本文介绍了在JDK1.7及更低版本中处理HTTPS请求时遇到的SSL异常问题,以及如何通过代码配置和使用第三方库Bouncy Castle来支持TLS协议。提供了单向认证和双向认证的代码实现,以解决因JDK版本低不支持TSLv1.x导致的问题。
有没有童鞋遇到个问题,就是公司项目太老,用的是JDK1.7,JDK1.8以下的,由于需要调用HTTPS相关接口导致SSLException等异常,
解决办法尝试过的童鞋会采用升级JDK1.8以上,了解版本更新的童鞋就会知道,JDK1.8已经默认支持了HTTPS相关支持。
由于项目老,升级JDK导致很多地方出现问题。
JDK1.7 默认是 TSLv1, 但是可以支持 TSLv1.1,TSLv1.2;
JDK1.8 默认是 TSLv1.2
由于JDK1.8以下,发送https请求会导致各种SSL异常信息报错
常见的问题是:
先介绍HTTPS
HTTPS(全称:Hyper Text Transfer Protocol over Secure Socket Layer),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。
即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容就需要SSL。 它是一个URI scheme(抽象标识符体系),句法类同http:体系。
用于安全的HTTP数据传输。https:URL表明它使用了HTTP,但HTTPS存在不同于HTTP的默认端口及一个加密/身份验证层(在HTTP与TCP之间)。
这个系统的最初研发由网景公司(Netscape)进行,并内置于其浏览器Netscape Navigator中,提供了身份验证与加密通讯方法。
现在它被广泛用于万维网上安全敏感的通讯,例如交易支付方面。–百度百科
HTTPS和HTTP的区别主要为以下四点:
一、https协议需要到ca申请证书,一般免费证书很少,需要交费。
二、http是超文本传输协议,信息是明文传输,https 则是具有安全性的ssl加密传输协议。
三、http和https使用的是完全不同的连接方式,用的端口也不一样,前者是80,后者是443。
四、http的连接很简单,是无状态的;HTTPS协议是由SSL+HTTP协议构建的可进行加密传输、身份认证的网络协议,比http协议安全。
常用的方法:
1:System.setProperty(“https.protocols”,“SSLv3,TLSv1,TLSv1.1,TLSv1.2…”);
很多童鞋用这样的一段代码,可能有些灵,也有可能出现时不时可以,时不时不可以。
2:根据官网的提示替换jar 包
C:\Program Files\Java\jdk1.8.0_40\jre\lib\security local_policy.jar和 US_export_policy.jar
调用报错:javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
然后继续:
下载2个jar包: bcprov-ext-jdk15on-1.52.jar 和 bcprov-jdk15on-1.52.jar
复制两个jar包到: $JAVA_HOME/jre/lib/ext
需修改: $JAVA_HOME/jre/lib/security/java.security
添加security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
也有下载证书的等,但是太过于繁琐。
本文推荐了代码编写(继承重写源码),使用第三方Bouncy Castle,既搬既用(CV大法唯快不破)。
选择:
单向认证:是由于JDK1.8以下不支持tsl1.x协议问题导致,可以适用单向认证的代码
双向认证:假设HTTPS是第三方的,你调第三方的https,对方的证书是自制的或者CA的双向认证(具体待研究),
发起请求的的时候需要携带证书(第三方提供的)发送,就可以适用双向认证的代码。
相关JAR包
bcprov-jdk15on-1.57.jar
一:
建立两个类:
import javax.net.ssl.HttpsURLConnection;
import java.io.IOException;
import java.io.InputStream;
import java.net.*;
/**
- JDK1.7,1.8以下工具类
- Created by BugRoot
*/
public class HttpsUrlConnectionForTLS {
public HttpURLConnection createConnection(URI uri) throws IOException {
URL url = uri.toURL();
URLConnection connection = url.openConnection();
HttpsURLConnection httpsURLConnection = (HttpsURLConnection) connection;
httpsURLConnection.setSSLSocketFactory(new TLSSocketConnectionFactory());
return httpsURLConnection;
}
public static String getResponse(HttpURLConnection Conn) throws IOException {
InputStream is;
if (Conn.getResponseCode() >= 400) {
is = Conn.getErrorStream();
} else {
is = Conn.getInputStream();
}
String response = “”;
byte buff[] = new byte[512];
int b = 0;
while ((b = is.read(buff, 0, buff.length)) != -1) {
response += new String(buff, 0, b);
}
is.close();
System.out.println(response);
return response;
}
}
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;
import java.util.LinkedList;
import java.util.List;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.cert.X509Certificate;
import org.bouncycastle.crypto.tls.*;
import org.bouncycastle.crypto.tls.Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
/**
-
重写SSLSocketFactory
-
Created by BugRoot
*/
public class TLSSocketConnectionFactory extends SSLSocketFactory {
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleProvider());
}
}
@Override
public Socket createSocket(Socket socket, final String host, int port,
boolean arg3) throws IOException {
if (socket == null) {
socket = new Socket();
}
if (!socket.isConnected()) {
socket.connect(new InetSocketAddress(host, port));
}final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
return _createSSLSocket(host, tlsClientProtocol);
}
@Override
public String[] getDefaultCipherSuites() {
return null;
}
@Override
public String[] getSupportedCipherSuites() {
return null;
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
throw new UnsupportedOperationException();
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
throw new UnsupportedOperationException();
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return null;
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
throw new UnsupportedOperationException();
}
private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
private java.security.cert.Certificate[] peertCerts;
@Override
public InputStream getInputStream() throws IOException {
return tlsClientProtocol.getInputStream();
}
@Override
public OutputStream getOutputStream() throws IOException {
return tlsClientProtocol.getOutputStream();
}
@Override
public synchronized void close() throws IOException {
