如何在自定义JMX客户端中忽略SSL证书

Question

I want to write a custom JMX client. The client connects to a server I trust. I definitely don't want to import the key using the keytool. It fails when getting the connection with a SsLHandshakeException .

String username = "admin";
String password = "admin";
String[] credentials = new String[] { username, password };
Map<String, Object> env = new HashMap<>();
env.put(JMXConnector.CREDENTIALS, credentials);
// Only required for SSL Connections
env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
// MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://trustedhost:10010/jmxrmi");
JMXConnector jmxc = JMXConnectorFactory.connect(url, env);

The Exception I get:

Exception in thread "main" java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:369)
    at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
    at my.monitor.TestMbean.main(TestMbean.java:32)
Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:122)
    at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:205)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1957)
    at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1924)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:287)
    ... 2 more
Caused by: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:118)
    ... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:980)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:735)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at java.io.DataOutputStream.flush(DataOutputStream.java:123)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
    ... 11 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:505)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
    ... 18 more

Answer 1

I don't know a way to circumvent the SSL security which Java requires but I think you should reconsider your stance on "I definitely don't want to import the key using the keytool." The question isn't whether you trust the server. The important questions are:

1. You want plain text communication with the server. How many people will be able to listen on this? If your client runs inside the local network, then only everyone in the same company will be able to spy on you. If you leave the protected network, an unknown number of people can suddenly watch what you're doing.
2. If you disable SSL in the client, how should the server make sure that commands are coming from you? Without SSL, someone could hijack your communication and take control of the server.
3. Without SSL, the password will be transmitted as plain text. A TV station recently found that having post it notes with passwords on the wall while giving interviews is not a smart move in 2015.

So the correct question should be: How can I set up SSL correctly to secure JMX? See http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html search "Using SSL"

Answer 2

The client connects to a server I trust.

How do you know? The whole purpose of certificate validation is to make sure that you actually connect to the server you want to and not to some man-in-the-middle.

Answer 3

Try putting this before your code

TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
    }

    public void checkClientTrusted(X509Certificate[] certs, String authType) {
    }

    public void checkServerTrusted(X509Certificate[] certs, String authType) {
    }
}
};

try {
    logger.info("Hacking SSL Validation");
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    SSLContext.setDefault(sc);
    logger.info("SSL Validation hacked");
} catch (Exception e) {
    throw new RuntimeException(e);
}