Testing with untrusted Https


Testing web applications in development environments that use Https with unsigned certificates can be challenging, especially if you've never had the pleasure of working with Sun's keytool utility and X.509 certificates.

The issue manifests itself as javax.net.ssl.SSLHandshakeException and sun.security.validator.ValidatorException. For example, attempting to access an untrusted Https site from Java may yield stack traces with these tidbits:

javax.net.ssl.SSLHandshakeException:
 sun.security.validator.ValidatorException:
  PKIX path building failed:
   sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: 
 PKIX path building failed: 
  sun.security.provider.certpath.SunCertPathBuilderException:
   unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
 unable to find valid certification path to requested target

Solving this problem requires two steps. First, the web server’s certificate must be captured. Then, the certificate must be imported with Sun’s keytool utility (which comes with Java).

Obtaining a copy of the certificate in X.509 format requires Microsoft's Internet Explorer. Enter the https URL in the browser; a dialog pops up asking whether to accept the certificate. Click the View Certificate button and then the Details tab. In this tab, click the Copy to File button, then click Next and select the Base-64 encoded X.509 (.CER) option. Click Next again to save the resulting file.

Importing the .cer file requires the keytool utility, which is found in the bin directory of a Java installation. With this tool, the .cer file is imported into the cacerts keystore, which lives in the lib/security directory of the Java installation. The easiest thing to do is to copy the .cer file obtained via Internet Explorer into the lib/security directory under your Java home.

For example, if using the Java SDK 1.4.2, the location on Windows could be something like C:/j2sdk1.4.2_05/jre/lib/security.

Once the .cer file has been copied to that directory, open a command prompt and either go to the security directory or use qualified paths. Type the following command:

$ ../../bin/keytool.exe -import -storepass changeit -file mycert.cer 
 -keystore cacerts -alias mycert

The only parts requiring changes are the name of the certificate file (in this case mycert.cer) and the alias (mycert).
The keytool will print a series of statements describing the certificate and finally ask whether or not to trust it. Type yes and press Enter.
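The two steps above (capture the certificate, then import it) as an added shell example that is not part of the original post. It replaces the Internet Explorer step with openssl s_client, and assumes openssl and keytool are on PATH, JAVA_HOME points at the JRE whose cacerts your tests use, and the host, port and alias are placeholders you substitute.

```shell
#!/bin/sh
# Added example (not from the original post): capture a server's certificate
# with openssl instead of Internet Explorer, then import it into cacerts.
# Assumptions: openssl and keytool are on PATH; JAVA_HOME points at the JRE
# whose trust store the tests will use; host, port and alias are placeholders.

# Print the first PEM block on stdin: the leaf certificate as emitted by
# `openssl s_client -showcerts`. Plain awk, so it can be checked offline.
extract_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Save the certificate presented by HOST:PORT as Base-64 X.509 (.cer), the
# same format the IE "Copy to File" dialog produces. Fails if nothing came back.
fetch_cert() {
    host=$1; port=$2; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | extract_leaf_cert >"$out"
    [ -s "$out" ]
}

# Import the .cer into the JRE trust store (default password "changeit") without
# the interactive trust prompt, then list the alias back as a check.
import_cert() {
    cer=$1; name=$2
    ks="${JAVA_HOME:?JAVA_HOME must be set}/lib/security/cacerts"
    keytool -import -noprompt -storepass changeit -file "$cer" \
        -keystore "$ks" -alias "$name"
    keytool -list -storepass changeit -keystore "$ks" -alias "$name"
}

# Example run with the host from the post (placeholder values):
#   fetch_cert prf.acme.com 4175 mycert.cer && import_cert mycert.cer mycert
```

The `-noprompt` flag answers the "trust this certificate?" question for you, so the import can run unattended in a build script.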

The problem should now be solved. Verifying it is as easy as writing a test case. For instance, the following JUnit test verifies that the previously untrusted Https site can be reached via Jakarta's HttpClient.

package test.com.srv.rls.https.submit;

import junit.framework.TestCase;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

public class HttpsSubmitTest extends TestCase {

 // Passes only if the JVM's cacerts now trusts the server's certificate;
 // otherwise executeMethod throws an SSLHandshakeException.
 public void testHttpsConnection() throws Exception {
  HttpClient httpclient = new HttpClient();
  GetMethod httpget =
   new GetMethod("https://prf.acme.com:4175/invoke/ir/rve");
  try {
   httpclient.executeMethod(httpget);
   assertEquals("should have been 200",
      200, httpget.getStatusLine().getStatusCode());
  } finally {
   httpget.releaseConnection();
  }
 }
}

Now testing web applications via JUnit extensions like jWebUnit or HttpUnit is a breeze, so long as they run in the VM which contains the updated keystore.

### Solution overview

When you get a `500 Error` together with `SSL peer certificate untrusted`, it is usually because the server cannot validate the client certificate. Possible causes:

1. The client certificate was not issued by a trusted CA.
2. The server is misconfigured and lacks the intermediate or root certificate.
3. OpenSSL or another crypto library failed to parse or load the certificate chain.

The analysis and fixes below address each case[^1].

---

### Possible causes and corresponding measures

#### 1. **Client certificate not trusted**

If the client certificate was issued by a CA the server does not trust, the server rejects the connection and returns an error. To resolve this:

- Confirm that the client certificate is signed by a trusted CA.
- If it is self-signed, import it into the server's trust store.

```bash
openssl x509 -in client-cert.pem -text -noout
```

Use the command above to check whether the `Issuer` field names a known, trusted CA[^3].

---

#### 2. **Server configuration missing the intermediate certificate**

In some cases the root certificate supplied by the CA is not enough to complete chain validation; the intermediate certificate must also be provided. Steps:

- Obtain the full chain file (usually `.pem`), which contains the root, intermediate and end-entity certificates.
- Configure it in the web server. In Nginx, for example:

```nginx
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/private.key;
```

HAProxy users can refer to the following configuration fragment[^2]:

```haproxy
frontend https-in
    # Load every certificate in the directory and reject handshakes whose
    # SNI matches none of them.
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
```

Make sure the certificate files under that path support the SNI extension and that TLS extension support is enabled.

---

#### 3. **Outdated OpenSSL library**

If the OpenSSL version in the runtime environment is old, there may be compatibility problems or missing security features. Upgrade to the latest stable release (such as OpenSSL 1.1.x or later), then recompile the dependent services so they pick up the new library.

---

#### 4. **Debugging tools to narrow down the failure**

To locate the exact step that fails, capture detailed handshake logs with these tools:

- Use Wireshark to capture the traffic and look for abnormal disconnects.
- Enable OpenSSL's verbose info callback for more detailed output:

```c
#include <stdio.h>
#include <openssl/ssl.h>

/* Called by OpenSSL on every handshake state change. */
static void app_info_cb(const SSL *ssl, int type, int val) {
    printf("Info callback called with %d:%d\n", type, val);
}
/* Register it on the SSL_CTX before any connection is created. */
SSL_CTX_set_info_callback(ctx, app_info_cb);
```

This callback shows each state transition, which helps pinpoint where the handshake goes wrong[^1].

---

### Summary

In short, the root cause of "500 error SSL peer certificate untrusted" is that something unacceptable happened during certificate validation. Checking and adjusting each of the areas above will clear this kind of failure.

---