tlsClientProtocol.close();
}
@Override
public void addHandshakeCompletedListener(HandshakeCompletedListener arg0) {
}
@Override
public boolean getEnableSessionCreation() {
return false;
}
@Override
public String[] getEnabledCipherSuites() {
return null;
}
@Override
public String[] getEnabledProtocols() {
return null;
}
@Override
public boolean getNeedClientAuth() {
return false;
}
@Override
public SSLSession getSession() {
return new SSLSession() {
@Override
public int getApplicationBufferSize() {
return 0;
}
@Override
public String getCipherSuite() {
throw new UnsupportedOperationException();
}
@Override
public long getCreationTime() {
throw new UnsupportedOperationException();
}
@Override
public byte[] getId() {
throw new UnsupportedOperationException();
}
@Override
public long getLastAccessedTime() {
throw new UnsupportedOperationException();
}
@Override
public java.security.cert.Certificate[] getLocalCertificates() {
throw new UnsupportedOperationException();
}
@Override
public Principal getLocalPrincipal() {
throw new UnsupportedOperationException();
}
@Override
public int getPacketBufferSize() {
throw new UnsupportedOperationException();
}
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
return null;
}
@Override
public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
return peertCerts;
}
@Override
public String getPeerHost() {
throw new UnsupportedOperationException();
}
@Override
public int getPeerPort() {
return 0;
}
@Override
public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
return null;
}
@Override
public String getProtocol() {
throw new UnsupportedOperationException();
}
@Override
public SSLSessionContext getSessionContext() {
throw new UnsupportedOperationException();
}
@Override
public Object getValue(String arg0) {
throw new UnsupportedOperationException();
}
@Override
public String[] getValueNames() {
throw new UnsupportedOperationException();
}
@Override
public void invalidate() {
throw new UnsupportedOperationException();
}
@Override
public boolean isValid() {
throw new UnsupportedOperationException();
}
@Override
public void putValue(String arg0, Object arg1) {
throw new UnsupportedOperationException();
}
@Override
public void removeValue(String arg0) {
throw new UnsupportedOperationException();
}
};
}
@Override
public String[] getSupportedProtocols() {
return null;
}
@Override
public boolean getUseClientMode() {
return false;
}
@Override
public boolean getWantClientAuth() {
return false;
}
@Override
public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) {
}
@Override
public void setEnableSessionCreation(boolean arg0) {
}
@Override
public void setEnabledCipherSuites(String[] arg0) {
}
@Override
public void setEnabledProtocols(String[] arg0) {
}
@Override
public void setNeedClientAuth(boolean arg0) {
}
@Override
public void setUseClientMode(boolean arg0) {
}
@Override
public void setWantClientAuth(boolean arg0) {
}
@Override
public String[] getSupportedCipherSuites() {
return null;
}
@Override
public void startHandshake() throws IOException {
tlsClientProtocol.connect(new DefaultTlsClient() {
@SuppressWarnings("unchecked")
@Override
public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
if (clientExtensions == null) {
clientExtensions = new Hashtable<Integer, byte[]>();
}
//Add host_name
byte[] host_name = host.getBytes();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final DataOutputStream dos = new DataOutputStream(baos);
dos.writeShort(host_name.length + 3);
dos.writeByte(0);
dos.writeShort(host_name.length);
dos.write(host_name);
dos.close();
clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
return clientExtensions;
}
@Override
public TlsAuthentication getAuthentication() throws IOException {
return new TlsAuthentication() {
@Override
public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
try {
KeyStore ks = _loadKeyStore();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
boolean trustedCertificate = false;
for (org.bouncycastle.asn1.x509.Certificate c : ((org.bouncycastle.crypto.tls.Certificate) serverCertificate).getCertificateList()) {
java.security.cert.Certificate cert = cf.generateCertificate(new ByteArrayInputStream(c.getEncoded()));
certs.add(cert);
String alias = ks.getCertificateAlias(cert);
if (alias != null) {
if (cert instanceof java.security.cert.X509Certificate) {
try {
((java.security.cert.X509Certificate) cert).checkValidity();
trustedCertificate = true;
} catch (CertificateExpiredException cee) {
// Accept all the certs!
