Java http(s) client does not fail

Time: 2017-09-01 18:12:08

Tags: java ssl ssl-certificate x509certificate apache-httpclient-4.x

I have a Java SE desktop (console) application that uses the Apache HTTP components library:

<dependency org="org.apache.httpcomponents" name="httpcore" rev="4.4.5"/>

At the lowest level I just do a:

CloseableHttpClient httpClient = HttpClients.custom().setDefaultHeaders(headers).build();
CloseableHttpResponse response = httpClient.execute(request); 

I then use this console application to access a web service that is served over SSL, where the server is configured with the following certificate:

Common Name (CN)    InCommon RSA Server CA
Organization (O)    Internet2
Organizational Unit (OU)    InCommon

I was expecting my client to fail. This is because when I look at the certificates bundled with Java, neither "internet2" nor "inc" seems to be in there:

$ keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list | grep -i 'internet2\|inc'
Enter keystore password:  
<no output>
$

Why does my client not fail? I have not configured it to accept all certificates. In the past (when the server did not present a certificate at all) the code did fail, and I expected the situation to remain the same with the new certificate, since the InCommon CA is not listed among those found in the Java {{1}} file.

1 answer:

Answer 0: (score: 0)

The suggestion to use keytool -printcert -sslserver hostname[:port] was very useful.

I am still not quite sure how to decipher the output of keytool -printcert -sslserver, or how to "connect" its output to that of keytool -list. The following (brittle) incantation does find some matches:

for x in $(keytool -printcert -sslserver example.com:443 -v \
             | grep ^Issuer | awk '{print $2}' | cut -c4- | sort | uniq); do
    keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list | grep -i "$x"
done

...but the matches are case-insensitive and only on a prefix.

In particular, the output of keytool -printcert -sslserver has the string "USERTrust", but the closest the output of keytool -keystore comes to it is "usertrusteccca" and "usertrustrsaca".

(grepping for `usertrust`)
$ keytool -printcert -sslserver example.com:443 -v | grep -i usertrust

 accessLocation: URIName: http://crt.usertrust.com/InCommonRSAServerCA_2.crt
 accessLocation: URIName: http://ocsp.usertrust.com
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
 accessLocation: URIName: http://ocsp.usertrust.com
 [URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
 accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
 accessLocation: URIName: http://ocsp.usertrust.com
 [URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
(grepping for `usertrust`)
$ keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list   | grep -i usertrust
Enter keystore password:  

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

usertrusteccca, May 11, 2015, trustedCertEntry, 
usertrustrsaca, May 11, 2015, trustedCertEntry,
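The comparison the answer is groping for, both for the question's "is InCommon in cacerts?" check and for the answer's grep over alias names, as an added example that is not part of the original question or answer: a Python script that parses the Owner/Issuer lines from `keytool -printcert -sslserver host:port -v` output and from `keytool -keystore cacerts -list -v` output, then walks the presented chain from the leaf upwards and reports the first certificate whose issuer DN equals the subject DN of a trusted keystore entry. It also reproduces the alias-prefix comparison of the one-liner above, to show why "USERTrust" yields two candidates. Both sample outputs are constructed in keytool's line format (the example.com leaf, the full InCommon intermediate DN and the digicert and ECC entries are illustrative; only the USERTrust RSA DN is on the page). It checks name linkage only, not signatures, validity dates or extensions; that is what the JVM's PKIX validator does when the client connects, and keystore aliases are labels chosen at import time that the validator never looks at.

```python
"""Added example (not from the original post): link a server's presented
chain to a cacerts trust anchor by full Distinguished Name comparison,
instead of grepping keystore alias prefixes. All sample data is constructed.
Diagnostic only: no signature, validity or extension checks are performed."""
import re

# Constructed sample of `keytool -printcert -sslserver www.example.com:443 -v`,
# trimmed to the lines that matter. keytool prints the leaf first, and each
# certificate has an "Owner:" line immediately followed by an "Issuer:" line;
# the parser keys on those two lines only, so the separator lines between
# certificates are ignored whatever form they take.
SERVER_CHAIN_OUTPUT = """\
Certificate #0
====================================
Owner: CN=www.example.com, O=Example Org, L=Somewhere, ST=Somestate, C=US
Issuer: CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US
Serial number: 1234

Certificate #1
====================================
Owner: CN=InCommon RSA Server CA, OU=InCommon, O=Internet2, L=Ann Arbor, ST=MI, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 5678
"""

# Constructed sample of `keytool -keystore cacerts -list -v` with three entries.
CACERTS_LIST_OUTPUT = """\
Your keystore contains 3 entries

Alias name: digicertglobalrootca
Entry type: trustedCertEntry

Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Alias name: usertrusteccca
Entry type: trustedCertEntry

Owner: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US

Alias name: usertrustrsaca
Entry type: trustedCertEntry

Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
"""


def normalize_dn(dn):
    """Canonicalise a keytool-printed DN for string comparison: split on
    unescaped commas, strip whitespace around each RDN and upper-case the
    attribute type. A practical approximation of RFC 5280 name matching."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def parse_keytool(text):
    """Return one dict per certificate in keytool output, in print order:
    {"alias": keystore alias or None, "owner": subject DN, "issuer": issuer DN}.
    An "Alias name:" line (from -list -v) is attached to the next Owner line."""
    certs, pending_alias, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            pending_alias = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):
            current = {"alias": pending_alias,
                       "owner": normalize_dn(line.split(":", 1)[1]),
                       "issuer": None}
            certs.append(current)
            pending_alias = None
        elif line.startswith("Issuer:") and current is not None:
            current["issuer"] = normalize_dn(line.split(":", 1)[1])
    return certs


def find_trust_anchor(chain, trusted):
    """Walk the presented chain from the leaf upwards and return
    (chain index, keystore alias) for the first certificate whose issuer DN
    equals the subject DN of a trusted entry, or None if nothing in the
    chain was issued by a certificate in the keystore."""
    by_subject = {c["owner"]: c for c in trusted}
    for index, cert in enumerate(chain):
        anchor = by_subject.get(cert["issuer"])
        if anchor is not None:
            return index, anchor["alias"]
    return None


def alias_prefix_candidates(issuer_dn, trusted):
    """Reproduce what the grep one-liner compares: the first token of the
    issuer DN minus its leading "CN=" (awk '{print $2}' | cut -c4- on the
    Issuer line), matched case-insensitively as a substring of every alias.
    For "USERTrust" this returns both the ECC and the RSA alias."""
    needle = issuer_dn.split()[0][3:].casefold()
    return [c["alias"] for c in trusted
            if c["alias"] is not None and needle in c["alias"].casefold()]


if __name__ == "__main__":
    chain = parse_keytool(SERVER_CHAIN_OUTPUT)
    trusted = parse_keytool(CACERTS_LIST_OUTPUT)
    for i, cert in enumerate(chain):
        print(f"chain[{i}] subject={cert['owner']}\n         issuer={cert['issuer']}")
    print("alias-prefix grep matches:", alias_prefix_candidates(chain[-1]["issuer"], trusted))
    print("DN-matched trust anchor (index, alias):", find_trust_anchor(chain, trusted))
```

To run this against a real host, save `keytool -printcert -sslserver host:443 -v` to one file and `keytool -keystore <path to cacerts> -storepass changeit -list -v` to another (changeit is the default cacerts password; without `-v` keytool lists aliases only, which is why the question's grep could not see any DN) and pass the two files' contents to parse_keytool in place of the constructed samples. A result of (1, "usertrustrsaca") says the intermediate presented by the server is issued by a certificate the JVM already trusts, which is the kind of linkage a plain alias grep cannot establish.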