httpsUrlConnection 如何设置的默认sslcontext和 hostnameverifier?

最新推荐文章于 2024-07-26 12:28:02 发布
最新推荐文章于 2024-07-26 12:28:02 发布
阅读量3.3k 收藏 2
点赞数
文章标签: java
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/xiaoliuliu2050/article/details/109390595
版权 
https请求接口的时候java是什么时候默认添加ssl 上下文的? HttpURLConnection 子类HttpsURLConnection 子类HttpsURLConnectionImpl
1 url.openConnection()) 
2 https 的Handler 调用
protected URLConnection openConnection(URL var1) throws IOException {
    return this.openConnection(var1, (Proxy)null);
}

protected URLConnection openConnection(URL var1, Proxy var2) throws IOException {
    return new HttpsURLConnectionImpl(var1, var2, this);
}

3  HttpsURLConnectionImpl类实例化的时候会默认添加 sslcontext和hostnameverifier.并生成delegate对象

HttpsURLConnectionImpl(URL var1, Proxy var2, Handler var3) throws IOException {
    super(var1);
    this.delegate = new DelegateHttpsURLConnection(this.url, var2, var3, this);
}

4 HttpsURLConnection的构造方法里

protected HttpsURLConnection(URL var1) {
    super(var1);
    this.hostnameVerifier = defaultHostnameVerifier;
    this.sslSocketFactory = getDefaultSSLSocketFactory();
}

HttpsURLConnection构造方法里 就会初始化默认的sslcontext 和hostnameverifier 

默认default hostnameverifier校验是不通过的。

5 看一下getDefaultSSLSocketFactory 的源码如下:

public static SSLSocketFactory getDefaultSSLSocketFactory() {
    if (defaultSSLSocketFactory == null) {
        defaultSSLSocketFactory = (SSLSocketFactory)SSLSocketFactory.getDefault();
    }

    return defaultSSLSocketFactory;
}

所以如果想要设置一个默认的sslsocketFactory 可以调用

HttpsURLConnection.defaultSSLSocketFactory=? 设置。或者调用 HttpsURLConnection.setDefaultSSLSocketFactory(?)   方法设置

如果没有设置,就会调用系统默认的SSLSocketFactory。

6 继续看一下SSLSocketFactory.getDefault方法的源码:

public static synchronized SocketFactory getDefault() {
    if (theFactory != null) {
        return theFactory;
    } else {
        if (!propertyChecked) {
            propertyChecked = true;
            String var0 = getSecurityProperty("ssl.SocketFactory.provider");
            if (var0 != null) {
                log("setting up default SSLSocketFactory");

                try {
                    Class var1 = null;

                    try {
                        var1 = Class.forName(var0);
                    } catch (ClassNotFoundException var5) {
                        ClassLoader var3 = ClassLoader.getSystemClassLoader();
                        if (var3 != null) {
                            var1 = var3.loadClass(var0);
                        }
                    }

                    log("class " + var0 + " is loaded");
                    SSLSocketFactory var2 = (SSLSocketFactory)var1.newInstance();
                    log("instantiated an instance of class " + var0);
                    theFactory = var2;
                    return var2;
                } catch (Exception var6) {
                    log("SSLSocketFactory instantiation failed: " + var6.toString());
                    theFactory = new DefaultSSLSocketFactory(var6);
                    return theFactory;
                }
            }
        }

        try {
            return SSLContext.getDefault().getSocketFactory();
        } catch (NoSuchAlgorithmException var4) {
            return new DefaultSSLSocketFactory(var4);
        }
    }
}

如果theFactory 不为null,则直接返回theFactory,

所以我们可以通过SSLSocketFactory.theFactory=?  设置 默认的 sslsocketFactory

下面如果propertyChecked=false, 则获取java.home/lib/security/java.security  文件中的属性ssl.SocketFactory.provider,如果属性存在,则动态加载该类,并实例化为sslsocketFactory.

如果不存在,则获取默认sslsocketFactory,以下是获取默认sslcontext  的逻辑。
public static synchronized SSLContext getDefault() throws NoSuchAlgorithmException {
    if (defaultContext == null) {
        defaultContext = getInstance("Default");
    }
    return defaultContext;
}
public static SSLContext getInstance(String var0) throws NoSuchAlgorithmException {
    Instance var1 = GetInstance.getInstance("SSLContext", SSLContextSpi.class, var0);
    return new SSLContext((SSLContextSpi)var1.impl, var1.provider, var0);
}

SSLContext 类包含了四个属性

private final Provider provider;//供应商
private final SSLContextSpi contextSpi;//  sslcontext服务的某个供应商某种协议的实现
private final String protocol;//算法
private static SSLContext defaultContext;//sslcontext

sslcontext 类的主要作用就是 根据指定指定供应商 和算法 获取到一个SSLContext服务接口 Service  对象,

然后实例化这个服务接口 获取到一个SSLContextSpi 对象。

然后把SSLContextSpi 对象,供应商,算法  封装到SSLContext 里 构成了sslcontext。

sslcontext有一个方法是初始化 KeyManager和TrustManager

public final void init(KeyManager[] var1, TrustManager[] var2, SecureRandom var3) throws KeyManagementException {
    this.contextSpi.engineInit(var1, var2, var3);
}

这个方法的实现逻辑其实就是调用contextSpi服务的engineInit方法初始化而已。

SSLParameters 封装了ssl协议版本,加密套件等。
FIPS :FIPS是美国联邦信息处理标准(Federal Information Processing Standard)的缩写。
AbstractSSLContext