}
}
} else {
// Accept all the certs!
}
}
if (!trustedCertificate) {
// Accept all the certs!
}
peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
} catch (Exception ex) {
ex.printStackTrace();
throw new IOException(ex);
}
}
@Override
public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
return null;
}
private KeyStore _loadKeyStore() throws Exception {
FileInputStream trustStoreFis = null;
try {
KeyStore localKeyStore = null;
String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType") != null ? System.getProperty("javax.net.ssl.trustStoreType") : KeyStore.getDefaultType();
String trustStoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider") != null ? System.getProperty("javax.net.ssl.trustStoreProvider") : "";
if (trustStoreType.length() != 0) {
if (trustStoreProvider.length() == 0) {
localKeyStore = KeyStore.getInstance(trustStoreType);
} else {
localKeyStore = KeyStore.getInstance(trustStoreType, trustStoreProvider);
}
char[] keyStorePass = null;
String str5 = System.getProperty("javax.net.ssl.trustStorePassword") != null ? System.getProperty("javax.net.ssl.trustStorePassword") : "";
if (str5.length() != 0) {
keyStorePass = str5.toCharArray();
}
localKeyStore.load(trustStoreFis, keyStorePass);
if (keyStorePass != null) {
for (int i = 0; i < keyStorePass.length; i++) {
keyStorePass[i] = 0;
}
}
}
return localKeyStore;
} finally {
if (trustStoreFis != null) {
trustStoreFis.close();
}
}
}
};
}
});
} // startHandshake
};
}
}
调用方式
/**
- httpJDK低版本请求
- Created by BugRoot
*/
public class HttpSSLUtils{
/**
* 发起get请求
* @param url 请求地址
* @return
/
public static String httpClientGet(String url) {
HttpsUrlConnectionForTLS httpsUrlConnectionMessageSender = new HttpsUrlConnectionForTLS();
HttpURLConnection connection;
String result = “”;
try {
connection = httpsUrlConnectionMessageSender.createConnection(new URI(url));
/* 设置连接方式:GET /
connection.setRequestMethod(“GET”);
/* 设置连接主机服务器超时时间:15000毫秒 /
connection.setConnectTimeout(15000);
/* 设置读取远程返回的数据时间:60000毫秒 /
connection.setReadTimeout(60000);
/* 设置通用的请求属性 /
connection.setRequestProperty(“accept”, "/*");
connection.setRequestProperty(“connection”, “Keep-Alive”);
connection.setRequestProperty(“user-agent”, “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)”);
// 设置传入参数的格式:请求参数应该是 name1=value1&name2=value2 的形式
connection.setRequestProperty(“Content-Type”, “application/x-www-form-urlencoded”);
result = getResponse(connection);
System.out.println(result);
if (connection != null) {
connection.disconnect();
}
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (URISyntaxException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return result;
}
/**
* 发起post请求
* @param url 请求地址
* @param param 请求参数
* @param token token – 如无需注释
* @return
*/
public String httpClientPost(String url ,String param,String token) {
HttpsUrlConnectionForTLS httpsUrlConnectionMessageSender = new HttpsUrlConnectionForTLS();
HttpURLConnection connection;
String result = “”;
try {
connection = httpsUrlConnectionMessageSender.createConnection(new URI(url));
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setRequestMethod(“POST”);
connection.setUseCaches(false);
connection.setInstanceFollowRedirects(true);
connection.setRequestProperty("'Accept", “application/json”);
connection.setRequestProperty(“Content-Type”, “application/json”);
connection.setRequestProperty(“token”, token);
connection.connect();
//POST请求
OutputStreamWriter os = null;
os = new OutputStreamWriter(connection.getOutputStream());
os.write(param);
os.flush();
result = getResponse(connection);
System.out.println(result);
if (connection != null) {
connection.disconnect();
}
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (URISyntaxException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return result;
}
public static String getResponse(HttpURLConnection Conn) throws IOException {
