0. Background
HTTPS is essentially HTTP + SSL: an encrypted protocol through which the server side provides a secure service.
1. Java as a client requesting HTTPS
HttpClient is normally used as the client, and there are two approaches:
(1) Bypass the certificate check
The servers a Java client calls are usually a fixed handful of URLs, so the client can simply be set to trust every server and skip certificate verification altogether. In practice this means the client accepts whatever certificate the peer presents.
Implement X509TrustManager with check methods that do nothing and getAcceptedIssuers returning null, so no verification is performed:
import java.security.cert.CertificateException;
import javax.net.ssl.X509TrustManager;

// Trust manager that accepts every certificate: both check methods return
// without inspecting the chain, and no accepted issuers are reported
X509TrustManager trustManager = new X509TrustManager() {
    @Override
    public void checkClientTrusted(
            java.security.cert.X509Certificate[] paramArrayOfX509Certificate,
            String paramString) throws CertificateException {
        // no verification of the client certificate chain
    }
    @Override
    public void checkServerTrusted(
            java.security.cert.X509Certificate[] paramArrayOfX509Certificate,
            String paramString) throws CertificateException {
        // no verification of the server certificate chain
    }
    @Override
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
    }
};
(2) Verify the certificate
1. Obtain the certificate ca.cer, e.g. by visiting the HTTPS site in a browser and exporting it, or by downloading it.
2. Import the certificate into a keystore:
keytool -importcert -alias test -file ca.cer -keystore test.keystore
3. Code:
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.params.ClientPNames;
import org.apache.http.client.params.CookiePolicy;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.CoreProtocolPNames;
import org.apache.http.util.EntityUtils;

public class HttpsClientWithTrustStore {
    public static void main(String[] args) throws ClientProtocolException,
            IOException, KeyStoreException, NoSuchAlgorithmException,
            CertificateException, KeyManagementException, UnrecoverableKeyException {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getParams().setParameter(ClientPNames.COOKIE_POLICY, CookiePolicy.BROWSER_COMPATIBILITY);
        client.getParams().setParameter(CoreProtocolPNames.USER_AGENT,
                "Mozilla/5.0 (Windows NT 6.2; rv:18.0) Gecko/20100101 Firefox/18.0");
        String PostFir = "https://www.xxx.com/";
        // Load the keystore that holds the imported CA certificate
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream instream = new FileInputStream(new File("d:/zzaa/steven.keystore"));
        // keystore password
        trustStore.load(instream, "123456".toCharArray());
        instream.close();
        // Register the keystore as the trust store for TLS connections
        SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
        // Do not verify the hostname against the certificate
        socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        Scheme sch = new Scheme("https", 443, socketFactory);
        client.getConnectionManager().getSchemeRegistry().register(sch);
        HttpPost httppost1 = new HttpPost(PostFir);
        HttpResponse response1 = client.execute(httppost1);
        HttpEntity resEntity1 = response1.getEntity();
        System.out.println(EntityUtils.toString(resEntity1, "gbk"));
    }
}
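The same trust-store approach using the JDK's own TrustManagerFactory and HttpsURLConnection, with the default hostname verifier left in place so the certificate must also match the host in the URL. This is an added example, not code from the original post; the keystore path, its password and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreOnlyClient {

    // Build an SSLContext whose trust decisions come solely from the given keystore,
    // i.e. only chains ending in the CA imported with keytool are accepted.
    static SSLContext sslContextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: no client certificate; null SecureRandom: JDK default
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: keystore produced by the keytool -importcert step, its password, target URL
        SSLContext ctx = sslContextFromTrustStore("test.keystore", "changeit".toCharArray());
        URL url = new URL("https://www.xxx.com/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: the default verifier stays active, so a certificate
        // issued to a person's name instead of the domain is rejected here.
        // An SSLHandshakeException means the chain does not lead to the imported CA.
        System.out.println("HTTP " + conn.getResponseCode() + " " + conn.getResponseMessage());
        for (Certificate c : conn.getServerCertificates()) {
            System.out.println("peer cert: " + ((X509Certificate) c).getSubjectX500Principal());
        }
        conn.disconnect();
    }
}
```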
2. Java providing an HTTPS service
Usually you obtain a certificate (free or paid; a self-signed certificate can also be generated) and deploy it on the HTTP server or proxy server (Nginx, Apache, Tomcat, IIS, etc.). The example below uses a self-signed certificate generated with the JDK's keytool, deployed on Tomcat.
(1) Generate the certificate and key
keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "e:\tomcat.keystore"
Delete the entry:
keytool -delete -alias tomcat -keystore "e:\tomcat.keystore"
Convert to the industry-standard format (optional):
keytool -importkeystore -srckeystore e:\tomcat.keystore -destkeystore e:\tomcat.keystore -deststoretype pkcs12
Note: the "first and last name" prompt should be answered with the domain name; if a person's name is entered instead, it will not match the domain the server actually runs under and there will be problems at runtime.
(2) Modify the configuration in server.xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="F:\tomcats.keystore"
           keystorePass="tomcat"
           ciphers="tomcat"
/>
The port can be changed to the default HTTPS port 443.