java url hostname,所有信任的HostnameVerifier都会导致HttpURLConnection出现SSL错误

最新推荐文章于 2022-10-11 23:20:00 发布
最新推荐文章于 2022-10-11 23:20:00 发布
阅读量508 收藏
点赞数
文章标签: java url hostname

I'm using HttpURLConnection to connect to SSL sites. Occasionally these use self signed certificates / otherwise badly behaved SSL so I have a mode where these an be accessed. I'm using the typical code recommended many places online:

// Create a trust manager that does not validate certificate chains

TrustManager[] trustAllCerts = new TrustManager[]{

new X509TrustManager() {

public java.security.cert.X509Certificate[] getAcceptedIssuers() {

return null;

}

public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {}

public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {}

}

};

// Install the all-trusting trust manager

SSLContext sc = SSLContext.getInstance("SSL");

sc.init(null, trustAllCerts, new java.security.SecureRandom());

HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

// Don't verify host names

HostnameVerifier hv = new HostnameVerifier() {

public boolean verify(String urlHostName, SSLSession session) {

return true;

}

};

HttpsURLConnection.setDefaultHostnameVerifier(hv);

The problem is that this causes SSL errors for many sites, e.g.:

javax.net.ssl.SSLException: Received fatal alert: internal_error

Output when javax.net.debug=all enabled:

[java] Thread-8, READ: TLSv1.2 Alert, length = 2

[java] Thread-8, RECV TLSv1.2 ALERT: fatal, internal_error

[java] Thread-8, called closeSocket()

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Output when javax.net.debug=all enabled:

[java] Thread-13, READ: TLSv1.2 Alert, length = 2

[java] Thread-13, RECV TLSv1.2 ALERT: fatal, handshake_failure

[java] Thread-13, called closeSocket()

None of these issues are related to the TrustManager, commenting out the HostnameVerifier part always allows the connection to work correctly.

Notes:

Java version: 1.8.0_111

Unfortunately I can't switch to apache httpclient (there's a lot of code built around HttpURLConnection)

解决方案

From jdk 8u66, using a custom HostnameVerifier does not send Extended server_name extension during handshake. This bug will be fixed in version 8u152.

This is the trace of handshake invoking to https://www.territrespicio.com with your code

*** ClientHello, TLSv1.2

RandomCookie: GMT: 1467981635 bytes = { 253, 197, 8, 192, 170, 180, 230, 6, 212, 233, 219, 201, 182, 39, 204, 176, 49, 215, 43, 41, 112, 204, 188, 29, 115, 235, 191, 74 }

Session ID: {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods: { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

***

main, WRITE: TLSv1.2 Handshake, length = 233

main, READ: TLSv1.2 Alert, length = 2

main, RECV TLSv1.2 ALERT: fatal, handshake_failure

main, called closeSocket()

main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

This is the trace (working) removing

HttpsURLConnection.setDefaultHostnameVerifier(hv);

*** ClientHello, TLSv1.2

RandomCookie: GMT: 1467981305 bytes = { 187, 36, 131, 239, 148, 148, 198, 107, 89, 74, 67, 33, 127, 76, 24, 17, 108, 254, 79, 104, 242, 239, 51, 36, 180, 244, 181, 45 }

Session ID: {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods: { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

Extension server_name, server_name: [type=host_name (0), value=www.territrespicio.com]

***

main, WRITE: TLSv1.2 Handshake, length = 264

main, READ: TLSv1.2 Handshake, length = 89

*** ServerHello, TLSv1.2

RandomCookie: GMT: -2137263708 bytes = { 105, 47, 249, 171, 64, 55, 195, 235, 198, 159, 46, 193, 42, 65, 156, 243, 134, 177, 35, 221, 75, 16, 222, 103, 42, 55, 103, 231 }

Session ID: {42, 151, 108, 66, 43, 195, 53, 201, 234, 24, 245, 14, 183, 242, 185, 128, 66, 115, 60, 35, 167, 159, 178, 238, 93, 155, 20, 195, 95, 155, 11, 79}

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Compression Method: 0

Extension renegotiation_info, renegotiated_connection:

Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]

***

You can see that adds in ClientHello the required extension

Extension server_name, server_name: [type=host_name (0), value=www.territrespicio.com]

There is no documented workaround. So consider using a JDK version <8u66 or >=8u152

Updated -- Workaround

If you use a custom SSLSocketFactory without override createSocket() (the method without parameters), the createSocket well parametrized is used and all works as expected (with client sni extension).