如果是fips ,则支持的协议版本为TLSv1,TLSv1.1,TLSv1.2

如果不是fips,则还要额外支持更多协议版本,比如SSLv2Hello,SSLv3,

默认使用协议版本为

CustomizedSSLContext 
可以自己制定使用的协议  存到系统属性jdk.tls.client.protocols,如果没有指定的话,如果是fips ,则支持的协议版本为TLSv1,TLSv1.1,TLSv1.2 如果不是fips,则还要额外支持更多协议版本,比如SSLv3,
TLS12Context

如果是fips ,则支持的协议版本为TLSv1,TLSv1.1,TLSv1.2 如果不是fips,则还要额外支持更多协议版本,比如SSLv3,

TLS11Context

如果是fips ,则支持的协议版本为TLSv1,TLSv1.1 如果不是fips,则还要额外支持更多协议版本,比如SSLv3,

TLS10Context

如果是fips ,则支持的协议版本为TLSv1 如果不是fips,则还要额外支持更多协议版本,比如SSLv3,

TLSContext 和 CustomizedSSLContext一样
DefaultSSLContext

默认从系统属性javax.net.ssl.keyStore* 里读取keyManager 列表。

默认从系统属性javax.net.ssl.trustStore* 里读取trustManger列表。

return SSLContext.getDefault().getSocketFactory();

SSLContext.getDefault() 内部实现就是  根绝供应商和协议获取sslcontext 的实现类sslcontextSpi,然后使用调用实现类的getSocketFactory()方法, 这个方法内部的逻辑就是 构造一个SocketFactory对象 把sslcontextSpi  作为属性构造进去。

SSLSocketFactory 对象可以createSocket生成 SslSocket 实例。

以上的逻辑是openconnection 创建连接对象的过程,也就是初始化的过程。

httpsurlconnection.execute()方法执行以后的逻辑是什么?

截图看流程

httpsclient 的afterconnect 方法里会创建socket 然后开始握手

public void afterConnect() throws IOException, UnknownHostException {
        if (!this.isCachedConnection()) {
            SSLSocket var1 = null;
            SSLSocketFactory var2 = this.sslSocketFactory;

            try {
                if (!(this.serverSocket instanceof SSLSocket)) {
                    var1 = (SSLSocket)var2.createSocket(this.serverSocket, this.host, this.port, true);
                } else {
                    var1 = (SSLSocket)this.serverSocket;
                    if (var1 instanceof SSLSocketImpl) {
                        ((SSLSocketImpl)var1).setHost(this.host);
                    }
                }
            } catch (IOException var11) {
                try {
                    var1 = (SSLSocket)var2.createSocket(this.host, this.port);
                } catch (IOException var10) {
                    throw var11;
                }
            }

            String[] var3 = this.getProtocols();
            String[] var4 = this.getCipherSuites();
            if (var3 != null) {
                var1.setEnabledProtocols(var3);
            }

            if (var4 != null) {
                var1.setEnabledCipherSuites(var4);
            }

            var1.addHandshakeCompletedListener(this);
            boolean var5 = true;
            String var6 = var1.getSSLParameters().getEndpointIdentificationAlgorithm();
            if (var6 != null && var6.length() != 0) {
                if (var6.equalsIgnoreCase("HTTPS")) {
                    var5 = false;
                }
            } else {
                boolean var7 = false;
                if (this.hv != null) {
                    String var8 = this.hv.getClass().getCanonicalName();
                    if (var8 != null && var8.equalsIgnoreCase("javax.net.ssl.HttpsURLConnection.DefaultHostnameVerifier")) {
                        var7 = true;
                    }
                } else {
                    var7 = true;
                }

                if (var7) {
                    SSLParameters var12 = var1.getSSLParameters();
                    var12.setEndpointIdentificationAlgorithm("HTTPS");
                    var1.setSSLParameters(var12);
                    var5 = false;
                }
            }

            var1.startHandshake();
            this.session = var1.getSession();
            this.serverSocket = var1;

            try {
                this.serverOutput = new PrintStream(new BufferedOutputStream(this.serverSocket.getOutputStream()), false, encoding);
            } catch (UnsupportedEncodingException var9) {
                throw new InternalError(encoding + " encoding not found");
            }

            if (var5) {
                this.checkURLSpoofing(this.hv);
            }
        } else {
            this.session = ((SSLSocket)this.serverSocket).getSession();
        }

    }

 如上图 创建socket,添加握手完成监听器,开始握手。握手之后,如果发现不是默认的hostnameverifier ,又通过 this.checkURLSpoofing(this.hv); 这个方法实现了hostnameverifer  的自定义验证。

Httpsclient:
private void checkURLSpoofing(HostnameVerifier var1) throws IOException {
        String var2 = this.url.getHost();
        if (var2 != null && var2.startsWith("[") && var2.endsWith("]")) {
            var2 = var2.substring(1, var2.length() - 1);
        }

        Certificate[] var3 = null;
        String var4 = this.session.getCipherSuite();

        try {
            HostnameChecker var5 = HostnameChecker.getInstance((byte)1);
            if (var4.startsWith("TLS_KRB5")) {
                if (!HostnameChecker.match(var2, this.getPeerPrincipal())) {
                    throw new SSLPeerUnverifiedException("Hostname checker failed for Kerberos");
                }
            } else {
                var3 = this.session.getPeerCertificates();
                if (!(var3[0] instanceof X509Certificate)) {
                    throw new SSLPeerUnverifiedException("");
                }

                X509Certificate var6 = (X509Certificate)var3[0];
                var5.match(var2, var6);
            }

            return;
        } catch (SSLPeerUnverifiedException var7) {
            ;
        } catch (CertificateException var8) {
            ;
        }

        if (var4 == null || var4.indexOf("_anon_") == -1) {
            if (var1 == null || !var1.verify(var2, this.session)) {
                this.serverSocket.close();
                this.session.invalidate();
                throw new IOException("HTTPS hostname wrong:  should be <" + this.url.getHost() + ">");
            }
        }
    }