InputStream is;
if (Conn.getResponseCode() >= 400) {
is = Conn.getErrorStream();
} else {
is = Conn.getInputStream();
}
String response = “”;
byte buff[] = new byte[512];
int b = 0;
while ((b = is.read(buff, 0, buff.length)) != -1) {
response += new String(buff, 0, b);
}
is.close();
// System.out.println(response);
return response;
}
}
二:
import javax.net.ssl.;
import java.io.;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
public class HttpBidirectionalAuthentication{
private static final String pwd = “xxxxxxxxx”;// 证书密钥
private static final String certificatePath = HttpBidirectionalAuthentication(当前类名).class.getClassLoader().getResource(“xxxxxxx”).getPath();// 证书地址–src目录下
/**
* 创建SSL连接–认证(携带证书)
* @param reqUrl 请求地址
* @param reqBody 发送内容
* @param datadigest Token—如没有忽略
* @param pwd 证书密码
* @param certificatePath 证书存放地址
* @paramNoSuchAlgorithmException
/
public String createSSLConnection(String reqUrl, String reqBody,String datadigest, String pwd,String certificatePath) throws Exception{
String result = “”;
URL url = new URL(reqUrl);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setConnectTimeout(60000); // 设置连接主机超时(单位:毫秒)
conn.setReadTimeout(60000); // 设置从主机读取数据超时(单位:毫秒)
conn.setDoOutput(true); // post请求参数要放在http正文内,顾设置成true,默认是false
conn.setDoInput(true); // 设置是否从httpUrlConnection读入,默认情况下是true
conn.setUseCaches(false); // Post 请求不能使用缓存
// 设定传送的内容类型是可序列化的java对象(如果不设此项,在传送序列化对象时,当WEB服务默认的不是这种类型时可能抛java.io.EOFException)
// conn.setRequestProperty(“Content-Type”, “application/x-www-form-urlencoded”);
conn.setRequestProperty(“Content-Type”, “application/json”);
conn.setRequestMethod(“POST”);// 设定请求的方法为"POST",默认是GET
conn.setRequestProperty(“Content-Length”, reqBody.length() + “”);
//验证主机
conn.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String s, SSLSession sslSession) {
return true;
}
});
try {
SSLSocketFactory sslSocketFactory = initCert(pwd,certificatePath);
conn.setSSLSocketFactory(sslSocketFactory);
}catch (Exception e){
throw new Exception(“证书加载错误”);
}
String encode = “utf-8”;
OutputStreamWriter out = new OutputStreamWriter(conn.getOutputStream(), encode);
out.write(reqBody);
out.flush();
out.close();
result = getResponse(conn);
System.out.println(result);
if (conn != null) {
conn.disconnect();
}
return result;
}
/*
* 加载证书
* @param pwd 证书密码
* @param path 证书存放地址
*/
private SSLSocketFactory initCert(String pwd, String path) throws Exception {
FileInputStream instream = null;
try {
instream = new FileInputStream(new File(path));
//将证书加载进证书库
KeyStore ks = KeyStore.getInstance(“PKCS12”);
ks.load(instream, pwd.toCharArray());
//初始化秘钥管理器
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(ks, pwd.toCharArray());
//信任所有证书–注意
X509TrustManager tm = new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { }
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { }
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
SSLContext sslContext = SSLContext.getInstance(“TLS”);
// 第一个参数是授权的密钥管理器,用来授权验证。TrustManager[]第二个是被授权的证书管理器,用来验证服务器端的证书。第三个参数是一个随机数值,可以填写null
sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[]{tm}, null);
return sslContext.getSocketFactory();
}catch(Exception e){
e.printStackTrace();
throw new Exception(e.getMessage());
}finally {
if(instream != null){
try{instream.close();}catch (IOException e1){e1.printStackTrace();}
}
}
}
public static String getResponse(HttpURLConnection Conn) throws IOException {
InputStream is;
if (Conn.getResponseCode() >= 400) {
is = Conn.getErrorStream();
} else {
is = Conn.getInputStream();
}
String response = “”;
byte buff[] = new byte[512];
int b = 0;
while ((b = is.read(buff, 0, buff.length)) != -1) {
response += new String(buff, 0, b);
}
is.close();
// System.out.println(response);
return response;
}
}
扫一扫
1122
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