You can find a similar workaround here. I have tried with just a wrapper and it works.

HttpsURLConnection.setDefaultSSLSocketFactory(

new SSLSocketFactoryWrapper(sc.getSocketFactory()));

SSLSocketFactoryWrapper (full code)

package test;

import java.io.IOException;

import java.net.InetAddress;

import java.net.Socket;

import java.net.UnknownHostException;

import javax.net.ssl.SSLSocketFactory;

public class SSLSocketFactoryWrapper extends SSLSocketFactory {

private SSLSocketFactory factory;

public SSLSocketFactoryWrapper(SSLSocketFactory factory){

this.factory = factory;

}

/*

@Override

public Socket createSocket() throws IOException {

return factory.createSocket();

}

*/

@Override

public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {

return factory.createSocket(s, host, port, autoClose);

}

@Override

public String[] getDefaultCipherSuites() {

return factory.getDefaultCipherSuites();

}

@Override

public String[] getSupportedCipherSuites() {

return factory.getSupportedCipherSuites();

}

@Override

public Socket createSocket(String host, int port) throws IOException, UnknownHostException {

return factory.createSocket(host, port);

}

@Override

public Socket createSocket(InetAddress host, int port) throws IOException {

return factory.createSocket(host, port);

}

@Override

public Socket createSocket(String host, int port, InetAddress localHost, int localPort)

throws IOException, UnknownHostException {

return factory.createSocket(host, port, localHost, localPort);

}

@Override

public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {

return factory.createSocket(address, port, localAddress, localPort);