 其中 var1.verify(var2, this.session)这句就是调用的hostnameverifier 做校验了。

sslsocketImpl 类readRecord

private void readRecord(InputRecord var1, boolean var2) throws IOException {
        Object var4 = this.readLock;
        synchronized(this.readLock) {
            while(true) {
                int var3;
                if ((var3 = this.getConnectionState()) != 6 && var3 != 4 && var3 != 7) {
                    try {
                        var1.setAppDataValid(false);
                        var1.read(this.sockInput, this.sockOutput);
                    } catch (SSLProtocolException var12) {
                        SSLProtocolException var5 = var12;

                        try {
                            this.fatal((byte)10, (Throwable)var5);
                        } catch (IOException var11) {
                            ;
                        }

                        throw var12;
                    } catch (EOFException var13) {
                        boolean var6 = this.getConnectionState() <= 1;
                        boolean var7 = requireCloseNotify || var6;
                        if (debug != null && Debug.isOn("ssl")) {
                            System.out.println(Thread.currentThread().getName() + ", received EOFException: " + (var7 ? "error" : "ignored"));
                        }

                        if (var7) {
                            Object var8;
                            if (var6) {
                                var8 = new SSLHandshakeException("Remote host closed connection during handshake");
                            } else {
                                var8 = new SSLProtocolException("Remote host closed connection incorrectly");
                            }

                            ((SSLException)var8).initCause(var13);
                            throw var8;
                        }

                        this.closeInternal(false);
                        continue;
                    }

                    try {
                        var1.decrypt(this.readAuthenticator, this.readCipher);
                    } catch (BadPaddingException var15) {
                        int var17 = var1.contentType() == 22 ? 40 : 20;
                        this.fatal((byte)var17, var15.getMessage(), var15);
                    }

                    synchronized(this) {
                        switch(var1.contentType()) {
                        case 20:
                            if ((this.connectionState == 1 || this.connectionState == 3) && this.handshaker.sessionKeysCalculated() && !this.receivedCCS) {
                                if (var1.available() != 1 || var1.read() != 1) {
                                    this.fatal((byte)10, (String)"Malformed change cipher spec msg");
                                }
                            } else {
                                this.fatal((byte)10, (String)("illegal change cipher spec msg, conn state = " + this.connectionState + ", handshake state = " + this.handshaker.state));
                            }

                            this.receivedCCS = true;
                            this.changeReadCiphers();
                            this.expectingFinished = true;
                            continue;
                        case 21:
                            this.recvAlert(var1);
                            continue;
                        case 22:
                            this.initHandshaker();
                            if (!this.handshaker.activated()) {
                                if (this.connectionState == 3) {
                                    this.handshaker.activate(this.protocolVersion);
                                } else {
                                    this.handshaker.activate((ProtocolVersion)null);
                                }
                            }

                            this.handshaker.process_record(var1, this.expectingFinished);
                            this.expectingFinished = false;
                            if (this.handshaker.invalidated) {
                                this.handshaker = null;
                                this.receivedCCS = false;
                                if (this.connectionState == 3) {
                                    this.connectionState = 2;
                                }
                            } else if (this.handshaker.isDone()) {
                                this.secureRenegotiation = this.handshaker.isSecureRenegotiation();
                                this.clientVerifyData = this.handshaker.getClientVerifyData();
                                this.serverVerifyData = this.handshaker.getServerVerifyData();
                                this.sess = this.handshaker.getSession();
                                this.handshakeSession = null;
                                this.handshaker = null;
                                this.connectionState = 2;
                                this.receivedCCS = false;
                                if (this.handshakeListeners != null) {
                                    HandshakeCompletedEvent var18 = new HandshakeCompletedEvent(this, this.sess);
                                    SSLSocketImpl.NotifyHandshakeThread var19 = new SSLSocketImpl.NotifyHandshakeThread(this.handshakeListeners.entrySet(), var18);
                                    var19.start();
                                }
                            }

                            if (var2 || this.connectionState != 2) {
                                continue;
                            }
                            break;
                        case 23:
                            if (this.connectionState != 2 && this.connectionState != 3 && this.connectionState != 5) {
                                throw new SSLProtocolException("Data received in non-data state: " + this.connectionState);
                            }

                            if (this.expectingFinished) {
                                throw new SSLProtocolException("Expecting finished message, received data");
                            }

                            if (!var2) {
                                throw new SSLException("Discarding app data");
                            }

                            var1.setAppDataValid(true);
                            break;
                        default:
                            if (debug != null && Debug.isOn("ssl")) {
                                System.out.println(Thread.currentThread().getName() + ", Received record type: " + var1.contentType());
                            }
                            continue;
                        }

                        if (this.connectionState < 4) {
                            this.checkSequenceNumber(this.readAuthenticator, var1.contentType());
                        }
                    }

                    return;
                }

                var1.close();
                return;
            }
        }
    }

主要是有一句                             this.handshaker.process_record(var1, this.expectingFinished);处理记录

