing HTTPS server authentication

About HTTPS

A recent project required mutual (two-way) HTTPS authentication. I ran into quite a few things I was not familiar with before, so I am writing them down here.

[Figure: HTTPS handshake]

When a client makes an HTTPS request, the flow is as shown in the figure:
1. The client sends a Hello message, listing the set of Cipher Suites (key and algorithm suites, "ciphers" for short) it supports, to the server.
2-3. The server receives the message, compares the offered cipher suites with the ones it supports, picks one that both sides can use, and sends its own certificate to the client.
4-5. The client verifies the certificate. Once verification passes (or the user accepts an untrusted certificate), the client generates a random value to use as the secret and encrypts it with the public key from the certificate (it is also signed with the previously agreed hash algorithm), then sends the encrypted data to the server.
6. The server decrypts the data with its private key and obtains the secret the client sent.
7. All subsequent data exchange is symmetrically encrypted with this secret.

If any of the steps above fails, you may see: unable to find valid certification path to requested target

Debugging an SSL request

First, analyze a normal SSL request. Before starting the test, add the JVM argument
-Djavax.net.debug=all or -Djavax.net.debug=ssl
then send an HTTPS request and analyze the debug log.

2019-02-27 13:39:02,699 [main] INFO com.xxx.xxx.configuration.Configuration - ==================== load properties configuration begin ====================
2019-02-27 13:39:02,702 [main] INFO com.xxx.xxx.configuration.Configuration - config the item [name=class,value=class com.xxx.xxx.configuration.Configuration] 
2019-02-27 13:39:02,702 [main] INFO com.xxx.xxx.configuration.Configuration - ==================== load properties configuration  end  ====================
adding as trusted cert:
  Subject: CN=appgateway.xxx.com.cn, OU=科技开发中心, O=XXXX股份有限公司, L=Beijing, ST=Beijing, C=CN, SERIALNUMBER=9111000010112001XW, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN
  Issuer:  CN=Symantec Class 3 EV SSL CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  Algorithm: RSA; Serial number: 0x5a8962852801338bee7dad56ea2295f4
  Valid from Fri Aug 04 08:00:00 CST 2017 until Mon Aug 05 07:59:59 CST 2019

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
…………
…………
trigger seeding of SecureRandom
done seeding SecureRandom
2019-02-27 13:39:03,296 [main] INFO com.xxx.xxx.util.SpringBeanUtils - SpringBeanUtils instance has be created
2019-02-27 13:39:03,298 [main] INFO com.xxx.xxx.util.SpringBeanUtils - Get applicationContext is ok, context id is org.springframework.context.support.GenericApplicationContext@4d15107f
2019-02-27 13:39:03,794 [main] INFO com.xxx.xxx.ext.impl.ScOpenCardServiceExtImp - sign source :132S130100000001201902270000001420190227133903车牌号检测1301130100000001981301川T888800000000000001
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
……
……
%% No cached client session
### The client sends its Hello message to the server and tells it which symmetric cipher suites the client supports.
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1551245944 bytes = { 24, 75, 77, 113, 169, 126, 69, 96, 50, 175, 152, 126, 33, 24, 84, 60, 28, 38, 119, 98, 177, 167, 102, 244, 109, 43, 20, 84 }
Session ID:  {}
### Supported cipher suites
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
[write] MD5 and SHA1 hashes:  len = 161
0000: 01 00 00 9D 03 03 5C 76   22 78 18 4B 4D 71 A9 7E  ......\v"x.KMq..
0010: 45 60 32 AF 98 7E 21 18   54 3C 1C 26 77 62 B1 A7  E`2...!.T<.&wb..
……
main, WRITE: TLSv1.2 Handshake, length = 161
[Raw write]: length = 166
0000: 16 03 03 00 A1 01 00 00   9D 03 03 5C 76 22 78 18  ...........\v"x.
0010: 4B 4D 71 A9 7E 45 60 32   AF 98 7E 21 18 54 3C 1C  KMq..E`2...!.T<.
……

[Raw read]: length = 5
0000: 16 03 03 00 52                                     ....R
[Raw read]: length = 82
0000: 02 00 00 4E 03 03 5C 76   1F 62 78 2C 2C 24 9E 44  ...N..\v.bx,,$.D
0010: B6 D7 2A ED B1 63 D7 2C   FB 74 4A 0A 8E 02 D2 D9  ..*..c.,.tJ.....
……

main, READ: TLSv1.2 Handshake, length = 82

### The server's reply to the client's hello
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1551245154 bytes = { 120, 44, 44, 36, 158, 68, 182, 215, 42, 237, 177, 99, 215, 44, 251, 116, 74, 10, 142, 2, 210, 217, 151, 109, 193, 60, 72, 230 }
Session ID:  {16, 99, 46, 96, 144, 32, 226, 212, 102, 135, 107, 64, 154, 12, 167, 97, 63, 179, 194, 218, 195, 185, 217, 172, 208, 30, 27, 216, 138, 250, 225, 109}
### The cipher suite selected by the server.
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension ec_point_formats, formats: [uncompressed]
***
Warning: No renegotiation indication extension in ServerHello
%% Initialized:  [Session-1, TLS_RSA_WITH_AES_128_GCM_SHA256]
** TLS_RSA_WITH_AES_128_GCM_SHA256
[read] MD5 and SHA1 hashes:  len = 82
0000: 02 00 00 4E 03 03 5C 76   1F 62 78 2C 2C 24 9E 44  ...N..\v.bx,,$.D
0010: B6 D7 2A ED B1 63 D7 2C   FB 74 4A 0A 8E 02 D2 D9  ..*..c.,.tJ.....
……

[Raw read]: length = 5
0000: 16 03 03 07 2A                                     ....*
[Raw read]: length = 1834
0000: 0B 00 07 26 00 07 23 00   07 20 30 82 07 1C 30 82  ...&..#.. 0...0.
0010: 06 04 A0 03 02 01 02 02   10 5A 89 62 85 28 01 33  .........Z.b.(.3
……

main, READ: TLSv1.2 Handshake, length = 1834
### The server's own certificate, returned by the server.
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=appgateway.xxx.com.cn, OU=科技开发中心, O=XXXX股份有限公司, L=Beijing, ST=Beijing, C=CN, SERIALNUMBER=9111000010112001XW, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 23080700215634761319123560960556235026253206542610592101640272321439149926144696029632942437196330431812488906845966273392369622049027795517869825331130506054192600480674246576410753931256227681316778046333316578705198556247995247136829261420566514594828803371509553527289740789768132275587077331528734812885950955710535017621411146227873445410076143934862944428752807397841729714169544611013595829664673342853619864333774053669271999082330576354265436355986160512785260831259256161036283036555432773434851632109798185947587255214084178291568058704487313928300160873679588178589090996022242606555072350012601724203781
  public exponent: 65537
  Validity: [From: Fri Aug 04 08:00:00 CST 2017,
               To: Mon Aug 05 07:59:59 CST 2019]
  Issuer: CN=Symantec Class 3 EV SSL CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SerialNumber: [    5a896285 2801338b ee7dad56 ea2295f4]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B   01 69 00 76 00 DD EB 1D  ...o...k.i.v....
0010: 2B 7A 0D 4F A6 20 8B 81   AD 81 68 70 7E 2E 8E 9D  +z.O. ....hp....
……

[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://sr.symcd.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://sr.symcb.com/sr.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 01 59 AB E7 DD 3A 0B 59   A6 64 63 D6 CF 20 07 57  .Y...:.Y.dc.. .W
0010: D5 91 E7 6A                                        ...j
]
]

[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://sr.symcb.com/sr.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.6]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 17 68 74 74 70 73 3A   2F 2F 64 2E 73 79 6D 63  ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70   73                       b.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 19 0C 17 68 74 74 70   73 3A 2F 2F 64 2E 73 79  0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F   72 70 61                 mcb.com/rpa

]]  ]
  [CertificatePolicyId: [2.23.140.1.1]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: appgateway.xxx.com.cn
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 17 79 E4 BD A0 6C B4 23   1C D7 E8 DF AE 67 FF 2A  .y...l.#.....g.*
……
]
***
### This shows that a trusted certificate was found in the local trust store
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=appgateway.xxx.com.cn, OU=科技开发中心, O=XXXX股份有限公司, L=Beijing, ST=Beijing, C=CN, SERIALNUMBER=XX12001XW, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=Beijing, OID.1.3.6.1.4.1.311.60.2.1.2=Beijing, OID.1.3.6.1.4.1.311.60.2.1.3=CN
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 23080700215634761319123560960556235026253206542610592101640272321439149926144696029632942437196330431812488906845966273392369622049027795517869825331130506054192600480674246576410753931256227681316778046333316578705198556247995247136829261420566514594828803371509553527289740789768132275587077331528734812885950955710535017621411146227873445410076143934862944428752807397841729714169544611013595829664673342853619864333774053669271999082330576354265436355986160512785260831259256161036283036555432773434851632109798185947587255214084178291568058704487313928300160873679588178589090996022242606555072350012601724203781
  public exponent: 65537
  Validity: [From: Fri Aug 04 08:00:00 CST 2017,
               To: Mon Aug 05 07:59:59 CST 2019]
  Issuer: CN=Symantec Class 3 EV SSL CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  SerialNumber: [    5a896285 2801338b ee7dad56 ea2295f4]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 6F 04 82 01 6B   01 69 00 76 00 DD EB 1D  ...o...k.i.v....
……

[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://sr.symcd.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://sr.symcb.com/sr.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 01 59 AB E7 DD 3A 0B 59   A6 64 63 D6 CF 20 07 57  .Y...:.Y.dc.. .W
0010: D5 91 E7 6A                                        ...j
]
]

[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://sr.symcb.com/sr.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.23.6]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 17 68 74 74 70 73 3A   2F 2F 64 2E 73 79 6D 63  ..https://d.symc
0010: 62 2E 63 6F 6D 2F 63 70   73                       b.com/cps

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 19 0C 17 68 74 74 70   73 3A 2F 2F 64 2E 73 79  0...https://d.sy
0010: 6D 63 62 2E 63 6F 6D 2F   72 70 61                 mcb.com/rpa

]]  ]
  [CertificatePolicyId: [2.23.140.1.1]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: appgateway.xxx.com.cn
]

]
### Signature generated with the hash algorithm
  Algorithm: [SHA256withRSA]
  Signature:
0000: 17 79 E4 BD A0 6C B4 23   1C D7 E8 DF AE 67 FF 2A  .y...l.#.....g.*
0010: E3 D3 D8 09 90 E6 2E DD   43 2B B6 B1 A2 B1 F2 02  ........C+......
……

]
[read] MD5 and SHA1 hashes:  len = 1834
0000: 0B 00 07 26 00 07 23 00   07 20 30 82 07 1C 30 82  ...&..#.. 0...0.
0010: 06 04 A0 03 02 01 02 02   10 5A 89 62 85 28 01 33  .........Z.b.(.3
……

[Raw read]: length = 5
0000: 16 03 03 00 04                                     .....
[Raw read]: length = 4
0000: 0E 00 00 00                                        ....
main, READ: TLSv1.2 Handshake, length = 4

### ServerHelloDone

*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
[write] MD5 and SHA1 hashes:  len = 262
0000: 10 00 01 02 01 00 20 E1   00 CD 0E 53 79 FB 5A 05  ...... ....Sy.Z.
0010: DF 50 24 0F F9 CD 57 04   4E 56 0B D0 BA 16 35 D1  .P$...W.NV....5.
……

main, WRITE: TLSv1.2 Handshake, length = 262
[Raw write]: length = 267
0000: 16 03 03 01 06 10 00 01   02 01 00 20 E1 00 CD 0E  ........... ....
0010: 53 79 FB 5A 05 DF 50 24   0F F9 CD 57 04 4E 56 0B  Sy.Z..P$...W.NV.
……

SESSION KEYGEN:
PreMaster Secret:
0000: 03 03 7B 02 1A C6 D3 55   1B 7A 3F 72 FE CC DC C9  .......U.z?r....
0010: 25 46 C2 FC 46 49 FE 3B   90 61 07 27 14 99 F3 CB  %F..FI.;.a.'....

CONNECTION KEYGEN:
Client Nonce:
0000: 5C 76 22 78 18 4B 4D 71   A9 7E 45 60 32 AF 98 7E  \v"x.KMq..E`2...

Server Nonce:
0000: 5C 76 1F 62 78 2C 2C 24   9E 44 B6 D7 2A ED B1 63  \v.bx,,$.D..*..c

Master Secret:
0000: 05 24 C8 16 61 BE 39 8E   89 64 34 34 5E 58 2E 1E  .$..a.9..d44^X..

... no MAC keys used for this cipher
Client write key:
0000: D8 DC 19 45 8E 17 4D 7F   B0 EA 3D BD 79 A0 E1 09  ...E..M...=.y...
Server write key:
0000: D1 52 6A 14 67 B1 BA BE   64 5F F6 86 9D 4D A1 10  .Rj.g...d_...M..
Client write IV:
0000: DA 4E 2A 17                                        .N*.
Server write IV:
0000: 14 88 33 80                                        ..3.
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
[Raw write]: length = 6
0000: 14 03 03 00 01 01                                  ......
*** Finished
verify_data:  { 71, 204, 171, 236, 126, 197, 251, 137, 8, 239, 0, 217 }
***
[write] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C 47 CC AB EC   7E C5 FB 89 08 EF 00 D9  ....G...........
Padded plaintext before ENCRYPTION:  len = 16
0000: 14 00 00 0C 47 CC AB EC   7E C5 FB 89 08 EF 00 D9  ....G...........
main, WRITE: TLSv1.2 Handshake, length = 40
[Raw write]: length = 45
0000: 16 03 03 00 28 00 00 00   00 00 00 00 00 46 14 2C  ....(........F.,
0010: 16 75 2A 72 74 F7 D4 E9   4C F9 9D 5A 16 95 04 A4  .u*rt...L..Z....
0020: 2A 76 6B 9B B9 B7 D3 F4   05 7A 66 9A 72           *vk......zf.r
[Raw read]: length = 5
0000: 14 03 03 00 01                                     .....
[Raw read]: length = 1
0000: 01                                                 .
main, READ: TLSv1.2 Change Cipher Spec, length = 1
[Raw read]: length = 5
0000: 16 03 03 00 28                                     ....(
[Raw read]: length = 40
0000: 10 9D 6A D9 F8 9D 5E 5D   08 43 0D 7E DB 41 17 EE  ..j...^].C...A..
0010: E6 CD 9B 07 1A 0F BF 50   E0 1E 0B 47 29 DE B3 60  .......P...G)..`
0020: EE 5A 86 4A DB 05 04 F4                            .Z.J....
main, READ: TLSv1.2 Handshake, length = 40
Padded plaintext after DECRYPTION:  len = 16
0000: 14 00 00 0C A2 D9 3E 0F   47 AC BF 4A 64 C3 56 7A  ......>.G..Jd.Vz
### The server's Finished message
*** Finished
verify_data:  { 162, 217, 62, 15, 71, 172, 191, 74, 100, 195, 86, 122 }
***
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_GCM_SHA256]
[read] MD5 and SHA1 hashes:  len = 16
0000: 14 00 00 0C A2 D9 3E 0F   47 AC BF 4A 64 C3 56 7A  ......>.G..Jd.Vz
main, setSoTimeout(60000) called
2019-02-27 13:39:04,300 [main] INFO com.xxx.xxx.util.ScVerifyHostName - hostname = [223.71.195.74],session = [223.71.195.74]
### Data transfer begins. Below is the plaintext before encryption
Padded plaintext before ENCRYPTION:  len = 836
0000: 50 4F 53 54 20 2F 54 68   69 72 64 50 61 72 74 79  POST /ThirdParty
0010: 53 65 72 76 65 69 63 65   49 6E 54 58 20 48 54 54  ServeiceInTX HTT
0020: 50 2F 31 2E 31 0D 0A 43   6F 6E 74 65 6E 74 2D 54  P/1.1..Content-T
0030: 79 70 65 3A 20 74 65 78   74 2F 78 6D 6C 3B 63 68  ype: text/xml;ch
0040: 61 72 73 65 74 3D 47 42   4B 0D 0A 43 6F 6E 74 65  arset=GBK..Conte
0050: 6E 74 2D 4C 65 6E 67 74   68 3A 20 35 38 31 0D 0A  nt-Length: 581..
0060: 43 6F 6E 74 65 6E 74 2D   45 6E 63 6F 64 69 6E 67  Content-Encoding
0070: 3A 20 47 42 4B 0D 0A 48   6F 73 74 3A 20 32 32 33  : GBK..Host: 223
0080: 2E 37 31 2E 31 39 35 2E   37 34 3A 31 30 32 36 39  .71.195.74:10269
0090: 0D 0A 43 6F 6E 6E 65 63   74 69 6F 6E 3A 20 4B 65  ..Connection: Ke
00A0: 65 70 2D 41 6C 69 76 65   0D 0A 55 73 65 72 2D 41  ep-Alive..User-A
00B0: 67 65 6E 74 3A 20 41 70   61 63 68 65 2D 48 74 74  gent: Apache-Htt
00C0: 70 43 6C 69 65 6E 74 2F   34 2E 35 20 28 4A 61 76  pClient/4.5 (Jav
00D0: 61 2F 31 2E 38 2E 30 5F   31 32 31 29 0D 0A 41 63  a/1.8.0_121)..Ac
00E0: 63 65 70 74 2D 45 6E 63   6F 64 69 6E 67 3A 20 67  cept-Encoding: g
00F0: 7A 69 70 2C 64 65 66 6C   61 74 65 0D 0A 0D 0A 3C  zip,deflate....<
0100: 3F 78 6D 6C 20 76 65 72   73 69 6F 6E 3D 22 31 2E  ?xml version="1.
0110: 30 22 20 65 6E 63 6F 64   69 6E 67 3D 22 67 62 6B  0" encoding="gbk
0120: 22 3F 3E 3C 41 67 77 3E   3C 48 65 61 64 3E 3C 74  "?><Agw><Head><t
0160: 31 32 30 31 39 30 32 32   37 30 30 30 30 30 30 31  1201902270000001
0170: 34 3C 2F 72 65 71 53 65   72 69 61 4E 6F 3E 3C 74  4</reqSeriaNo><t
0190: 37 31 33 33 39 30 33 3C   2F 74 72 61 64 65 54 69  7133903</tradeTi
01C0: 2F 74 72 61 64 65 44 65   73 63 72 69 70 74 69 6F  /tradeDescriptio
01D0: 6E 3E 3C 66 68 55 6E 69   63 6F 64 65 3E 31 33 30  n><fhUnicode>130
01E0: 31 3C 2F 66 68 55 6E 69   63 6F 64 65 3E 3C 70 6C  1</fhUnicode><pl
0200: 30 30 30 30 30 30 31 3C   2F 70 6C 61 74 66 6F 72  0000001</platfor
0220: 49 2F 6C 61 64 47 68 4E   36 52 65 79 30 6B 6A 48  I/ladGhN6Rey0kjH
0230: 6C 55 68 4A 75 63 30 78   5A 6D 34 45 68 57 67 56  lUhJuc0xZm4EhWgV
0240: 43 58 31 75 59 44 6A 32   2B 5A 68 57 77 6C 46 2F  CX1uYDj2+ZhWwlF/
0250: 64 45 7A 70 37 7A 67 57   65 64 45 5A 36 6D 6B 4D  dEzp7zgWedEZ6mkM
0260: 70 68 6E 47 37 32 49 32   66 4C 62 6A 76 67 41 4C  phnG72I2fLbjvgAL
0270: 62 6E 52 69 36 50 41 33   71 6A 67 4B 6B 45 30 79  bnRi6PA3qjgKkE0y
0280: 6F 7A 4B 32 76 30 57 6C   66 74 70 6F 6B 55 2F 37  ozK2v0WlftpokU/7
0290: 6F 49 77 2B 47 77 6A 35   73 75 34 5A 4F 38 48 63  oIw+Gwj5su4ZO8Hc
02A0: 6B 76 72 31 62 5A 38 31   76 49 64 30 31 54 57 63  kvr1bZ81vId01TWc
02B0: 69 6E 43 34 36 51 77 33   55 78 74 66 6F 55 53 4A  inC46Qw3UxtfoUSJ
02C0: 2F 50 56 6C 4C 33 77 3D   3C 2F 73 69 67 6E 3E 3C  /PVlL3w=</sign><
02D0: 2F 48 65 61 64 3E 3C 42   6F 64 79 3E 3C 70 6F 73  /Head><Body><pos
0310: 30 30 30 30 30 30 30 30   30 30 30 30 3C 2F 74 65  000000000000</te
0330: 3C 2F 76 6C 70 63 3E 3C   2F 42 6F 64 79 3E 3C 2F  </vlpc></Body></
main, WRITE: TLSv1.2 Application Data, length = 860
### Below is the ciphertext after encryption with the negotiated key
[Raw write]: length = 865
0000: 17 03 03 03 5C 00 00 00   00 00 00 00 01 13 A5 8C  ....\...........
0010: 7E 8E 99 84 25 DC C7 3D   74 B6 79 65 D8 BC DB D9  ....%..=t.ye....
0020: F1 98 3B 7E F3 EF 8E B6   74 E3 2B 6A 42 1C A4 9B  ..;.....t.+jB...
0030: 11 B9 47 2B 27 9C 2E 74   24 99 C5 FD BF 73 42 43  ..G+'..t$....sBC
0040: 7A 81 3D E0 D9 45 9C 55   52 CE AC 13 2B CF 1C 8B  z.=..E.UR...+...
0050: F0 32 D3 8F 4E 33 19 BD   DB E4 0B 80 30 5E F4 43  .2..N3......0^.C
0060: 6B F5 F2 29 DA 8A 72 50   0B 03 58 9A 2D 86 0E 15  k..)..rP..X.-...
0070: FB 60 08 7F 66 9E C6 0A   7E 35 2D DA E9 94 43 AD  .`..f....5-...C.
0080: FB 76 93 B5 27 A9 E3 24   3A 44 80 BB 43 19 BC FD  .v..'..$:D..C...
0090: 91 03 80 4E 0A D3 E6 EE   D9 8A 24 6C A0 4C 93 6D  ...N......$l.L.m
00A0: 89 06 29 FC 51 C7 4A 2B   41 C5 E0 FA 03 0B D7 9B  ..).Q.J+A.......
00B0: 94 A0 AD 55 FB F3 60 F4   05 6F 27 32 22 E6 AB 1A  ...U..`..o'2"...
00C0: C2 DD 32 86 B4 81 32 04   5E E6 C7 47 85 83 6E 83  ..2...2.^..G..n.
00D0: 82 59 90 C3 87 01 1A 31   52 E6 72 72 C8 90 3E 76  .Y.....1R.rr..>v
00E0: 9F 97 9D 49 40 74 3D A4   5C 60 31 CB 7A 1E 47 3B  ...I@t=.\`1.z.G;
00F0: F0 2E D5 04 A0 1C 3E DE   87 74 48 B7 B3 52 C3 84  ......>..tH..R..
0100: EC A2 86 73 09 2F 2F A9   94 30 8C A4 A1 38 7A A5  ...s.//..0...8z.
0110: 07 D7 C7 D5 11 4C 70 3B   02 4A 47 92 31 BB E9 19  .....Lp;.JG.1...
0120: 57 0F CC 7C 3E E6 F0 F8   C9 4B CD 99 D2 4A 08 9D  W...>....K...J..
0130: 18 4A 85 D6 47 71 99 A6   E9 44 C9 45 37 9B AB 69  .J..Gq...D.E7..i
0140: 21 61 A3 A2 26 17 A7 F2   92 5C 52 27 56 39 6F 3A  !a..&....\R'V9o:
0150: 88 A9 3D 07 57 B1 68 30   A5 82 13 23 F9 CB 73 9D  ..=.W.h0...#..s.
0160: 6A CF 1D 83 9A F9 B3 9E   23 5C F5 0E B6 B3 6B F8  j.......#\....k.
0170: CA A5 63 3D A3 CB 79 1D   A7 30 02 08 F8 0F E3 6E  ..c=..y..0.....n
0180: 70 78 F0 D5 88 6C 45 09   D0 33 8C 26 78 21 35 9D  px...lE..3.&x!5.
0190: 8A FC A3 D5 6F FA F6 59   31 49 52 7E C2 73 4F 4D  ....o..Y1IR..sOM
01A0: 06 4D B0 7F D7 CB 28 DA   8A 91 3F 69 1E 04 92 51  .M....(...?i...Q
01B0: 07 B6 A6 08 62 D8 B7 26   33 37 C5 C5 6A B1 53 7A  ....b..&37..j.Sz
01C0: 57 48 32 2E 00 70 96 DE   BB 5C FA 02 42 E4 47 AE  WH2..p...\..B.G.
01D0: BE 0F 65 C3 C6 59 AB 76   B7 22 43 92 4F 5B 14 52  ..e..Y.v."C.O[.R
01E0: B3 D4 D8 97 4A C9 E6 BC   6B 66 53 37 D9 5A B3 C6  ....J...kfS7.Z..
01F0: AA 4A 8B CD 49 3B 9A FD   99 49 28 B8 C2 ED B5 4C  .J..I;...I(....L
0200: 38 B5 4B 7D BA B7 59 59   A9 89 BA 51 79 22 29 4A  8.K...YY...Qy")J
0210: B4 C0 4C 50 B8 A6 4B 30   93 4C 5B 3D 6F 39 C1 D6  ..LP..K0.L[=o9..
0220: C1 FE 45 3B 89 9E 34 CE   E6 7E 85 61 6B 93 86 8E  ..E;..4....ak...
0230: 5F E5 22 3D 8F B3 33 B4   71 45 BB 48 6D 14 EB C7  _."=..3.qE.Hm...
0240: 2A 7E 72 80 F7 94 1B 86   00 B8 F2 7C CF 02 AC F0  *.r.............
0250: F8 98 95 0B 25 81 11 C8   21 B3 3A 2B B0 AF 78 A7  ....%...!.:+..x.
0260: 2F 77 33 37 88 A9 CF D2   46 F2 F2 DB 19 3E 1B AB  /w37....F....>..
0270: D7 AF 7D 43 E7 71 1F 39   25 CD 64 A6 8E 29 B8 07  ...C.q.9%.d..)..
0280: 05 40 9E EB 42 6A 58 F6   D1 32 81 A1 9E 51 CE 85  .@..BjX..2...Q..
0290: E8 16 26 1A 73 6E 02 05   2B EA 5D D1 A2 62 87 04  ..&.sn..+.]..b..
02A0: E6 37 A9 26 E6 93 42 06   B6 CE 40 93 BE 65 78 8C  .7.&..B...@..ex.
02B0: EC 08 40 18 3F 6A 98 95   CC 1F 49 95 17 DC 75 E2  ..@.?j....I...u.
02C0: 01 6A 05 F4 69 D0 03 41   15 6B 74 B6 97 14 23 04  .j..i..A.kt...#.
02D0: AC 89 C0 06 0B 85 DA 96   18 E1 29 B1 2E 34 84 5A  ..........)..4.Z
02E0: B7 EF 31 73 7A 07 3F DA   F5 32 24 8D 4D E0 DF 92  ..1sz.?..2$.M...
02F0: 8E D1 E6 3A 50 BC EF 41   32 19 B3 A7 CF 4F 42 81  ...:P..A2....OB.
0300: D8 47 36 B8 FE 26 5D FB   AE C0 43 B0 CF C6 93 40  .G6..&]...C....@
0310: D5 D2 36 56 8D 93 BA CB   3A 80 0B 33 E0 4D AC 20  ..6V....:..3.M. 
0320: B0 54 C8 0F FF EA D8 8E   6D A3 9D 55 59 F4 B0 E8  .T......m..UY...
0330: 95 92 6A D1 DD 70 E9 6F   1E BE DA 97 8F 15 57 24  ..j..p.o......W$
0340: 05 B7 FF A2 BE DE 0E 9D   D7 AF 9F C6 0F 2C B1 43  .............,.C
0350: 15 46 30 F0 7E 3D CD B3   7C 66 CC 59 55 F4 2C 85  .F0..=...f.YU.,.
0360: 6E                                                 n
[Raw read]: length = 5
0000: 17 03 03 00 C8                                     .....
[Raw read]: length = 200
0000: 10 9D 6A D9 F8 9D 5E 5E   AC 14 A1 E8 A4 51 A4 88  ..j...^^.....Q..
0010: 8C 33 5A D6 37 A0 97 FD   22 9E A0 D2 7E 4D F8 41  .3Z.7..."....M.A
0020: 3D 7D 0A D9 58 67 63 DE   BB 43 72 DA 7C 63 F0 79  =...Xgc..Cr..c.y
0030: 4C 3C B1 23 75 9D D9 36   28 65 D8 66 FC 1F A4 A5  L<.#u..6(e.f....
0040: 37 DA AF 75 8A 41 24 4C   40 41 0D 45 6E 3C 6A 2C  7..u.A$L@A.En<j,
0080: 96 0F C6 F1 B7 E3 2F 58   1C C0 6B 0B F5 90 CE 5D  ....../X..k....]
0090: 3A B6 F4 2D 93 52 75 1E   92 D2 1F C2 B8 7A 14 2B  :..-.Ru......z.+
00A0: 3E C0 B6 5E 8D 00 15 5B   DC 13 F2 E2 2E 86 76 1E  >..^...[......v.
00B0: 39 BE FD 4A 64 0D 09 07   2F F4 5A FB 04 D7 77 64  9..Jd.../.Z...wd
00C0: 19 C4 77 09 40 AF D5 C0                            ..w.@...
main, READ: TLSv1.2 Application Data, length = 200
Padded plaintext after DECRYPTION:  len = 176
0000: 48 54 54 50 2F 31 2E 31   20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0010: 0A 43 6F 6E 74 65 6E 74   2D 54 79 70 65 3A 20 74  .Content-Type: t
0020: 65 78 74 2F 78 6D 6C 3B   63 68 61 72 73 65 74 3D  ext/xml;charset=
0030: 47 42 4B 0D 0A 44 61 74   65 3A 20 57 65 64 2C 20  GBK..Date: Wed, 
0040: 32 37 20 46 65 62 20 32   30 31 39 20 30 35 3A 33  27 Feb 2019 05:3
0050: 35 3A 30 35 20 47 4D 54   0D 0A 43 6F 6E 74 65 6E  5:05 GMT..Conten
0060: 74 2D 4C 65 6E 67 74 68   3A 20 35 30 35 0D 0A 43  t-Length: 505..C
0070: 6F 6E 6E 65 63 74 69 6F   6E 3A 20 4B 65 65 70 2D  onnection: Keep-
0080: 61 6C 69 76 65 0D 0A 56   69 61 3A 20 31 2E 31 20  alive..Via: 1.1 
0090: 49 44 2D 30 33 31 34 32   31 37 32 37 30 36 31 32  ID-0314217270612
00A0: 31 31 30 20 75 70 72 6F   78 79 2D 33 0D 0A 0D 0A  110 uproxy-3....
[Raw read]: length = 5
0000: 17 03 03 02 11                                     .....
### Ciphertext received
[Raw read]: length = 529
0000: 10 9D 6A D9 F8 9D 5E 5F   92 9C CF F2 7F EC D9 65  ..j...^_.......e
0010: 8B ED AF 2F A8 4C D9 72   84 26 D1 AF BD 58 51 C9  .../.L.r.&...XQ.
0020: C1 24 3E 34 23 00 8D 30   01 1C A6 97 DB A4 76 62  .$>4#..0......vb
0030: 92 0E 48 3B 34 E4 C6 33   2D 93 7F 79 C8 0F EC A6  ..H;4..3-..y....
0040: A9 2F 38 02 A2 16 05 FC   15 D0 3F 68 71 B0 84 DD  ./8.......?hq...
0050: 59 20 05 B5 FA 45 E3 13   12 92 E4 31 71 89 09 D6  Y ...E.....1q...
0060: 09 03 37 76 E4 38 0C E1   57 C6 FA 54 49 2B 7F 14  ..7v.8..W..TI+..
0070: C2 17 BD 91 7F 0F 29 51   70 10 29 13 87 7F 0B D3  ......)Qp.).....
0080: FB 7B B1 F5 D0 A3 9B 7D   59 BA 91 AB 5D 65 10 5C  ........Y...]e.\
0090: B8 3E 19 88 23 3C 31 68   29 1F A0 A6 59 1E 70 C2  .>..#<1h)...Y.p.
00A0: 71 35 5B 42 15 3A 51 41   10 34 C6 2B 88 0C 9E 07  q5[B.:QA.4.+....
00B0: AF B4 5A 86 DA 21 B3 EB   4B 54 96 2E 0F 13 BC E2  ..Z..!..KT......
00C0: A7 8A 6F D9 91 D0 2A 91   5E 4B CD 2C FF 5E C6 AE  ..o...*.^K.,.^..
00D0: 6E 39 BA 90 96 7B 5B C3   53 82 06 73 1E 62 08 52  n9....[.S..s.b.R
00E0: 4E 8F 67 D6 54 02 0A 3A   83 F9 23 62 EB 2D 62 80  N.g.T..:..#b.-b.
00F0: 4D 2C 12 93 60 80 23 D0   11 BF 46 98 E1 48 3A 7F  M,..`.#...F..H:.
0100: 43 33 9C 42 B3 93 4E 6A   0E A5 CC C5 28 79 8E 08  C3.B..Nj....(y..
0110: DC CD 88 C0 B9 4F 22 A5   AC AB B0 06 F6 BA 19 49  .....O"........I
0120: 40 A3 B0 1C BB C8 27 18   32 59 04 6A CE 1D 95 CE  @.....'.2Y.j....
0130: 4C CB 7A FF 98 58 D1 C2   51 99 93 A4 03 02 AF D5  L.z..X..Q.......
0140: 8F 65 4C 5B 8D 90 16 7B   77 49 EB 02 90 47 22 57  .eL[....wI...G"W
0150: 81 B3 65 49 38 8C CD 19   80 E1 BF BB 13 28 18 9E  ..eI8........(..
0160: 07 61 63 82 2C 76 4E 4E   43 E0 4F 72 BF 2A D8 AE  .ac.,vNNC.Or.*..
0170: 3A 59 AA A7 BA 4A 22 2A   A5 44 0E 95 F7 27 1E 61  :Y...J"*.D...'.a
0180: 45 68 A1 26 E3 73 94 BD   C9 72 D2 32 6F 5B 26 5D  Eh.&.s...r.2o[&]
0190: 07 92 E0 58 DE 71 48 23   0D E1 59 71 AB 36 35 F5  ...X.qH#..Yq.65.
01A0: 82 82 02 4B E7 21 12 81   3C 70 2A D3 70 70 33 00  ...K.!..<p*.pp3.
0030: 72 65 71 53 65 72 69 61   4E 6F 3E 31 33 30 31 30  reqSeriaNo>13010
0040: 30 30 30 30 30 30 31 32   30 31 39 30 32 32 37 30  0000001201902270
0050: 30 30 30 30 30 31 34 3C   2F 72 65 71 53 65 72 69  0000014</reqSeri
0070: 30 31 39 30 32 32 37 31   33 33 39 30 33 3C 2F 74  0190227133903</t
00C0: 61 66 3B 26 23 78 36 32   31 30 3B 26 23 78 35 32  af;&#x6210;&#x52
00D0: 39 66 3B 3C 2F 72 65 74   75 72 6E 4D 73 67 3E 3C  9f;</returnMsg><
00E0: 73 69 67 6E 3E 54 50 51   61 45 72 6F 73 72 64 69  sign>TPQaErosrdi
00F0: 34 75 35 4C 71 46 51 6E   74 4C 6C 4B 51 59 4C 68  4u5LqFQntLlKQYLh
0100: 7A 35 6B 71 63 53 74 75   4B 37 68 37 74 68 65 70  z5kqcStuK7h7thep
0110: 6F 79 74 65 49 4D 6D 6C   32 30 55 36 35 31 2B 44  oyteIMml20U651+D
0120: 57 79 6B 30 4F 36 4D 46   53 56 51 45 65 74 63 2F  Wyk0O6MFSVQEetc/
0130: 73 7A 79 49 71 52 73 63   73 78 33 34 61 50 4A 48  szyIqRscsx34aPJH
0140: 37 68 6B 43 39 39 2B 5A   31 4C 2F 2B 79 78 52 43  7hkC99+Z1L/+yxRC
0150: 75 68 54 37 52 76 43 35   65 44 31 6E 2F 47 37 6C  uhT7RvC5eD1n/G7l
0160: 48 63 42 69 42 6E 65 44   37 46 70 48 41 50 33 56  HcBiBneD7FpHAP3V
0170: 37 6E 71 37 51 65 6B 64   62 46 31 56 4A 71 51 78  7nq7QekdbF1VJqQx
0180: 2B 69 75 57 6F 4E 30 4C   2F 68 37 7A 45 64 76 4D  +iuWoN0L/h7zEdvM
0190: 3D 3C 2F 73 69 67 6E 3E   3C 2F 48 65 61 64 3E 3C  =</sign></Head><
01A0: 42 6F 64 79 3E 3C 63 6F   64 65 3E 31 3C 2F 63 6F  Body><code>1</co
01C0: 26 23 78 36 62 36 34 3B   26 23 78 38 66 36 36 3B  &#x6b64;&#x8f66;
01D0: 26 23 78 37 32 34 63 3B   3C 2F 6D 73 67 3E 3C 66  &#x724c;</msg><f

Process finished with exit code 0
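The handshake steps listed under "About HTTPS" and the javax.net.debug log above are what you read when a request fails. The following is an added example, not code from the original post: a small Java triage tool that walks a debug log line by line and pulls out the facts that decide the outcome (how many trust anchors were loaded at startup, what the ClientHello offered, which suite the ServerHello chose, the subject of chain[0], whether a "Found trusted certificate" line appeared, whether the handshake reached Finished, and whether the "unable to find valid certification path" message is present). The sample log embedded in the class is constructed and abbreviated from the log above; it is not a real capture.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Extracts the handshake facts that matter for triage from javax.net.debug=ssl output. */
public class SslDebugLogTriage {

    public static final class HandshakeSummary {
        public int trustAnchorsLoaded;             // "adding as trusted cert:" lines at startup
        public String clientHelloVersion;
        public int offeredCipherSuites;
        public String serverHelloVersion;
        public String selectedCipherSuite;
        public final List<String> chainSubjects = new ArrayList<>();
        public boolean trustedCertificateFound;    // "Found trusted certificate:"
        public boolean certPathFailure;            // "unable to find valid certification path..."
        public boolean finishedSeen;               // "*** Finished"

        public String verdict() {
            if (certPathFailure) {
                return "FAIL: no trust path for the server chain (import the server/CA cert into the JKS truststore)";
            }
            if (serverHelloVersion == null) {
                return "FAIL: no ServerHello received (connectivity, or no common protocol/cipher suite)";
            }
            if (!chainSubjects.isEmpty() && !trustedCertificateFound) {
                return "WARN: certificate chain received but no 'Found trusted certificate' line";
            }
            if (finishedSeen) {
                return "OK: handshake completed with " + selectedCipherSuite;
            }
            return "INCOMPLETE: handshake did not reach Finished";
        }
    }

    private static final Pattern CLIENT_HELLO  = Pattern.compile("^\\*\\*\\* ClientHello, (\\S+)$");
    private static final Pattern SERVER_HELLO  = Pattern.compile("^\\*\\*\\* ServerHello, (\\S+)$");
    private static final Pattern CIPHER_SUITES = Pattern.compile("^Cipher Suites: \\[(.*)\\]$");
    private static final Pattern CIPHER_SUITE  = Pattern.compile("^Cipher Suite: (\\S+)$");
    private static final Pattern SUBJECT       = Pattern.compile("^\\s*Subject: (.*)$");

    public static HandshakeSummary triage(List<String> lines) {
        HandshakeSummary s = new HandshakeSummary();
        boolean inChain = false;   // between "*** Certificate chain" and the next "***" marker
        for (String line : lines) {
            Matcher m;
            if (line.startsWith("adding as trusted cert:")) { s.trustAnchorsLoaded++; continue; }
            if ((m = CLIENT_HELLO.matcher(line)).matches()) { s.clientHelloVersion = m.group(1); continue; }
            if ((m = SERVER_HELLO.matcher(line)).matches()) { s.serverHelloVersion = m.group(1); continue; }
            if ((m = CIPHER_SUITES.matcher(line)).matches()) {
                s.offeredCipherSuites = m.group(1).split(",\\s*").length;
                continue;
            }
            if ((m = CIPHER_SUITE.matcher(line)).matches()) { s.selectedCipherSuite = m.group(1); continue; }
            if (line.startsWith("*** Certificate chain")) { inChain = true; continue; }
            if (line.startsWith("*** Finished")) { s.finishedSeen = true; inChain = false; continue; }
            if (line.startsWith("***")) { inChain = false; continue; }   // any other handshake marker
            if (line.startsWith("Found trusted certificate:")) { s.trustedCertificateFound = true; continue; }
            if (inChain && (m = SUBJECT.matcher(line)).matches()) { s.chainSubjects.add(m.group(1)); continue; }
            if (line.contains("unable to find valid certification path to requested target")) { s.certPathFailure = true; }
        }
        return s;
    }

    // Constructed sample, abbreviated from the page's log; not a real capture.
    static final List<String> SAMPLE_LOG = Arrays.asList(
        "adding as trusted cert:",
        "  Subject: CN=appgateway.xxx.com.cn, O=XXXX, C=CN",
        "*** ClientHello, TLSv1.2",
        "Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]",
        "***",
        "*** ServerHello, TLSv1.2",
        "Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256",
        "***",
        "*** Certificate chain",
        "chain [0] = [",
        "  Subject: CN=appgateway.xxx.com.cn, O=XXXX, C=CN",
        "  Issuer: CN=Symantec Class 3 EV SSL CA - G3, O=Symantec Corporation, C=US",
        "]",
        "***",
        "Found trusted certificate:",
        "*** ServerHelloDone",
        "*** Finished",
        "*** Finished");

    public static void main(String[] args) {
        HandshakeSummary s = triage(SAMPLE_LOG);
        System.out.println("trust anchors loaded: " + s.trustAnchorsLoaded);
        System.out.println("client offered " + s.offeredCipherSuites + " suites (" + s.clientHelloVersion + ")");
        System.out.println("server chose " + s.selectedCipherSuite + " (" + s.serverHelloVersion + ")");
        System.out.println("chain[0] subject: " + (s.chainSubjects.isEmpty() ? "(none)" : s.chainSubjects.get(0)));
        System.out.println("verdict: " + s.verdict());
    }
}
```

To use it on a real run, read the file produced with -Djavax.net.debug=ssl into a List<String> and pass it to triage(). A count of zero trust anchors together with a certPathFailure is the classic symptom of the keystore not being loaded at all, as opposed to being loaded but missing the server's certificate.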

About JKS

JKS (Java Key Store) is the most common format for a Java KeyStore, and it is the certificate and private-key format supported by Java's keytool utility. Certificates in other formats have to be converted to JKS before the JVM can use them.

Importing the certificate

When calling a downstream service over HTTPS from Java, the certificate issued by that server has to be installed into the JVM's trust store.
If the program reports unable to find valid certification path to requested target, the main cause is that the client side has not imported the server's certificate into the JVM.
The certificate files we receive usually have a .cer or .pem suffix, and keytool is used to convert them into a JKS keystore that Java can use.

keytool -keypasswd -alias test2 -keystore test.keystore

(This first command changes the password of the key entry test2 in test.keystore.)

keytool -import -alias testopen -file test.crt -keystore test.keystore -storepass 123456

The second command imports test.crt into the JKS keystore test.keystore under the alias testopen; 123456 is the keystore password.
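The keytool import above can also be done from Java, which makes it easy to check the resulting trust decision directly. The class below is an added example, not part of the original post or of the project's code: importCertificate() does what keytool -import does (reads a PEM or DER certificate file, adds it to a JKS keystore under an alias, and saves it), and isTrusted() builds a SunX509 TrustManager from a keystore and reports whether it accepts a given chain, printing the CertificateException message when it does not. The certificate file, keystore path and password are assumed to be passed on the command line; the alias testopen and the "RSA" authType (matching the TLS_RSA_... suite chosen in the log) are assumptions taken from the page's command and log.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreImportCheck {

    /** Java equivalent of: keytool -import -alias <alias> -file <certFile> -keystore <keystoreFile> -storepass <pw> */
    public static KeyStore importCertificate(Path certFile, Path keystoreFile, char[] storePass, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(keystoreFile)) {
            try (InputStream in = Files.newInputStream(keystoreFile)) { ks.load(in, storePass); }
        } else {
            ks.load(null, storePass);   // start from an empty keystore, as keytool does
        }
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certFile)) {
            // CertificateFactory accepts both PEM (.pem/.crt) and DER (.cer) encodings
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        ks.setCertificateEntry(alias, cert);   // a trusted-certificate entry, no private key
        try (OutputStream out = Files.newOutputStream(keystoreFile)) { ks.store(out, storePass); }
        return ks;
    }

    /** True if a TrustManager built from trustStore accepts the chain; false (with the reason) if it throws. */
    public static boolean isTrusted(KeyStore trustStore, X509Certificate[] chain, String authType) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(chain, authType);
                return true;
            } catch (CertificateException e) {
                // For a missing cert this is the page's "unable to find valid certification path..." family of errors
                System.out.println("rejected: " + e.getMessage());
                return false;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // args: <server cert file> <keystore file> <keystore password>   (assumed invocation)
        Path certFile = Paths.get(args[0]);
        Path keystoreFile = Paths.get(args[1]);
        char[] pw = args[2].toCharArray();

        KeyStore withCert = importCertificate(certFile, keystoreFile, pw, "testopen");
        X509Certificate leaf = (X509Certificate) withCert.getCertificate("testopen");
        X509Certificate[] chain = { leaf };
        System.out.println("imported: " + leaf.getSubjectX500Principal() + ", valid until " + leaf.getNotAfter());

        // Positive check: the store that now contains the cert must accept it
        System.out.println("trusted with imported cert: " + isTrusted(withCert, chain, "RSA"));

        // Negative check: an empty store must reject the same chain (the state before the import)
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, pw);
        System.out.println("trusted with empty store:   " + isTrusted(empty, chain, "RSA"));
    }
}
```

Running it against the server's certificate file prints the subject and expiry of what was imported, then true for the populated store and false for the empty one. The expiry line is worth keeping in any such tool: the certificate in the log above was valid only until Aug 05 2019, and an expired trust entry fails in exactly the same way as a missing one.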

Using HTTPS from Java code (HttpClient 4.5)

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;

public class XXHttpClientUtils implements InitializingBean {
    private static final Logger logger = LoggerFactory.getLogger(XXHttpClientUtils.class);
    private static SSLConnectionSocketFactory sslConnectionSocketFactory = null;
    private static PoolingHttpClientConnectionManager connManager;
    private static RequestConfig requestConfig;
    private static final String KEY_STORE_TYPE_JKS = "jks";
    private static final String SCHEME_HTTPS = "https";
    // Timeouts in milliseconds. The socket timeout matches the setSoTimeout(60000) seen in the log;
    // the other two are not shown on the page and are placeholders.
    private static final int connectTimeOut = 5000;
    private static final int connectRequestTimeOut = 5000;
    private static final int socketTimeOut = 60000;

    @Override
    public void afterPropertiesSet() throws Exception {
        init();
    }

    /** Path of the JKS file (left empty here; fill in for your deployment). */
    public static String getKeystorePath() {
        return "";
    }

    /** Password of the JKS keystore. */
    public static String getKeystorePw() {
        return "123456";
    }

    public void init() {
        try {
            requestConfig = RequestConfig.custom()
                    .setConnectTimeout(connectTimeOut).setConnectionRequestTimeout(connectRequestTimeOut)
                    .setSocketTimeout(socketTimeOut).build();
            // The key step is creating the SSLContext.
            SSLContext sslContext = createVerifySSLContext();
            if (sslContext == null) {
                // Caveat: this fallback silently disables server authentication whenever the
                // keystore cannot be loaded. In production it is safer to fail fast here.
                logger.error("error in create sslContext , use ignore ssl sslContext");
                sslContext = createIgnoreVerifySSL();
            }
            sslConnectionSocketFactory =
                    new SSLConnectionSocketFactory(sslContext,
                            new String[]{"TLSv1", "TLSv1.1", "TLSv1.2"}, null,
                            // the project's own HostnameVerifier (its code is not shown on this page)
                            ScVerifyHostName.getVerifyHostName());

            Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
                    .register("http", PlainConnectionSocketFactory.INSTANCE)
                    .register(SCHEME_HTTPS, sslConnectionSocketFactory)
                    .build();
            connManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
        } catch (Exception e) {
            logger.error("error in create socketFactory:", e);
        }
    }

    /**
     * Creates an SSLContext that skips server authentication.
     * @return the all-trusting context
     * @throws NoSuchAlgorithmException
     * @throws KeyManagementException
     */
    public static SSLContext createIgnoreVerifySSL() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext sc = SSLContext.getInstance("SSLv3");
        // An X509TrustManager that bypasses verification; its check methods are left empty on purpose
        X509TrustManager trustManager = new X509TrustManager() {
            // Checks whether the client is trusted. Not implemented.
            @Override
            public void checkClientTrusted(
                    java.security.cert.X509Certificate[] paramArrayOfX509Certificate,
                    String paramString) throws CertificateException {
            }

            // Checks whether the server is trusted. This method examines the server certificate and throws
            // an exception if the certificate is not trusted. By implementing it ourselves we can make it
            // trust any certificate we choose; leaving the body empty means no exception is ever thrown,
            // so every certificate is trusted. In this "ignore verification" implementation it is left empty.
            @Override
            public void checkServerTrusted(
                    java.security.cert.X509Certificate[] paramArrayOfX509Certificate,
                    String paramString) throws CertificateException {
            }

            // Returns the array of trusted X509 certificates (empty rather than null, which some callers reject)
            @Override
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return new java.security.cert.X509Certificate[0];
            }
        };
        sc.init(null, new TrustManager[]{trustManager}, null);
        return sc;
    }

    public static SSLContext createVerifySSLContext() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // getKeystorePw() returns the keystore file's password
        // getKeystorePath() returns the keystore file's path
        try (InputStream ksin = new FileInputStream(getKeystorePath());
             InputStream tsin = new FileInputStream(getKeystorePath())) {
            KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE_JKS);
            KeyStore trustKeyStore = KeyStore.getInstance(KEY_STORE_TYPE_JKS);
            keyStore.load(ksin, getKeystorePw().toCharArray());
            trustKeyStore.load(tsin, getKeystorePw().toCharArray());

            // Key managers present our own certificate to the server (client side of mutual TLS)
            KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyFactory.init(keyStore, getKeystorePw().toCharArray());
            KeyManager[] keyManagers = keyFactory.getKeyManagers();

            // Trust managers decide whether the server's certificate is accepted
            TrustManagerFactory trustFactory = TrustManagerFactory.getInstance("SunX509");
            trustFactory.init(trustKeyStore);
            TrustManager[] trustManagers = trustFactory.getTrustManagers();
            // initialize sslContext with the managers that provide the certificates for SSL authentication
            sslContext.init(keyManagers, trustManagers, null);
        } catch (Exception e) {
            logger.error("error in create verifySsl Context", e);
            sslContext = null;
        }
        return sslContext;
    }

    // ETCChannelScException is the project's own exception type; its definition is not shown on this page.
    // The original post elided the body of this method ("……"); the minimal POST below reflects the
    // text/xml;charset=GBK request visible in the debug log.
    public static String post(String body, String url) throws ETCChannelScException, IOException {
        CloseableHttpClient client = HttpClients.custom()
                .setConnectionManager(connManager)
                .setConnectionManagerShared(true)   // the pool is reused across calls
                .setDefaultRequestConfig(requestConfig)
                .build();
        HttpPost post = new HttpPost(url);
        post.setEntity(new StringEntity(body, ContentType.create("text/xml", "GBK")));
        try (CloseableHttpResponse response = client.execute(post)) {
            return EntityUtils.toString(response.getEntity(), "GBK");
        } finally {
            client.close();
        }
    }
}
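The class above loads one JKS file as both key store and trust store and, if that fails, falls back to a TrustManager that accepts anything. The following is an added example (not the project's code) of the same mutual-TLS setup written against the HttpClient 4.5 builder API, with the choices a reviewer would ask for: separate key store (our client certificate) and trust store (the servers we accept), TLSv1.2 only, the library's DefaultHostnameVerifier, and no fallback, so a bad keystore fails at startup instead of silently turning off server authentication. File paths and passwords are assumed to come from the command line; the URL argument is an assumption as well.

```java
import java.io.File;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public final class MutualTlsHttpClient {

    /**
     * Builds an HttpClient that (1) presents the client certificate from keystoreFile and
     * (2) accepts only servers whose chain leads to a certificate in truststoreFile.
     * Any problem loading either store propagates as an exception: there is no all-trusting fallback.
     */
    public static CloseableHttpClient build(File keystoreFile, char[] storePass, char[] keyPass,
                                            File truststoreFile, char[] trustPass) throws Exception {
        SSLContext sslContext = SSLContexts.custom()
                .setProtocol("TLS")
                .loadKeyMaterial(keystoreFile, storePass, keyPass)   // our identity (client side of mutual TLS)
                .loadTrustMaterial(truststoreFile, trustPass)        // the server certificates we trust
                .build();
        HostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();   // matches host against SAN/CN
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext,
                new String[]{"TLSv1.2"},   // the page's code still enables TLSv1 and TLSv1.1; drop them
                null,                      // JVM default cipher suites
                hostnameVerifier);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        // args: <keystore.jks> <storePass> <keyPass> <truststore.jks> <trustPass> <https url>   (assumed invocation)
        try (CloseableHttpClient client = build(new File(args[0]), args[1].toCharArray(), args[2].toCharArray(),
                                                new File(args[3]), args[4].toCharArray())) {
            try (CloseableHttpResponse response = client.execute(new HttpGet(args[5]))) {
                System.out.println(response.getStatusLine());
                System.out.println(EntityUtils.toString(response.getEntity()));
            } catch (SSLHandshakeException e) {
                // Untrusted server cert, hostname mismatch or a rejected client cert all end up here
                System.out.println("TLS handshake failed: " + e.getMessage());
            }
        }
    }
}
```

One detail from the log above matters with a real hostname verifier: the request there was sent to a raw IP (Host: 223.71.195.74:10269) while the certificate's SubjectAlternativeName carries only DNSName: appgateway.xxx.com.cn. DefaultHostnameVerifier would reject that combination, which is the correct outcome; the fix is to address the service by the DNS name in its certificate rather than to weaken the verifier.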

References
https://www.cnblogs.com/benwu/articles/4891758.html
https://www.cnblogs.com/huqiaoblog/p/8398009.html