}

}

weixin_39903176
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
使用HttpUrlConnection或者HttpClient做https请求时导致SSLHandshakeException异常
宇云3的博客
09-19 1万+
最近发现在做https请求时,报出SSL握手异常 javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate signature. 仔细看了下,用HttpUrlConne
JAVA中为 HttpsURLConnection 设置自定义的 HostnameVerifier 导致 SNI 失效的问题
Dancen的专栏
09-06 5963
由于我们拥有大量的域名,并且这些域名都使用了https,因此https证书的管理成了一个问题。于是我写了一个https证书的监控器,能在https证书出现问题(例如即将到期,已经到期,或者证书错误)时,主动通知管理人员。 该https证书监控器在我本机开发运行时一切正常,但当部署到监控服务器后,大量的https证书无法通过检查,出现了上图所示第2项的预警,即https证书监控器认为证书与域名...
httpsUrlConnection 如何设置的默认sslcontext和 hostnameverifier?
xiaoliuliu2050的专栏
11-02 3414
https请求接口的时候java是什么时候默认添加ssl 上下文的? HttpURLConnection 子类HttpsURLConnection 子类HttpsURLConnectionImpl 1 url.openConnection()) 2 https 的Handler 调用 protected URLConnection openConnection(URL var1) throws IOException { return this.openConnection(var1, (Pro.
Spring Data Cassandra enable ssl hostname verification
zhangmingleon的专栏
05-23 1839
现在spring data cassandra是不能通过一个开关直接开启sslhostname verification的,也就是所谓的verify-full,所以得自己改下代码. 方案1: implementsCqlSessionBuilderCustomizer import com.datastax.oss.driver.api.core.CqlSessionBuilder; import org.springframework.beans.factory.annotation.Autow.
解决使用HttpsUrlConnection请求https出现连接未复用的问题.
JiangJsf的博客
08-30 894
当没有现成的答案时, 通过源码排查问题让你恍然大悟. 处理问题原来就是这么的简单.
android_webview_ssl p12
01-11
对于自签名或由非标准CA签发的证书,Webview抛出一个SSL错误导致加载失败。为了解决这个问题,我们需要对Webview进行配置,允许它接受特定的SSL证书。 二、P12证书介绍 P12(PKCS#12)是一种文件格式,用于...
java访问https的类.rar
11-08
然后,它将该`SSLContext`的`SSLSocketFactory`设置为`HttpsURLConnection`的默认值,并设定一个总是返回`true`的`HostnameVerifier`,这样即使主机名不匹配也通过验证。 请注意,`disableSSLVerification`方法应...
java.security.cert.CertificateException: No subject alternative DNS name matching XXX found解决方案
12-21
public boolean verify(String urlHostName, SSLSession session) { return true; } }; ``` 这个`HostnameVerifier`将始终返回`true`,表明任何主机名都是有效的。 3. 初始化SSLContext并设置默认的`...
Android SSL 安全访问HTTPS服务器案例
02-12
请注意,上述代码仅用于演示目的,实际生产环境中应谨慎使用,特别是信任所有证书的`TrustManager`和`HostnameVerifier`,因为它们忽视任何证书错误,这可能导致安全风险。在生产环境中,应该正确配置信任的CA证书...
android实现登录并且加密url
05-26
.hostnameVerifier((hostname, session) -> true) .build(); ``` 2. **数据加密**:在发送登录信息前,我们可能需要对用户名和密码进行加密。常见的加密方式有MD5、SHA系列、AES等。例如,使用AES加密: ```java...
https的认证
zqj861791241的博客
10-30 532
public class MainActivity extends AppCompatActivity {     @Override     protected void onCreate(Bundle savedInstanceState) {         super.onCreate(savedInstanceState);         setContentView(R.
Java JDK1.6,HttpURLConnection获取HTTPS链接,SSL
tyasd
03-29 2894
MyX509TrustManager.java import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.ssl.X509TrustManager; public class MyX509TrustManager impl...
【JDK】Java语言中URLURLConnection类的介绍及其相关方法
最新发布
✅ Java 开发工程师,从事 Web 应用程序的研发,擅长 Spring、SpringBoot 等技术。 ✅ 热爱编程,业余时间学习新知识,通过 CSDN 记录学习心得和笔记内容。
10-11 1144
URL,它是位于【java.net】包下面的一个类,该类主要是对资源地址的一个抽象表示,URL英文全称是:【Uniform Resource Locator】,中文含义表示【统一资源定位符】。什么是统一资源定位符呢???在计算机的世界里面,我们所能够看到的所有的信息,图片,视频等等,它们都是存在不同的计算机上面的,我们把这些信息统称为:【资源】。我们要想通过浏览器就能够找到对应的资源,那就需要根据统一资源定位符找到该资源的具体位置,然后从这个位置下载到浏览器本地,这也是统一资源定位符的主要作用,即:
Https请求握手验证方式,对相应域名进行认证通过
hua245942641的专栏
11-13 1440
对于Https请求,在握手期间,如果 URL 的主机名和服务器的标识主机名不匹配,则验证机制可以回调此接口的实现程序来确定是否应该允许此连接。 策略可以是基于证书的或依赖于其他验证方案。 当验证 URL 主机名使用的默认规则失败时回调到HttpsURLConnection.setDefaultHostnameVerifier。因此,我们可以通过实现自己的HostnameVerifier子类来对
HttpsURLConnection的使用
u012591104的博客
09-20 2564
HttpURLConnection的API参见这里扩展方法及返回(毕竟英语课代表)getCipherSuite():获得此次连接过程中用到的加密算法套件getDefaultHostnameVerifier():获得被该类继承实例的默认认证域名getDefaultSSLSocketFactory():获得被该类继承实例的默认静态SSL套接字工厂getHostnameVerifier():获得该实例的认
java https
u010737670的博客
05-27 129
public class SSLSocketClient { //获取这个SSLSocketFactory public static SSLSocketFactory getSSLSocketFactory() { try { SSLContext sslContext = SSLContext.getInstance("SSL"); sslContext.init(null, getTrustManager(), new .
OkHttp3忽略所有证书
h1311454244的博客
05-05 2256
做了个工具,用到了okhttp3,利用https访问一些资源结果报错SSLHandShakeException,查了查最后给解决了,这里不讨论https,网上好不容易弄好的,这里分享一下,网上大部分是安卓的,我这里就是利用的java,做个笔记解决因为证书问题而无法访问。 就是在new OkHttpClient okHttpClient; 的时候加些自定义证书,写一些代码在okH...
javaHttpURLConnection发起HTTPS请求并跳过SSL证书,解决:unable to find valid certification path to requested targ
P_L_Wen97的博客
06-21 4371
HttpUrlConnection请求忽略SSL认证请求
关于HttpUrlConnection请求网络加载证书与不加载证书的区别
屿汐学长的博客
05-14 617
关于https网络请求这一块,个人感觉内容挺多的,多到难以理解,于是不自觉的又动手研究了下。关于https的有关介绍,我这里推荐一个博客:https原理:证书传递、验证和数据加密、解密过程解析,下面是我测试HttpUrlConnection的日志: 测试的3个网址分别为: String uri1 = "https://mportal.tianjihuifu.com/tjhf/login...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值