Java and HTTPS

0. Background

    HTTPS is essentially HTTP carried over SSL/TLS: an encrypted protocol by which the server side offers its service securely.

1. Java as a client requesting HTTPS

    HttpClient is the usual client library, and there are two ways to use it:

    (1) Bypassing the certificate check

    A Java client usually talks to a small, fixed set of server URLs, so it can simply be configured to trust every server and skip certificate verification altogether.

Implement X509TrustManager with check methods that do nothing and getAcceptedIssuers returning null; nothing is verified, so any certificate, including one presented by a man-in-the-middle, is accepted:

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Trust manager that accepts every certificate: the check methods never throw,
// so a forged, expired or self-signed certificate passes unnoticed.
X509TrustManager trustManager = new X509TrustManager() {
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // intentionally empty: no verification
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // intentionally empty: no verification
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // The JSSE contract asks for a non-null (possibly empty) array; null works with
        // SSLContext but can cause NullPointerExceptions in other callers.
        return null;
    }
};

// Install it into an SSLContext; any HTTPS library handed this context skips verification.
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] { trustManager }, null);

    (2) Verifying the certificate

1. Obtain the certificate ca.cer: open the site over HTTPS in a browser and export it, or download it from the provider.

2. Import the certificate into a trust store:

keytool -importcert -alias test -file ca.cer -keystore test.keystore

3. Code:

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.params.ClientPNames;
import org.apache.http.client.params.CookiePolicy;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.CoreProtocolPNames;
import org.apache.http.util.EntityUtils;

public class HttpsClientDemo {
    public static void main(String[] args) throws IOException, KeyStoreException, NoSuchAlgorithmException,
            CertificateException, KeyManagementException, UnrecoverableKeyException {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getParams().setParameter(ClientPNames.COOKIE_POLICY, CookiePolicy.BROWSER_COMPATIBILITY);
        client.getParams().setParameter(CoreProtocolPNames.USER_AGENT,
                "Mozilla/5.0 (Windows NT 6.2; rv:18.0) Gecko/20100101 Firefox/18.0");
        String PostFir = "https://www.xxx.com/";
        // Load the trust store that holds the imported CA certificate
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream instream = new FileInputStream("d:/zzaa/steven.keystore")) {
            // trust store password
            trustStore.load(instream, "123456".toCharArray());
        }
        // Register the trust store: a server certificate must chain to a CA in it
        SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
        // Skip hostname verification. This weakens the check: any certificate issued by the
        // trusted CA is accepted for any host; the default STRICT_HOSTNAME_VERIFIER is the safe choice.
        socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        Scheme sch = new Scheme("https", 443, socketFactory);
        client.getConnectionManager().getSchemeRegistry().register(sch);
        HttpPost httppost1 = new HttpPost(PostFir);
        HttpResponse response1 = client.execute(httppost1);
        HttpEntity resEntity1 = response1.getEntity();
        System.out.println(EntityUtils.toString(resEntity1, "gbk"));
    }
}
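The same verification done with only the JDK's javax.net.ssl API, as an added example that is not part of the original post: the trust store from step 2 becomes the sole set of trust anchors, and the JDK's default hostname verifier is kept, so both of the checks that the trust-all manager in approach (1) disables are in force. The keystore path and password are placeholders, HttpsURLConnection stands in for Apache HttpClient, and InputStream.readAllBytes needs Java 9 or later.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the original post): an HTTPS client that verifies the
 * server certificate against a dedicated trust store using only the JDK.
 * Keystore path and password below are placeholders.
 */
public class VerifiedHttpsClient {

    /** Builds an SSLContext whose trust anchors come only from the given keystore. */
    public static SSLContext buildTrustedContext(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // Sanity check: list the CAs this client will trust, so an empty or wrong store is noticed early.
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] anchors = ((X509TrustManager) tm).getAcceptedIssuers();
                if (anchors.length == 0) {
                    throw new IllegalStateException("trust store " + trustStorePath + " contains no CA certificates");
                }
                for (X509Certificate c : anchors) {
                    System.out.println("trusting: " + c.getSubjectX500Principal());
                }
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** GET over TLS. The default HostnameVerifier stays in place, so the certificate must name the host. */
    public static String get(String url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no conn.setHostnameVerifier(...): keep the JDK's strict default.
        try (InputStream body = conn.getInputStream()) {
            return new String(body.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // placeholder path and password; test.keystore is the store created in step 2
        SSLContext ctx = buildTrustedContext("test.keystore", "changeit".toCharArray());
        System.out.println(get("https://www.xxx.com/", ctx));
    }
}
```

A server whose certificate does not chain to a CA in test.keystore, or whose certificate does not name the host in the URL, fails inside conn.getInputStream() with an SSLHandshakeException instead of returning a body; that failure is exactly what the trust-all manager and ALLOW_ALL_HOSTNAME_VERIFIER suppress.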

2. Java providing an HTTPS service

    Usually you obtain a certificate (free or paid; a self-signed one can also be generated) and deploy it on the HTTP server or reverse proxy (Nginx, Apache, Tomcat, IIS and so on). The example below generates a certificate with the JDK's keytool and deploys it on Tomcat.

(1) Generate the certificate and key pair

keytool -genkeypair -alias "tomcat" -keyalg "RSA" -keystore "e:\tomcat.keystore"

            To delete the entry:

keytool -delete -alias tomcat -keystore "e:\tomcat.keystore"

            Convert to the industry-standard PKCS12 format (optional):

keytool -importkeystore -srckeystore e:\tomcat.keystore -destkeystore e:\tomcat.keystore -deststoretype pkcs12


Note: when keytool prompts for "first and last name" (the certificate's CN), enter the server's domain name. If you enter a personal name, the certificate will not match the host name clients actually connect to, and verification will fail at run time.

(2) Edit the Connector in server.xml

    <!-- "ciphers" takes a comma-separated list of cipher suite names; omit it unless you need to restrict suites -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="F:\tomcats.keystore"
               keystorePass="tomcat" />

The port can be changed to the default HTTPS port 443.
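An added example, not from the original post, of serving HTTPS from Java without Tomcat: it uses the JDK's built-in com.sun.net.httpserver.HttpsServer with the keystore produced by the keytool -genkeypair command above. Before listening, it reads the certificate for alias tomcat and checks that its CN or a DNS SubjectAlternativeName matches the host name clients will use, so the "first and last name" mistake noted above is caught at startup rather than at the first client connection. The keystore path, password and expected host name are placeholders, and the key password is assumed to equal the store password (keytool's default when you press Enter at the key-password prompt).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;

/**
 * Added example (not from the original post): a minimal HTTPS server on the JDK's
 * HttpsServer, fed by the keytool-generated keystore. Path, password and host are placeholders.
 */
public class MinimalHttpsServer {

    /** True if the certificate names the host either in a DNS SAN (type 2) or in its CN. */
    static boolean certNamesHost(X509Certificate cert, String host) throws Exception {
        // Modern clients match against DNS SubjectAlternativeNames first
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                    return true;
                }
            }
        }
        // keytool -genkeypair without -ext SAN produces a certificate with only a CN
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            if (rdn.trim().equalsIgnoreCase("CN=" + host)) {
                return true;
            }
        }
        return false;
    }

    /** Loads the server key pair and refuses to start with a certificate that does not name expectedHost. */
    public static SSLContext buildServerContext(String keystorePath, char[] password, String expectedHost)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate("tomcat");
        if (cert == null) {
            throw new IllegalStateException("alias tomcat not found in " + keystorePath);
        }
        if (!certNamesHost(cert, expectedHost)) {
            throw new IllegalStateException("certificate subject '" + cert.getSubjectX500Principal().getName()
                    + "' does not name " + expectedHost + "; clients will fail hostname verification");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // key password assumed equal to the store password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Starts an HTTPS listener that answers every request with a fixed body. */
    public static HttpsServer start(SSLContext ctx, int port) throws Exception {
        HttpsServer server = HttpsServer.create(new InetSocketAddress(port), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(ctx));
        server.createContext("/", exchange -> {
            byte[] body = "hello over TLS\n".getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(body);
            }
        });
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        // placeholders: keystore from the keytool command above, its password, and the public host name
        SSLContext ctx = buildServerContext("tomcat.keystore", "changeit".toCharArray(), "www.example.com");
        start(ctx, 8443);
        System.out.println("listening on https://localhost:8443/");
    }
}
```

Because the keystore holds a self-signed certificate, a client only connects cleanly if that certificate has been imported into its trust store with keytool -importcert as in section 1(2); the JDK's default trust store will reject it, which is the expected outcome rather than a reason to fall back to the trust-all manager.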





