How to disable certificate validations in the Java HTTP Client

最新推荐文章于 2024-06-21 15:14:18 发布
最新推荐文章于 2024-06-21 15:14:18 发布
阅读量967 收藏 17
点赞数 28
文章标签: java http ssl
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/mmoooodd/article/details/135549503
版权

Java 11 introduced the HTTP Client, an API that made it easier to send HTTP requests with vanilla Java.

By default, it throws an exception if there are certificate path or hostname verification errors in the request.

Let’s see how to bypass certificate validations for cases where this is really necessary.

Disabling all certificate verifications for a specific client

To ignore both certificate path and hostname verifications, create an X509ExtendedTrustManager extension that doesn't do any verification and use it to init an SSLContext for an HttpClient:

var trustManager = new X509ExtendedTrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[]{};
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) {
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
    }
};
var sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{trustManager}, new SecureRandom());

var client = HttpClient.newBuilder()
        .sslContext(sslContext)
        .build();

With this solution, only that client with that custom SSLContext specified will allow insecure requests. So in many cases this is the best option.

You can use the example URLs https://expired.badssl.com/ and https://wrong.host.badssl.com/ to test:

var expiredRequest = HttpRequest.newBuilder()
        .uri(URI.create("https://expired.badssl.com/"))
        .build();

var wrongHostRequest = HttpRequest.newBuilder()
        .uri(URI.create("https://wrong.host.badssl.com/"))
        .build();

client.send(expiredRequest, BodyHandlers.discarding());
client.send(wrongHostRequest, BodyHandlers.discarding());

Errors you would get

Without disabling verification, this error would occur for an expired SSL/TLS certificate:

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

...

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sun Apr 12 20:59:59 BRT 2015

And for a wrong hostname:

javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching wrong.host.badssl.com found.

...

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching wrong.host.badssl.com found.

Disabling hostname verification by system property

You can set the jdk.internal.httpclient.disableHostnameVerification system property to "true" to disable only hostname verification, as shown in the Javadoc.

This solution isn’t applied to certificate path verification, so an expired certificate would still cause an exception. And it has the disadvantage of disabling hostname verification for requests from all clients.

Disabling only certificate path verification

If you create an X509TrustManager implementation (instead of an X509ExtendedTrustManager extension) that doesn't do verifications and use it on a client, it will ignore only the certificate path verification:

var sslContext = SSLContext.getInstance("TLS");
var trustManager = new X509TrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[]{};
    }

    @Override
    public void checkClientTrusted(X509Certificate[] certs, String authType) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] certs, String authType) {
    }
};
sslContext.init(null, new TrustManager[]{trustManager}, new SecureRandom());

var client = HttpClient.newBuilder()
        .sslContext(sslContext)
        .build();
var request = HttpRequest.newBuilder()
        .uri(URI.create("https://expired.badssl.com/"))
        .build();
client.send(request, BodyHandlers.discarding());

So this solution isn’t applied to hostname verification.

Conclusion

To disable certificate verification, the best option in most cases is to use an X509ExtendedTrustManager extension that doesn't do any verification, as this will bypass both certificate path and hostname verifications and will only apply to the specified client.

mmoooodd
关注
  • 28
    点赞
  • 17
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Disable Certificate Validation in Java SSL Connections
淡极始知花更艳
01-06 720
http://www.nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/
How to Setup and Install Oracle Weblogic inCentOS7
weixin_33895016的博客
09-14 268
In this tutorial, I'll guide you on how to setup and install Oracle Weblogicon CentOS 7 operation system. Oracle Weblogic is a middleware tool that is widely used by large companies to ser...
karate
vick的博客
02-26 831
karate
apache-cassandra-4.1.3单机部署及集群部署及简单操作
11-17 919
是一套开源分布式NoSQL数据库系统。它最初由Facebook开发,用于储存收件箱等简单格式数据,用于储存特别大的数据,集GoogleBigTable的数据模型与Amazon Dynamo的完全分布式的架构于一身。是一套开源分布式Key-Value存储系统。这样单机版本的cassandra安装完成了。一、apache-cassandra介绍。二、apache-cassandra下载。六、进入cassandra。五、启动cassandra。选择一个自己喜欢的版本。四、修改python。
MuleSoft Certified Integration Architect - Level 1 Practice Exam
Rosen's
11-28 658
Which two considerations must be kept in mind while using the Serialization API?(Choose two.)A The API does not provide any flexibility to specify which classloader to use B The API passes an OutputStream when serializing and streaming C The API is not thr
Kubernetes 准入控制器: Admission Webhook
小楼一夜听春雨,深巷明朝卖杏花
07-20 3148
Admission Webhook:准入控制器Webhook是准入控制插件的一种,用于拦截所有向APISERVER发送的请求,并且可以修改请求或拒绝请求。 Admission webhook为开发者提供了非常灵活的插件模式,在kubernetes资源持久化之前,管理员通过程序可以对指定资源做校验、修改等操作。例如为资源自动打标签、pod设置默认SA,自动注入sidecar容器等。 相关Webhook准入控制器: • MutatingAdmissionWebhook:修改资源,理论上可以监
docker 离线部署seaweedfs 集群
ljy啊虎的博客
04-13 1404
本集群采用6台服务器进行部署。采用cassandra集群存储元数据,3master节点、3filer节点、3cassandra节点。
Nginx-Lua-Module Manual for ngx_lua v0.10.11
fei的专栏
12-22 1924
Name ngx_http_lua_module - Embed the power of Lua into Nginx HTTP Servers. This module is not distributed with the Nginx source. See the installation instructions. Table of Contents Na
How to disable_enable a timing check in a design.pdf
03-27
后仿
KBA_160615010248_2_how_to_disable_QC3_0_.pdf
04-07
如何关闭QC3.0
VS错误提示:To disable deprecation, use _CRT_SECURE_NO_WARNINGS.
01-07
Severity Code Description ... To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. 解决方案:更改预处理定义 右击项目名,选择Properties 在c/c++下选择Preprocessor 点击图
Disable Textbox in 3 Failure Login Attempts in Javascript.zip
11-08
JavaScript
CalendarCheck:Check-In & Checkout | 入住离店选择
05-18
日历检查介绍该项目的源代码来自Calendarlistview项目。 它提供了一种使用API​​ 10+日历选择日期的简便方法。 ,显示如何使用默认样式将DatePickerView添加到您的布局。以下是变更清单重命名一些重要变量支持选择...
HTTPLuaModule使用说明文档
fei的专栏
03-18 5504
Name ngx_http_lua_module - Embed the power of Lua into Nginx HTTP Servers. This module is not distributed with the Nginx source. See the installation instructions. Table of Contents Na
日常工作记录目录
最新发布
与海
06-21 125
EasyExcel实现二维码下载与展示
数据结构与算法-差分数组及应用
qq_36115196的博客
06-20 757
差分数组: 其实差分数组是创建一个一个辅助数组,用来表示给定数组的变化,一般用来对数组进行区间修改的操作。
Day43
m0_67496588的博客
06-20 1021
JSON,Ajax
How to disable "Allow sites to run Flash"
05-11
7. Alternatively, you can toggle the switch next to "Block sites from running Flash" to turn it on and disable Flash altogether. Keep in mind that Adobe Flash Player is no longer supported and has ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值