我有一个使用 Apache HTTP components 的 Java SE 桌面(控制台)应用程序图书馆:
<dependency org="org.apache.httpcomponents" name="httpcore" rev="4.4.5"/>
在最底层,我只是在做一个:
CloseableHttpClient httpClient = HttpClients.custom().setDefaultHeaders(headers).build();
CloseableHttpResponse response = httpClient.execute(request);
然后我使用此控制台应用程序访问通过 SSL 提供的 Web 服务,并且服务器配置了以下证书:
Common Name (CN) InCommon RSA Server CA
Organization (O) Internet2
Organizational Unit (OU) InCommon
我原以为我的客户会失败。这是因为当我查看与 Java 捆绑在一起的证书时,其中似乎没有任何带有“internet2”或“inc”的证书:
$ keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list | grep -i 'internet2\|inc'
Enter keystore password:
<no output>
$
为什么我的客户没有失败?我没有将其配置为接受所有证书。在过去(当服务器根本没有提供证书时)代码确实失败了,但我期望使用新证书情况会保持不变,因为 InCommon CA 未列在 Java 的 cacerts 中 文件。
最佳答案
使用 keytool -printcert -sslserver hostname[:port] 的建议非常有用。
我仍然不太清楚如何破译 keytool -printcert -sslserver 的输出以及如何将它与 keytool -printcert 的输出“连接”。以下(脆弱的)咒语确实找到了一些匹配项:
for x in $(keytool -printcert -sslserver example.com:443 -v | grep ^Issuer | awk '{print $2}' | cut -c4- | sort | uniq); do keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list | grep -i $x; done
... 然而,匹配对键不敏感且仅在前缀上。
特别是 keytool -printcert -sslserver 的输出有字符串“USERTrust”,但 keytool -keystore 的输出最接近的是:“usertrusteccca”和“usertrustrsaca”。
`keytool -printcert -sslserver` 的输出(greping for `usertrust`)
$ keytool -printcert -sslserver example.com:443 -v | grep -i usertrust
accessLocation: URIName: http://crt.usertrust.com/InCommonRSAServerCA_2.crt
accessLocation: URIName: http://ocsp.usertrust.com
Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
accessLocation: URIName: http://ocsp.usertrust.com
[URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
accessLocation: URIName: http://ocsp.usertrust.com
[URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
`keytool -keystore` 的输出(greping for `usertrust`)
$ keytool -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -list | grep -i usertrust
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
usertrusteccca, May 11, 2015, trustedCertEntry,
usertrustrsaca, May 11, 2015, trustedCertEntry,
关于Java http(s) 客户端没有失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46005863/