Is it possible to disable ssl for https?

Application on Java. OkHttp version 2.7.5 is used. A request is made to another service and an error occurs.

SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

I do not have a certificate. It seems there are solutions for the version of okHttp3. But the version cannot be changed. How to solve a problem?

Is it possible to disable ssl for https?

Literally, no.

Use of SSL is fundamental to the HTTPS protocol. If you don't want to use SSL at all, configure your server with an HTTP endpoint and use that instead of HTTPS.

Furthermore, use of SSL requires a certificate that is (at least) syntactically well-formed. That is also fundamental to the HTTPS protocol.

Now if the problem is that your server certificate has expired, then a possible solution is to use the approach described in:

And if the problem is that you cannot get a proper certificate for the server (e.g. you can't afford it) then an alternative solution is:

  1. generate a self-signed certificate; see How to generate a self-signed certificate using Java Keytool,
  2. install it on the server side,
  3. configure the client as above to ignore certificate validity.

But note that doing either of those things has security issues.

There is a third solution that is more secure.

  1. generate a self-signed certificate (as above)
  2. install it on the server side,
  3. use Keytool to add the certificate to the client app's keystore as a trusted certificate.
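The client side of the third solution, as an added example that is not part of the original answers: it builds an SSLContext that trusts only the certificates in a truststore file created with `keytool -importcert`, so chain validation and hostname verification both stay enabled. The class name, the argument order and the use of `HttpsURLConnection` for the test request are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; not from the original page.
public class PinnedTrustStoreClient {

    // Builds an SSLContext whose only trust anchors are the certificates in the given truststore.
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        // Fail early with a clear message instead of an opaque handshake error later.
        int trusted = 0;
        for (String alias : Collections.list(trustStore.aliases())) {
            if (trustStore.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) trustStore.getCertificate(alias);
                cert.checkValidity(); // throws if the certificate is expired or not yet valid
                trusted++;
            }
        }
        if (trusted == 0) {
            throw new IllegalStateException("no trusted certificate entries in " + path);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: truststore path, truststore password, HTTPS URL of the service.
        SSLContext ctx = contextFromTrustStore(args[0], args[1].toCharArray());
        // With OkHttp 2.x the same factory is passed via client.setSslSocketFactory(...).
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[2]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is left in place, so the certificate must name the host.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because hostname verification stays on, the self-signed certificate has to carry the server's host name in its subjectAltName (keytool's `-ext SAN=dns:...` option when generating it).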

Why would you want to use HTTPS but not have certificates? You should follow what Stephen mentioned above. However, if you want to literally forget what https is meant for, you can consider overriding the behavior:

import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

// Builds an OkHttp 3 client that accepts any certificate chain and any host name.
private static OkHttpClient getUnprotectedClient() {
    try {
        // Create a trust manager that does not validate certificate chains
        final TrustManager[] trustAllCerts = new TrustManager[]{
            new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] chain,
                                               String authType) throws CertificateException {
                    // Intentionally empty: every client certificate is accepted
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain,
                                               String authType) throws CertificateException {
                    // Intentionally empty: every server certificate is accepted
                }

                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            }
        };

        // Install the all-trusting trust manager
        final SSLContext sslContext = SSLContext.getInstance("SSL");
        sslContext.init(null, trustAllCerts, new SecureRandom());
        // Create an ssl socket factory with our all-trusting manager
        final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

        return new OkHttpClient.Builder()
                .sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0])
                // Accept the connection whatever host name the certificate carries
                .hostnameVerifier(new HostnameVerifier() {
                    @Override
                    public boolean verify(String hostname, SSLSession session) {
                        return true;
                    }
                }).build();

    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}