ClientHandshaker 类processMessge

void processMessage(byte var1, int var2) throws IOException {
        if (this.state >= var1 && var1 != 0) {
            throw new SSLProtocolException("Handshake message sequence violation, " + var1);
        } else {
            label109:
            switch(var1) {
            case 0:
                this.serverHelloRequest(new HelloRequest(this.input));
                break;
            case 1:
            case 3:
            case 4:
            case 5:
            case 6:
            case 7:
            case 8:
            case 9:
            case 10:
            case 15:
            case 16:
            case 17:
            case 18:
            case 19:
            default:
                throw new SSLProtocolException("Illegal client handshake msg, " + var1);
            case 2:
                this.serverHello(new ServerHello(this.input, var2));
                break;
            case 11:
                if (this.keyExchange == KeyExchange.K_DH_ANON || this.keyExchange == KeyExchange.K_ECDH_ANON || this.keyExchange == KeyExchange.K_KRB5 || this.keyExchange == KeyExchange.K_KRB5_EXPORT) {
                    this.fatalSE((byte)10, "unexpected server cert chain");
                }

                this.serverCertificate(new CertificateMsg(this.input));
                this.serverKey = this.session.getPeerCertificates()[0].getPublicKey();
                break;
            case 12:
                this.serverKeyExchangeReceived = true;
                switch(this.keyExchange) {
                case K_RSA_EXPORT:
                    if (this.serverKey == null) {
                        throw new SSLProtocolException("Server did not send certificate message");
                    }

                    if (!(this.serverKey instanceof RSAPublicKey)) {
                        throw new SSLProtocolException("Protocol violation: the certificate type must be appropriate for the selected cipher suite's key exchange algorithm");
                    }

                    if (JsseJce.getRSAKeyLength(this.serverKey) <= 512) {
                        throw new SSLProtocolException("Protocol violation: server sent a server key exchange message for key exchange " + this.keyExchange + " when the public key in the server certificate" + " is less than or equal to 512 bits in length");
                    }

                    try {
                        this.serverKeyExchange(new RSA_ServerKeyExchange(this.input));
                    } catch (GeneralSecurityException var8) {
                        throwSSLException("Server key", var8);
                    }
                    break label109;
                case K_DH_ANON:
                    try {
                        this.serverKeyExchange(new DH_ServerKeyExchange(this.input, this.protocolVersion));
                    } catch (GeneralSecurityException var7) {
                        throwSSLException("Server key", var7);
                    }
                    break label109;
                case K_DHE_DSS:
                case K_DHE_RSA:
                    try {
                        this.serverKeyExchange(new DH_ServerKeyExchange(this.input, this.serverKey, this.clnt_random.random_bytes, this.svr_random.random_bytes, var2, this.localSupportedSignAlgs, this.protocolVersion));
                    } catch (GeneralSecurityException var6) {
                        throwSSLException("Server key", var6);
                    }
                    break label109;
                case K_ECDHE_ECDSA:
                case K_ECDHE_RSA:
                case K_ECDH_ANON:
                    try {
                        this.serverKeyExchange(new ECDH_ServerKeyExchange(this.input, this.serverKey, this.clnt_random.random_bytes, this.svr_random.random_bytes, this.localSupportedSignAlgs, this.protocolVersion));
                    } catch (GeneralSecurityException var5) {
                        throwSSLException("Server key", var5);
                    }
                    break label109;
                case K_RSA:
                case K_DH_RSA:
                case K_DH_DSS:
                case K_ECDH_ECDSA:
                case K_ECDH_RSA:
                    throw new SSLProtocolException("Protocol violation: server sent a server key exchangemessage for key exchange " + this.keyExchange);
                case K_KRB5:
                case K_KRB5_EXPORT:
                    throw new SSLProtocolException("unexpected receipt of server key exchange algorithm");
                default:
                    throw new SSLProtocolException("unsupported key exchange algorithm = " + this.keyExchange);
                }
            case 13:
                if (this.keyExchange != KeyExchange.K_DH_ANON && this.keyExchange != KeyExchange.K_ECDH_ANON) {
                    if (this.keyExchange != KeyExchange.K_KRB5 && this.keyExchange != KeyExchange.K_KRB5_EXPORT) {
                        this.certRequest = new CertificateRequest(this.input, this.protocolVersion);
                        if (debug != null && Debug.isOn("handshake")) {
                            this.certRequest.print(System.out);
                        }

                        if (this.protocolVersion.v < ProtocolVersion.TLS12.v) {
                            break;
                        }

                        Collection var3 = this.certRequest.getSignAlgorithms();
                        if (var3 != null && !var3.isEmpty()) {
                            Collection var4 = SignatureAndHashAlgorithm.getSupportedAlgorithms(var3);
                            if (var4.isEmpty()) {
                                throw new SSLHandshakeException("No supported signature and hash algorithm in common");
                            }

                            this.setPeerSupportedSignAlgs(var4);
                            this.session.setPeerSupportedSignatureAlgorithms(var4);
                            break;
                        }

                        throw new SSLHandshakeException("No peer supported signature algorithms");
                    }

                    throw new SSLHandshakeException("Client certificate requested for kerberos cipher suite.");
                }

                throw new SSLHandshakeException("Client authentication requested for anonymous cipher suite.");
            case 14:
                this.serverHelloDone(new ServerHelloDone(this.input));
                break;
            case 20:
                if (!this.receivedChangeCipherSpec()) {
                    this.fatalSE((byte)40, "Received Finished message before ChangeCipherSpec");
                }

                this.serverFinished(new Finished(this.protocolVersion, this.input, this.cipherSuite));
            }

            if (this.state < var1) {
                this.state = var1;
            }

        }
    }

ClientHandshaker.serverCertificate:

private void serverCertificate(CertificateMsg var1) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            var1.print(System.out);
        }

        X509Certificate[] var2 = var1.getCertificateChain();
        if (var2.length == 0) {
            this.fatalSE((byte)42, "empty certificate chain");
        }

        if (this.reservedServerCerts != null) {
            String var3 = this.getEndpointIdentificationAlgorithmSE();
            if ((var3 == null || var3.length() == 0) && !isIdentityEquivalent(var2[0], this.reservedServerCerts[0])) {
                this.fatalSE((byte)42, "server certificate change is restricted during renegotiation");
            }
        }

