java - 使用 SSLSocketFactory 绕过证书验证

Question

我正在构建一个客户端应用程序，它将通过 soap 消息连接到第三方服务器。我正在使用在 JBoss 4.2.3 上运行的 jax-ws 2.1.9 和 jdk 1.6_18。

问题本身是配置为仅用于测试目的的服务器正在返回过期的证书，因此，我的应用程序抛出以下异常。

13:43:26,738 ERROR [STDERR] Caused by: javax.xml.ws.WebServiceException: java.io.IOException: Could not transmit message
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.handleRemoteException(ClientImpl.java:404)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:314)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:172)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:152)
13:43:26,739 ERROR [STDERR]     at $Proxy724.solicitarBaixaOperation(Unknown Source)
13:43:26,740 ERROR [STDERR]     at com.totvs.foundation.exchange.connector.ptu.implementation.v70_batch.InvoiceWriteOffConnector.process(InvoiceWriteOffConnector.java:91)
13:43:26,740 ERROR [STDERR]     ... 98 more
13:43:26,740 ERROR [STDERR] Caused by: java.io.IOException: Could not transmit message
13:43:26,740 ERROR [STDERR]     at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:255)
13:43:26,740 ERROR [STDERR]     at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:73)
13:43:26,741 ERROR [STDERR]     at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:339)
13:43:26,741 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:302)
13:43:26,741 ERROR [STDERR]     ... 102 more
13:43:26,741 ERROR [STDERR] Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker. java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014.
13:43:26,741 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:348)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:137)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:122)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.Client.invoke(Client.java:1634)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.Client.invoke(Client.java:548)
13:43:26,742 ERROR [STDERR]     at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:233)
13:43:26,743 ERROR [STDERR]     ... 105 more
13:43:26,743 ERROR [STDERR] Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014
13:43:26,743 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
13:43:26,743 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
13:43:26,746 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:277)
13:43:26,747 ERROR [STDERR]     ... 110 more
13:43:26,747 ERROR [STDERR] Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014
13:43:26,747 ERROR [STDERR]     at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
13:43:26,747 ERROR [STDERR]     at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570)
13:43:26,747 ERROR [STDERR]     at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:134)
13:43:26,748 ERROR [STDERR]     at sun.security.validator.Validator.validate(Validator.java:218)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
13:43:26,749 ERROR [STDERR]     ... 122 more

因此，出于测试目的，我试图绕过这些验证。我发现了一些博客和帖子，它们都促使我找到下面的代码片段。

/**
Inner class for set a blind TrustManager
**/
public class BlindTrustManager implements X509TrustManager {
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
}

/*Get the port instance of the web service interface created by JAX-WS*/
SolicitarBaixaPortType port = InvoiceWriteOffWebService.getInstance(serviceName, wsdlLocation);

/*set the socket factory*/
SSLContext ctx = SSLContext.getInstance("TLSv1");
            ctx.init(null, new TrustManager[] { new BlindTrustManager() }, null);
            SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
            ((BindingProvider) port).getRequestContext().put(BindingProviderProperties.SSL_SOCKET_FACTORY, sslSocketFactory);
((BindingProvider) port).getRequestContext().put(com.sun.xml.internal.ws.client.BindingProviderProperties.SSL_SOCKET_FACTORY, sslSocketFactory);

/*message is the Object Jax generated*/
response = port.solicitarBaixaOperation(message);

虽然我已经设置了 SSLSocketFactory CertificateExpiredException 仍然会抛出。所以它提出了以下问题:

1. 我做的对吗？
2. 我如何确定连接看到我的 BlindTrustManager 类？因为我在日志中看不到任何提及。
3. 我如何确定我需要传递给我的 BindingProvider 请求上下文的正确字符串才能找到我的 SSLSocketFactory？
4. 我必须在 JBoss 中进行一些其他配置吗？

谢谢

Answer 1

这是一个猜测，因为我不熟悉框架，但如果 jboss 使用 url.openConnection() 那么我认为你需要设置 JVM 范围的默认值

javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);

注意这可能会产生更广泛的影响，如果可行的话，也许您可​​以专门将该证书列入白名单。