Two approaches:
1: Upgrade the Java version. TLS 1.0 is considered an insecure protocol version; upgrade to Java 8 or later so that the newer TLS versions (1.2 and 1.3) are available. Note that JDK 8u291 and later disable TLS 1.0 and 1.1 on the client by default, so upgrading fixes the client side only; a server that speaks nothing newer than TLS 1.0 must be upgraded as well, or the handshake errors listed at the end of this post appear.
2: Bypass SSL certificate validation (the insecure workaround).
Overview: the client has to be told to use a different TrustManager. A TrustManager is the class that checks whether a given certificate chain is valid. The certificates are X.509, and Java has a dedicated TrustManager for that format, X509TrustManager. First such a TrustManager is created and handed to the HttpClient. The TrustManager is used only by the SSL socket, and sockets are created through a SocketFactory; for SSL sockets that is SSLSocketFactory. A new SSLSocketFactory is obtained from an SSLContext, and it is the SSLContext that gets initialised with the newly created TrustManager.
Create the TrustManager
Create the SSLContext: TLS is the successor of SSL, but both use the same SSLContext class.
Create the SSLSocketFactory
Register the SSLSocketFactory with the HttpClient. This is done in the SchemeRegistry (Registry<ConnectionSocketFactory> in HttpClient 4.3 and later).
Create the ClientConnectionManager from that SchemeRegistry.
Build the HttpClient
Ignoring the certificate check for HTTPS
"Ignoring HTTPS validation" simply means writing an X509TrustManager that accepts everything and passing it to the SSL socket factory. Doing so disables server authentication entirely: the connection is still encrypted, but anyone who can intercept the traffic can present their own certificate and read or alter it. It is at most a temporary workaround inside a trusted network; the proper fix is to trust the specific certificate or CA that the server uses.
Original link: https://blog.csdn.net/weixin_54505261/article/details/138182696
1. Upgrading the JDK
Installing JDK 1.8 on Linux
Download from the official site: https://www.oracle.com/java/technologies/downloads/#java8
1. Download the matching linux-x64.tar.gz
Check the current Java version:
java -version
Check whether a bundled OpenJDK is present:
rpm -qa|grep jdk
If so, remove it:
rpm -e --nodeps xxx    (xxx is the package name printed by the previous command)
Verify that it is gone:
rpm -qa|grep jdk
Upload and unpack the archive on the server
Archive: jdk-8u401-linux-x64.tar.gz
The directory used here is /usr/local/java
cd /usr/local/java
tar -zxvf jdk-8u401-linux-x64.tar.gz
vim /etc/profile
Append the following at the end of the file:
export JAVA_HOME=/usr/local/java/jdk1.8.0_401
export JRE_HOME=/usr/local/java/jdk1.8.0_401/jre
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib:$CLASSPATH
export PATH=$JAVA_HOME/bin:$PATH
Reload the environment:
source /etc/profile
Verify:
java -version
2. Bypassing SSL
Besides trust verification and client authentication, which happen at the SSL/TLS protocol layer, HttpClient can optionally verify that the target hostname matches the names stored in the server's X.509 certificate once the connection has been established. This check gives an extra guarantee of server identity. The javax.net.ssl.HostnameVerifier interface represents a strategy for hostname verification, and HttpClient ships with two implementations. Note: do not confuse hostname verification with SSL trust verification; they are separate checks, and the trust-all manager used later in this post switches off only the latter.
DefaultHostnameVerifier: the default implementation used by HttpClient, compliant with RFC 2818. The hostname must match any of the subject alternative names in the certificate or, when no subject alternative names are present, the CN given in the certificate subject. Wildcards may appear in both the CN and the subject alternative names.
NoopHostnameVerifier: this verifier essentially turns hostname verification off; it accepts any valid SSL session as matching the target host, so a certificate issued for some other name is accepted for this host, which defeats the purpose of the check.
By default HttpClient uses DefaultHostnameVerifier; a different verifier can be specified if needed:
SSLContext sslContext = SSLContexts.createSystemDefault();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
HttpClient 4.4 uses the public suffix list maintained by the Mozilla Foundation to make sure that wildcards in SSL certificates cannot be misused to cover multiple domains under a common top-level domain. HttpClient ships with a copy of that list; the latest revision is at https://publicsuffix.org/list/. It is strongly advised to keep a local copy and update it from the source once a day.
PublicSuffixMatcher publicSuffixMatcher = PublicSuffixMatcherLoader.load(PublicSuffixMatcher.class.getResource("my-copy-effective_tld_names.dat"));
DefaultHostnameVerifier hostnameVerifier = new DefaultHostnameVerifier(publicSuffixMatcher);
Public suffix list verification can be disabled by passing a null matcher:
DefaultHostnameVerifier hostnameVerifier = new DefaultHostnameVerifier(null);
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;

import org.apache.http.Consts;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.mime.HttpMultipartMode;
import org.apache.http.entity.mime.MultipartEntityBuilder;
import org.apache.http.entity.mime.content.FileBody;
import org.apache.http.entity.mime.content.StringBody;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;

// Posts a multipart/form-data request (files plus text fields) through the
// custom HttpClient built by createHttpsClient() below.
public String sendAttachment(String url, Map<String, String> param, List<File> files) throws Exception {
    // String url = "http://1f667997x7.iask.in/lpyxcj_outer/attachment/jybgAttachment";
    String resultMsg = "";
    // CloseableHttpClient httpClient = HttpClients.createDefault();
    CloseableHttpClient httpClient = createHttpsClient();
    try {
        HttpPost httpPost = new HttpPost(url);
        // Build the multipart body
        MultipartEntityBuilder multipartEntity = MultipartEntityBuilder.create();
        multipartEntity.setCharset(StandardCharsets.UTF_8).setMode(HttpMultipartMode.BROWSER_COMPATIBLE);
        // Wrap each attachment as a FileBody under the field name "files"
        for (File file : files) {
            multipartEntity.addPart("files", new FileBody(file));
        }
        // The remaining parameters go in as UTF-8 text parts
        for (Map.Entry<String, String> entry : param.entrySet()) {
            multipartEntity.addPart(entry.getKey(),
                    new StringBody(entry.getValue(), ContentType.create("text/plain", Consts.UTF_8)));
        }
        HttpEntity reqEntity = multipartEntity.build();
        httpPost.setEntity(reqEntity);
        // Execute the request and read the response body
        try (CloseableHttpResponse response = httpClient.execute(httpPost)) {
            HttpEntity resEntity = response.getEntity();
            if (resEntity != null) {
                resultMsg = EntityUtils.toString(resEntity, StandardCharsets.UTF_8);
            }
            EntityUtils.consume(resEntity);
        } catch (IOException e) {
            e.printStackTrace();
        }
    } finally {
        try {
            httpClient.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    return resultMsg;
}
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

// Builds an HttpClient whose "https" scheme accepts ANY server certificate.
// This removes server authentication entirely; see TrustAllManager below.
public static CloseableHttpClient createHttpsClient()
        throws NoSuchAlgorithmException, KeyManagementException, IOException {
    // Diagnostic only: print what the default TLS stack supports and enables.
    // A protocol that is "supported" but not "enabled" (e.g. TLSv1 on JDK 8u291+)
    // is the cause of the "Server chose TLSv1 ..." handshake error discussed later.
    SSLContext probeContext = SSLContext.getInstance("TLS");
    probeContext.init(null, null, null);
    try (SSLSocket socket = (SSLSocket) probeContext.getSocketFactory().createSocket()) {
        String[] protocols = socket.getSupportedProtocols();
        System.out.println("Supported Protocols: " + protocols.length);
        for (String p : protocols) {
            System.out.println(" " + p);
        }
        protocols = socket.getEnabledProtocols();
        System.out.println("Enabled Protocols: " + protocols.length);
        for (String p : protocols) {
            System.out.println(" " + p);
        }
    }

    // The bypass: an SSLContext whose only trust manager accepts every certificate.
    TrustManager[] trustAllCerts = new TrustManager[] { new TrustAllManager() };
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
    // Alternative kept from the original: trust only self-signed certificates via HttpClient's builder
    // SSLContextBuilder builder = new SSLContextBuilder();
    // builder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
    // before HttpClient 4.3:
    // SSLConnectionSocketFactory sslcsf = new SSLConnectionSocketFactory(
    //         builder.build(), SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    // HttpClient 4.3 and later:
    // SSLConnectionSocketFactory sslcsf = new SSLConnectionSocketFactory(builder.build(),
    //         new String[] { "SSLv3" }, null, new NoopHostnameVerifier());

    // Hostname verification is left on, but with a trust-all manager it adds little:
    // an attacker can present a certificate bearing any name and it will be accepted.
    Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
            .register("http", PlainConnectionSocketFactory.INSTANCE)
            .register("https", new SSLConnectionSocketFactory(sslContext,
                    SSLConnectionSocketFactory.getDefaultHostnameVerifier()))
            .build();
    PoolingHttpClientConnectionManager connManager = new PoolingHttpClientConnectionManager(registry);
    connManager.setMaxTotal(1000);         // maximum connections in the pool
    connManager.setDefaultMaxPerRoute(20); // maximum connections per route
    // CloseableHttpClient httpClient = HttpClients.createDefault();
    return HttpClients.custom().setConnectionManager(connManager).build();
}
----------------------------------------------------------------------------
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.X509TrustManager;

// A trust manager that accepts every certificate chain without checking it.
// With this installed the client performs NO server authentication: any
// certificate, including one presented by a man-in-the-middle, passes.
// (X509TrustManager already extends TrustManager, so it is the only interface needed.)
public class TrustAllManager implements X509TrustManager {

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Deliberately empty: never throws, so every client chain is accepted.
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Deliberately empty: never throws, so every server chain is accepted.
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Return an empty array rather than null: some callers iterate over this
        // value and throw NullPointerException on null.
        return new X509Certificate[0];
    }
}
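The safe form of the same wiring, as an added example (not the original post's code and not part of Apache HttpClient itself), covering both the TrustManager/SSLContext/SSLSocketFactory procedure from the overview and the hostname verifier section above: instead of a trust-all manager, load the partner's self-signed certificate or private CA from a PEM file into an in-memory trust store, keep the default hostname verifier, and pin the protocol list to TLS 1.2/1.3. The class name PinnedHttpsClient, the PEM path argument and the pool sizes are assumptions; it requires HttpClient 4.4+ and, for TLSv1.3, JDK 8u261+ or JDK 11+.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

import javax.net.ssl.SSLContext;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;

/**
 * Added example, not code from the original post: an HttpClient that trusts
 * ONLY the certificate(s) in a PEM file (the partner's self-signed certificate
 * or private CA) instead of trusting everything. Class and method names are
 * assumptions; requires Apache HttpClient 4.4+.
 */
public final class PinnedHttpsClient {

    /** Load every PEM-encoded X.509 certificate in the file into an empty in-memory trust store. */
    public static KeyStore trustStoreFromPem(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // null stream = create an empty store
        try (InputStream in = Files.newInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            if (certs.isEmpty()) {
                throw new IllegalArgumentException("no certificates found in " + pemFile);
            }
            int i = 0;
            for (Certificate c : certs) {
                trustStore.setCertificateEntry("pinned-" + (i++), c);
            }
        }
        return trustStore;
    }

    /** Same registry/pool wiring as the post's createHttpsClient(), but with real server authentication. */
    public static CloseableHttpClient create(Path pemFile) throws Exception {
        KeyStore trustStore = trustStoreFromPem(pemFile);

        // No TrustStrategy is passed, so the JDK's normal chain validation
        // (signature, validity period, key usage) still runs; the only change is
        // that the trust anchors come from our file instead of cacerts.
        SSLContext sslContext = SSLContexts.custom()
                .setProtocol("TLS")
                .loadTrustMaterial(trustStore, null)
                .build();

        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext,
                // Pin the protocol list so a downgrade to SSLv3/TLSv1 is impossible.
                // TLSv1.3 needs JDK 8u261+ or JDK 11+; on older builds list only TLSv1.2,
                // otherwise setEnabledProtocols() throws IllegalArgumentException.
                new String[] { "TLSv1.2", "TLSv1.3" },
                null, // default cipher suites
                // Keep hostname verification on: a valid certificate for some other
                // host must not be accepted for this one.
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.INSTANCE)
                .register("https", sslsf)
                .build();

        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        cm.setMaxTotal(100);          // assumed pool sizes
        cm.setDefaultMaxPerRoute(20);
        return HttpClients.custom().setConnectionManager(cm).build();
    }
}
```

Export the server's certificate chain once (for example with openssl s_client -showcerts) into a PEM file, then PinnedHttpsClient.create(Paths.get("server.pem")) can replace createHttpsClient() in sendAttachment. If the handshake now fails with a PKIX path-building error, the certificate in the file is not the one the server presents, which is exactly the condition the trust-all manager would have hidden.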
Problems encountered:
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
This is governed by the JDK's security configuration file:
C:\Program Files\Java\jdk1.8.0_60\jre\lib\security\java.security
The relevant property is jdk.tls.disabledAlgorithms. A protocol listed there (SSLv3 in every JDK 8 build, TLSv1 and TLSv1.1 as well since 8u291) cannot be negotiated even when the application explicitly enables it, so "not supported" in the message means "disabled by policy". Removing the entry re-enables the protocol for every TLS connection of that JVM; SSLv3 has known practical attacks and should not be re-enabled for a client that talks across an untrusted network.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
Reference: https://www.cnblogs.com/remember-forget/p/10271248.html
Replace the JCE jars in the JDK
According to online sources this comes from the limited-strength cryptography policy of older JDK builds: if the server insists on a cipher suite the restricted policy forbids (for example 256-bit AES), no suite is common to both sides and the server aborts with handshake_failure. Download the matching JCE Unlimited Strength policy files from Oracle and replace the ones in the JDK.
Location of the JCE policy files: %JAVA_HOME%\jre\lib\security, the files local_policy.jar and US_export_policy.jar
JDK7 http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
JDK8 http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Cloud drive mirror: https://pan.baidu.com/s/1Klr3MS8yhpEnlj7nYM1OYw
Caveat: from JDK 8u161 onwards the unlimited policy is the default (crypto.policy=unlimited in java.security), so this replacement is only needed on older 8 builds. On 8u161+ a handshake_failure has another cause, usually no protocol version or cipher suite in common with the server.
Changing the Java application's parameters:
Java connecting to SQL Server fails with: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]
The message says the server offers only TLS 1.0 while the client (JDK 8u291+ or JDK 11+) accepts only TLS 1.2 and 1.3. Adding the following option to the JVM startup parameters sets the protocols used by HttpsURLConnection:
-Dhttps.protocols=TLSv1.2,TLSv1.3
It does not affect JDBC, and it cannot make a TLS-1.0-only server acceptable, since TLS 1.0 is still excluded. The JDBC driver uses the default SSLContext, which is governed by jdk.tls.client.protocols and, above all, by jdk.tls.disabledAlgorithms in java.security. To allow TLS 1.0 for one JVM only, point it at an override file instead of editing the JDK:
-Djava.security.properties=/path/to/legacy-tls.properties
where that file contains a single jdk.tls.disabledAlgorithms line repeating the JDK's value with the TLSv1 entry removed. The correct fix remains enabling TLS 1.2 on the SQL Server side.
CentOS 8:
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Server chose TLSv1, but that protocol version is not enabled or not supported by the client.".
# Enable TLSv1
vi /etc/crypto-policies/back-ends/opensslcnf.config
# MinProtocol = TLSv1.2
MinProtocol = TLSv1
MaxProtocol = TLSv1.3
# Editing opensslcnf.config by hand has no effect on Java: OpenJDK on CentOS 8 reads
# /etc/crypto-policies/back-ends/java.config, and update-crypto-policies regenerates
# all back-end files anyway. Switching the system policy is what worked:
update-crypto-policies --set LEGACY
# LEGACY re-enables TLS 1.0/1.1 for every TLS consumer on the host (OpenSSL, GnuTLS, NSS, Java),
# not just this driver. A Java-only override via -Djava.security.properties keeps the change
# scoped to the one JVM that needs it.
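As an added example for the protocol errors in this section (not code from the original post): the class below, with the assumed name LegacyTlsProbe, parses the jdk.tls.disabledAlgorithms security property, reports what the default SSLContext will actually offer in its ClientHello, and, when the one legacy connection truly cannot be avoided, removes TLSv1 from the disabled list for this JVM only instead of switching the whole host to the LEGACY policy. Method names are assumptions.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

/**
 * Added example, not from the original post. Diagnoses and narrowly fixes
 * "Server chose TLSv1, but that protocol version is not enabled or not
 * supported by the client". Assumes nothing has touched TLS in this JVM
 * before allowProtocol() runs.
 */
public final class LegacyTlsProbe {

    static final String DISABLED_PROP = "jdk.tls.disabledAlgorithms";

    /** Split a jdk.tls.disabledAlgorithms value into its comma-separated entries. */
    static List<String> parseDisabled(String value) {
        List<String> entries = new ArrayList<>();
        if (value == null) return entries;
        for (String e : value.split(",")) {
            String t = e.trim();
            if (!t.isEmpty()) entries.add(t);
        }
        return entries;
    }

    /** True if the protocol appears as a plain entry (e.g. "TLSv1"), case-insensitively. */
    static boolean isDisabled(String value, String protocol) {
        for (String e : parseDisabled(value)) {
            if (e.equalsIgnoreCase(protocol)) return true;
        }
        return false;
    }

    /** The same list with one protocol entry removed; constraint entries such as "DH keySize < 1024" are untouched. */
    static String withoutProtocol(String value, String protocol) {
        List<String> kept = new ArrayList<>();
        for (String e : parseDisabled(value)) {
            if (!e.equalsIgnoreCase(protocol)) kept.add(e);
        }
        return String.join(", ", kept);
    }

    /**
     * Re-enable one protocol for this JVM only, without editing java.security or
     * switching the host to the LEGACY crypto policy. The JDK reads the property
     * when its TLS classes initialise, so this must run before the first
     * SSLContext / JDBC / HttpClient use; afterwards it silently has no effect.
     */
    public static void allowProtocol(String protocol) {
        String current = Security.getProperty(DISABLED_PROP);
        if (isDisabled(current, protocol)) {
            Security.setProperty(DISABLED_PROP, withoutProtocol(current, protocol));
        }
    }

    /** What the default SSLContext will actually offer in a ClientHello. */
    public static String[] enabledProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            return s.getEnabledProtocols();
        }
    }

    public static void main(String[] args) throws Exception {
        // Uncomment only for the one legacy system that still needs it, and only
        // until the server is upgraded to TLS 1.2:
        // allowProtocol("TLSv1");
        System.out.println("disabled: " + Security.getProperty(DISABLED_PROP));
        System.out.println("enabled : " + Arrays.toString(enabledProtocols()));
        // "Server chose TLSv1 ..." means TLSv1 is missing from the enabled list,
        // which on JDK 8u291+ is because it sits in the disabled list by default.
    }
}
```

Run it once against the JVM that shows the error: if TLSv1 is in the disabled list and absent from the enabled list, the client is the side refusing TLS 1.0 and the three fixes in this section (java.security, a -Djava.security.properties override, or the crypto policy) all act on that one property. Prefer the narrowest one that reaches the JVM in question.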