        X509TrustManager var6 = this.sslContext.getX509TrustManager();

        try {
            String var4;
            if (this.keyExchange == KeyExchange.K_RSA_EXPORT && !this.serverKeyExchangeReceived) {
                var4 = KeyExchange.K_RSA.name;
            } else {
                var4 = this.keyExchange.name;
            }

            if (!(var6 instanceof X509ExtendedTrustManager)) {
                throw new CertificateException("Improper X509TrustManager implementation");
            }

            if (this.conn != null) {
                ((X509ExtendedTrustManager)var6).checkServerTrusted((X509Certificate[])var2.clone(), var4, this.conn);
            } else {
                ((X509ExtendedTrustManager)var6).checkServerTrusted((X509Certificate[])var2.clone(), var4, this.engine);
            }
        } catch (CertificateException var5) {
            this.fatalSE((byte)46, var5);
        }

        this.session.setPeerCertificates(var2);
    }

X509TrustManagerImpl 类 checkServerTrusted:

X509TrustManagerImpl 类checkTrusted:(校验dns 和 证书)
    private void checkTrusted(X509Certificate[] var1, String var2, Socket var3, boolean var4) throws CertificateException {
        Validator var5 = this.checkTrustedInit(var1, var2, var4);
        SSLAlgorithmConstraints var6 = null;
        SSLSocket var7;
        if (var3 != null && var3.isConnected() && var3 instanceof SSLSocket) {
            var7 = (SSLSocket)var3;
            SSLSession var8 = var7.getHandshakeSession();
            if (var8 == null) {
                throw new CertificateException("No handshake session");
            }

            String var9 = var7.getSSLParameters().getEndpointIdentificationAlgorithm();
            if (var9 != null && var9.length() != 0) {
                checkIdentity(var8, var1[0], var9, var4, getRequestedServerNames(var3));
            }

            ProtocolVersion var10 = ProtocolVersion.valueOf(var8.getProtocol());
            if (var10.v >= ProtocolVersion.TLS12.v) {
                if (var8 instanceof ExtendedSSLSession) {
                    ExtendedSSLSession var11 = (ExtendedSSLSession)var8;
                    String[] var12 = var11.getLocalSupportedSignatureAlgorithms();
                    var6 = new SSLAlgorithmConstraints(var7, var12, false);
                } else {
                    var6 = new SSLAlgorithmConstraints(var7, false);
                }
            } else {
                var6 = new SSLAlgorithmConstraints(var7, false);
            }
        }

        var7 = null;
        X509Certificate[] var13;
        if (var4) {
            var13 = validate(var5, var1, var6, (String)null);
        } else {
            var13 = validate(var5, var1, var6, var2);
        }

        if (debug != null && Debug.isOn("trustmanager")) {
            System.out.println("Found trusted certificate:");
            System.out.println(var13[var13.length - 1]);
        }

    }

X509TrustManagerImpl 类 checkIdentity

private static void checkIdentity(SSLSession var0, X509Certificate var1, String var2, boolean var3, List<SNIServerName> var4) throws CertificateException {
        boolean var5 = false;
        String var6 = var0.getPeerHost();
        if (var3) {
            String var7 = getHostNameInSNI(var4);
            if (var7 != null) {
                try {
                    checkIdentity(var7, var1, var2);
                    var5 = true;
                } catch (CertificateException var9) {
                    if (var7.equalsIgnoreCase(var6)) {
                        throw var9;
                    }
                }
            }
        }

        if (!var5) {
            checkIdentity(var6, var1, var2);
        }

    }


static void checkIdentity(String var0, X509Certificate var1, String var2) throws CertificateException {
        if (var2 != null && var2.length() != 0) {
            if (var0 != null && var0.startsWith("[") && var0.endsWith("]")) {
                var0 = var0.substring(1, var0.length() - 1);
            }

            if (var2.equalsIgnoreCase("HTTPS")) {
                HostnameChecker.getInstance((byte)1).match(var0, var1);
            } else {
                if (!var2.equalsIgnoreCase("LDAP") && !var2.equalsIgnoreCase("LDAPS")) {
                    throw new CertificateException("Unknown identification algorithm: " + var2);
                }

                HostnameChecker.getInstance((byte)2).match(var0, var1);
            }
        }

    }

HostnameChecker.getInstance((byte)1).match(var0, var1);


    private static final HostnameChecker INSTANCE_TLS = new HostnameChecker((byte)1);
    public static final byte TYPE_LDAP = 2;
    private static final HostnameChecker INSTANCE_LDAP = new HostnameChecker((byte)2);

 public static HostnameChecker getInstance(byte var0) {
        if (var0 == 1) {
            return INSTANCE_TLS;
        } else if (var0 == 2) {
            return INSTANCE_LDAP;
        } else {
            throw new IllegalArgumentException("Unknown check type: " + var0);
        }
    }

    private void matchDNS(String var1, X509Certificate var2) throws CertificateException {
        Collection var3 = var2.getSubjectAlternativeNames();
        if (var3 != null) {
            boolean var4 = false;
            Iterator var5 = var3.iterator();

            while(var5.hasNext()) {
                List var6 = (List)var5.next();
                if (((Integer)var6.get(0)).intValue() == 2) {
                    var4 = true;
                    String var7 = (String)var6.get(1);
                    if (this.isMatched(var1, var7)) {
                        return;
                    }
                }
            }

            if (var4) {
                throw new CertificateException("No subject alternative DNS name matching " + var1 + " found.");
            }
        }

        X500Name var9 = getSubjectX500Name(var2);
        DerValue var10 = var9.findMostSpecificAttribute(X500Name.commonName_oid);
        if (var10 != null) {
            try {
                if (this.isMatched(var1, var10.getAsString())) {
                    return;
                }
            } catch (IOException var8) {
                ;
            }
        }

        String var11 = "No name matching " + var1 + " found";
        throw new CertificateException(var11);
    }

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

package sun.security.util;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.StringTokenizer;
import javax.security.auth.x500.X500Principal;
import sun.net.util.IPAddressUtil;
import sun.security.ssl.Krb5Helper;
import sun.security.x509.X500Name;

public class HostnameChecker {
    public static final byte TYPE_TLS = 1;
    private static final HostnameChecker INSTANCE_TLS = new HostnameChecker((byte)1);
    public static final byte TYPE_LDAP = 2;
    private static final HostnameChecker INSTANCE_LDAP = new HostnameChecker((byte)2);
    private static final int ALTNAME_DNS = 2;
    private static final int ALTNAME_IP = 7;
    private final byte checkType;

    private HostnameChecker(byte var1) {
        this.checkType = var1;
    }

    public static HostnameChecker getInstance(byte var0) {
        if (var0 == 1) {
            return INSTANCE_TLS;
        } else if (var0 == 2) {
            return INSTANCE_LDAP;
        } else {
            throw new IllegalArgumentException("Unknown check type: " + var0);
        }
    }

    public void match(String var1, X509Certificate var2) throws CertificateException {
        if (isIpAddress(var1)) {
            matchIP(var1, var2);
        } else {
            this.matchDNS(var1, var2);
        }

    }

    public static boolean match(String var0, Principal var1) {
        String var2 = getServerName(var1);
        return var0.equalsIgnoreCase(var2);
    }

    public static String getServerName(Principal var0) {
        return Krb5Helper.getPrincipalHostName(var0);
    }

    private static boolean isIpAddress(String var0) {
        return IPAddressUtil.isIPv4LiteralAddress(var0) || IPAddressUtil.isIPv6LiteralAddress(var0);
    }

    private static void matchIP(String var0, X509Certificate var1) throws CertificateException {
        Collection var2 = var1.getSubjectAlternativeNames();
        if (var2 == null) {
            throw new CertificateException("No subject alternative names present");
        } else {
            Iterator var3 = var2.iterator();

            while(var3.hasNext()) {
                List var4 = (List)var3.next();
                if (((Integer)var4.get(0)).intValue() == 7) {
                    String var5 = (String)var4.get(1);
                    if (var0.equalsIgnoreCase(var5)) {
                        return;
                    }
                }
            }

            throw new CertificateException("No subject alternative names matching IP address " + var0 + " found");
        }
    }

    private void matchDNS(String var1, X509Certificate var2) throws CertificateException {
        Collection var3 = var2.getSubjectAlternativeNames();
        if (var3 != null) {
            boolean var4 = false;
            Iterator var5 = var3.iterator();

            while(var5.hasNext()) {
                List var6 = (List)var5.next();
                if (((Integer)var6.get(0)).intValue() == 2) {
                    var4 = true;
                    String var7 = (String)var6.get(1);
                    if (this.isMatched(var1, var7)) {
                        return;
                    }
                }
            }

            if (var4) {
                throw new CertificateException("No subject alternative DNS name matching " + var1 + " found.");
            }
        }

        X500Name var9 = getSubjectX500Name(var2);
        DerValue var10 = var9.findMostSpecificAttribute(X500Name.commonName_oid);
        if (var10 != null) {
            try {
                if (this.isMatched(var1, var10.getAsString())) {
                    return;
                }
            } catch (IOException var8) {
                ;
            }
        }

        String var11 = "No name matching " + var1 + " found";
        throw new CertificateException(var11);
    }

    public static X500Name getSubjectX500Name(X509Certificate var0) throws CertificateParsingException {
        try {
            Principal var1 = var0.getSubjectDN();
            if (var1 instanceof X500Name) {
                return (X500Name)var1;
            } else {
                X500Principal var2 = var0.getSubjectX500Principal();
                return new X500Name(var2.getEncoded());
            }
        } catch (IOException var3) {
            throw (CertificateParsingException)(new CertificateParsingException()).initCause(var3);
        }
    }

    private boolean isMatched(String var1, String var2) {
        if (this.checkType == 1) {
            return matchAllWildcards(var1, var2);
        } else {
            return this.checkType == 2 ? matchLeftmostWildcard(var1, var2) : false;
        }
    }

    private static boolean matchAllWildcards(String var0, String var1) {
        var0 = var0.toLowerCase(Locale.ENGLISH);
        var1 = var1.toLowerCase(Locale.ENGLISH);
        StringTokenizer var2 = new StringTokenizer(var0, ".");
        StringTokenizer var3 = new StringTokenizer(var1, ".");
        if (var2.countTokens() != var3.countTokens()) {
            return false;
        } else {
            do {
                if (!var2.hasMoreTokens()) {
                    return true;
                }
            } while(matchWildCards(var2.nextToken(), var3.nextToken()));

            return false;
        }
    }

    private static boolean matchLeftmostWildcard(String var0, String var1) {
        var0 = var0.toLowerCase(Locale.ENGLISH);
        var1 = var1.toLowerCase(Locale.ENGLISH);
        int var2 = var1.indexOf(".");
        int var3 = var0.indexOf(".");
        if (var2 == -1) {
            var2 = var1.length();
        }

        if (var3 == -1) {
            var3 = var0.length();
        }

        return matchWildCards(var0.substring(0, var3), var1.substring(0, var2)) ? var1.substring(var2).equals(var0.substring(var3)) : false;
    }

    private static boolean matchWildCards(String var0, String var1) {
        int var2 = var1.indexOf("*");
        if (var2 == -1) {
            return var0.equals(var1);
        } else {
            boolean var3 = true;
            String var4 = "";

            String var5;
            for(var5 = var1; var2 != -1; var2 = var5.indexOf("*")) {
                var4 = var5.substring(0, var2);
                var5 = var5.substring(var2 + 1);
                int var6 = var0.indexOf(var4);
                if (var6 == -1 || var3 && var6 != 0) {
                    return false;
                }

                var3 = false;
                var0 = var0.substring(var6 + var4.length());
            }

            return var0.endsWith(var5);
        }
    }
}

可以确定在调用HTTPS接口创建连接的时候会添加默认的sslcontextFactory和hostnameverifier,然后应用程序如果不重新设置这2个属性,则会使用默认值。默认的hostnameverifier校验不通过,默认的sslcontextFactory的校验逻辑是啥样的?

默认sslcontextFactory  的trustManager  的校验逻辑是 判断请求服务器的证书的根证书是否在我们信任的根证书列表内,如果在,则通过,如果不在,则拒绝。然后判断请求服务器的域名是否在下发证书的可选别名列表内。如果在,则通过,否则拒绝。

所以即使我们没有把请求服务器的证书添加到信任列表也是可以通过证书校验的。

当使用默认的hostnameverifier 的 时候,java 会判断如果是默认hostnameverifier 就跳过验证,所以会https接口调用会通过。

问题:

1 在restTemplate使用SimpleClientHttpRequestFactory的情况下,按理说是不应该掉的通腾讯接口的,为什么能调通?

没有被hostnameverifier  拦截掉?因为默认的hostnameverifier 别忽略了,没有执行,所以不会被拦截。而服务器证书校验会通过是因为信任管理器 校验的逻辑是如果请求服务器的根证书在信任的根证书列表内,则通过,然后如果请求服务器的域名在证书的别名列表内,则通过,否则不通过。

2 同一套代码,为什么本地的restTemplate 校验通过,服务器的证书校验不通过?提示Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching testapi.telesafe.qq.com found.

无论使用什么协议,算法,通讯,应该不影响才对。

1 因为jdk 版本有所不同,1.8.0_271 和1.8.0_40 的 ssl握手这块代码的逻辑变动很大。

2 本地可以是因为本地请求了正确的服务器,测试不可以是因为测试环境请求被拦截,然后转发到了错误的服务器,所以握手失败。 如果是这个逻辑,测试服务器上curl post 出去的请求应该也会提示握手失败。

curl -X POST -d '' https://testapi.telesafe.qq.com/BlackLibQuery/

如果curl    握手成功,则确定没有被拦截,如果也失败,可以查看ping testapi.telesafe.qq.com 返回的IP 和服务端确认是否是 对方的IP地址。

3 为什么测试服务器之前接口是通的,为什么突然就不行了呢?然后突然又好了(确定jdk没有变化)

而线上环境从头至尾都是OK的。

只能是证书发生变化 ,如果是证书发生变化,为什么线上环境没有问题,而且请求服务器的证书没有到期没有理由会更换证书的,

只能理解为 测试环境和线上环境是 2套环境,2套NGINX ,所以有可能线上没有问题,测试有问题。

怎么确定是证书发生了变化? 在浏览器打开地址确认证书是否真有问题。

xiaoliuliu2050
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Android使用HttpClient和HttpsUrlConnection两种方式访问https网站
01-09
SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, trustAllCerts, new SecureRandom()); EasySSLSocketFactory socketFactory = new EasySSLSocketFactory(sslContext); ...
BYPASSING-SSL:用于绕过SSL身份验证的Java代码
05-29
这段代码创建了一个信任所有证书的`TrustManager`和一个接受所有主机名的`HostnameVerifier`,然后将这些配置应用到默认的`SSLContext`中。这样,当使用`HttpsURLConnection`进行连接时,就会跳过常规的SSL/TLS验证...
JAVA中为 HttpsURLConnection 设置自定义的 HostnameVerifier 导致 SNI 失效的问题
Dancen的专栏
09-06 5950
由于我们拥有大量的域名,并且这些域名都使用了https,因此https证书的管理成了一个问题。于是我写了一个https证书的监控器,能在https证书出现问题(例如即将到期,已经到期,或者证书错误)时,主动通知管理人员。 该https证书监控器在我本机开发运行时一切正常,但当部署到监控服务器后,大量的https证书无法通过检查,出现了上图所示第2项的预警,即https证书监控器认为证书与域名...
java url hostname_JAVA中为 HttpsURLConnection 设置自定义的 HostnameVerifier 导致 SNI 失效的问题...
weixin_39616339的博客
02-16 546
由于我们拥有大量的域名,并且这些域名都使用了https,因此https证书的管理成了一个问题。于是我写了一个https证书的监控器,能在https证书出现问题(例如即将到期,已经到期,或者证书错误)时,主动通知管理人员。该https证书监控器在我本机开发运行时一切正常,但当部署到监控服务器后,大量的https证书无法通过检查,出现了上图所示第2项的预警,即https证书监控器认为证书与域名不匹配的...
关于JAVA发送Https请求(HttpsURLConnection和HttpURLConnection
热门推荐
shumeng_xiaoyan的博客
08-01 5万+
https协议对于开发者而言其实只是多了一步证书验证的过程。这个证书正常情况下被jdk/jre/security/cacerts所管理。里面证书包含两种情况: 1、机构所颁发的被认证的证书,这种证书的网站在浏览器访问时https头显示为绿色如百度 2、个人所设定的证书,这种证书的网站在浏览器里https头显示为红色×,且需要点击信任该网站才能继续访问。而点击信任这一步的操作就是我们在jav
关于 HTTPSSSL
allway2的博客
08-05 3903
使用您尝试访问的站点的证书在您的客户端安装您自己的 Truststore 是一个很好的做法。以下是 GlobalSign 的快照,他们很好地描述了如果您安装 EV SSL 证书会发生什么,如下图所示,启用 EV SSL 的网站将有一个挂锁和一个绿色的地址栏,就像在 IE 中一样。)来证明公钥的所有权。当您需要多个证书时,在公司中,您可以设置自己的 CA 并将该 CA 的证书安装在所有客户端的根 Keystore 中。一般来说,单向 SSL 是验证您正在访问的网站的真实性并形成安全通道的常用方法。...
java网络学习之 JSSE 介绍 包含sslcontext(15)
xiaoliuliu2050的专栏
03-30 4221
java 安全套接字扩展 是 在原有的socket之上 封装了一层SSL/TLS 这样的高级网络协议的实现,使得原有的socket 通讯变得安全。 1 SSL/TLS 协议介绍: SSL 是洋文“Secure Sockets Layer”的缩写,中文叫做“安全套接层”。为啥要发明 SSL 这个协议捏?因为原先互联网上使用的 HTTP 协议是明文的,存在很多缺点——比如传输内容会被偷窥(嗅探)和...
使用RestTemplate访问https实现SSL请求操作,设置TLS版本
记录个人学习笔记总结,遇见问题等
02-14 3652
使用RestTemplate访问https实现SSL请求操作,设置TLS版本
Springboot应用设置跳过SSL证书认证
只为成功找方法 不为失败找借口
06-18 363
虽然这个类在开发和测试环境中可能有用,但在生产环境中使用是不安全的,因为它会使你的应用程序容易受到各种 SSL/TLS 攻击。请确保在生产环境中进行适当的证书验证,以保护数据传输的安全性。
使用HttpURLConnection访问https协议请求时.对SSL信任
zz153417230的博客
05-11 3万+
此篇只涉及到如果访问https链接,具体的原理不做深究. 当我们使用HttpURLConnection访问http请求的时候没有任何困难,但是当访问https协议的链接时,由于证书的问题,就涉及到此链接的证书验证.可以保证安全的通信,但是对爬虫来说,会变得非常的麻烦.所以我们需要对https协议的链接在代码层实现信任此链接. 第一步:实现X509TrustManag...
Java Web 学习笔记之七:HttpsURLConnection实现Https请求发送(基本用法)
johnson_moon的博客
12-11 1554
简单介绍HttpsURLConnection用法
Android通过https协议与服务器端进行通信
06-23
在使用 HttpsURLConnection 类时,需要初始化 X509TrustManager 中的 SSLContext,以便 javax.net.ssl.HttpsURLConnection 设置默认的 SocketFactory 和 HostnameVerifier。代码中,需要创建一个 myX509TrustManager...
WebService绕过https证书认证方法.pdf
12-17
最后,使用创建的`TrustManager`和`HostnameVerifier`初始化`SSLContext`,并将其设置为`HttpsURLConnection`的默认SSLSocketFactory和HostnameVerifier。 ```java javax.net.ssl.TrustManager[] trustAllCerts = ...
httpclient 绕开HTTPS证书校验
07-05
但是,我们可以通过创建一个信任所有证书的`TrustManager`实例,然后将其设置到`SSLContext`中,从而跳过证书验证。 以下是一个简单的示例,展示了如何使用`httpclient`实现这一功能: ```java import org.apache....
12. Hibernate 模板设计模式
这是一个web全栈开发的博客,取其精华去其糟粕,争取让大家一看就懂,一学就会,一用就成~
07-22 1262
如何运用模板设计模式重构 Hibernate 操作流程;持久化对象与序列化接口;OOP中有一个编码原则 :写仅写一次。翻译过来就是,不要重复,要重用。答案是:使用模板设计模式进一步封装Hibernate的操作。在真实项目中,Hibernate仅仅只是完成项目中的一部分工作,需要和其它,如Spring等框架联合工作,一起承担整体项目的开发。Spring框架中就提供的有Hibernate模板对象。一个常规的、频繁的操作代码中,大部分代码不需要变动,只有小部分代码需要根据需求变动。
golang 接口
m0_70982551的博客
07-24 809
接口定义了一组方法,这些方法没有具体的实现。接口类型的变量可以存储任何实现了这些方法的类型的值。// 更多方法...在Go语言中,接口值是指存储了实现某个接口的具体类型值的变量。接口值由两部分组成:1.动态类型:这是接口值当前存储的实际类型。2.动态值:这是实际存储的值,该值必须实现了接口中定义的所有方法。
Swagger使用Map接受参数时,页面如何显示具体参数及说
最新发布
a1058926697的博客
07-26 365
后端使用Map接受参数,要求在swagger页面上显示具体的参数名称、类型及说明。当Map接受参数数量少时,可以使用Swagger自带的注解。自定义注解 @ApiGlobalModel。编写处理注解对应的插件。
springboot之自动装配
weixin_50153914的博客
07-23 497
Spring Boot 通过一系列注解和条件配置实现了自动装配机制,使得开发者无需手动配置大量的 XML 文件或 Java 配置类。自动配置机制利用文件中的自动配置类,并结合条件注解和组件扫描,实现了灵活且强大的自动装配功能。这样,开发者可以专注于业务逻辑的实现,而无需处理繁琐的配置细节。
java ssl 跳过证书验证
05-27
Java 中,可以通过实现一个自定义的 TrustManager 来跳过证书验证。以下是一个简单的示例: ```java import javax.net.ssl.*; public class TrustAllManager implements X509TrustManager { public void checkClientTrusted(X509Certificate[] chain, String authType) {} public void checkServerTrusted(X509Certificate[] chain, String authType) {} public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } public static void trustAllCertificates() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, new TrustManager[] { new TrustAllManager() }, null); HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory()); HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }); } } ``` 在上面的代码中,我们实现了一个 TrustManager,并覆盖了其中的方法,使其不做任何操作。然后,我们通过调用 `SSLContext.init()` 方法来初始化 SSLContext,并将其设置默认SSL 上下文。最后,我们设置默认的主机名验证器,使其总是返回 `true`。 要使用该 TrustManager,只需要调用 `TrustAllManager.trustAllCertificates()` 方法即可。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值