JDK 11 HttpClient 抛出“没有主题替代 DNS 名称”错误

Question

我正在编写一个基于 JDK11 HttpClient 的简单 REST api 客户端，简单代码如下：

public class MyClass {

    private static final X509TrustManager TRUST_MANAGER = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] xcs, String string) {
        }

        public void checkServerTrusted(X509Certificate[] xcs, String string) {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    };

    private static HttpClient getNewHttpClient() {
        int timeout = 600;
        try {

            HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);

            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
            sslContext.init(null, new TrustManager[]{TRUST_MANAGER}, new SecureRandom());

            // Install the all-trusting host verifier
            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

            //Set SSL parameters
            SSLParameters parameters = new SSLParameters();
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
                HttpClient httpClient = HttpClient.newBuilder()
                    .connectTimeout(Duration.ofMillis(timeout * 1000))
                    .sslContext(sslContext)
                    .sslParameters(parameters)
                    .build();
            return httpClient;
        } catch (Exception e) {
            logger.warn("Unable to create HttpClient with disabled SSL Certificate verifying, default client will be used", e);
            return HttpClient.newHttpClient();
        }
    }

    public static void main(String[] args) {
        HttpRequest requestBuilder = HttpRequest.newBuilder()
                .uri(URI.create("https://somehostname.xx.xxx.net"))
                .GET()
                .build();

        getNewHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
    }
}

问题是，当我尝试打开某个 SSL 域时，出现错误：

引起：java.security.cert.CertificateException：找不到与 somehostname.xx.xxx.net 匹配的主题替代 DNS 名称。

我怎么解决这个问题？

Answer 1

虽然完全关闭主机名验证（即针对整个 VM）可能是一种选择，但它可能很危险。 如果从 javax.net.ssl.X509ExtendedTrustManager 派生 TRUST_MANAGER，也可以禁用主机名验证。

    private static final TrustManager DUMMY_TRUST_MANAGER = new X509ExtendedTrustManager() {        
    @Override
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return new java.security.cert.X509Certificate[0];
    }
    @Override
    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }
    @Override
    public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { }
};

当然，这也将完全禁用对提供给您的客户的证书的任何检查。

在https://bugs.openjdk.java.net/browse/JDK-8213309上还有一个 open Issue，用于向 JDK 添加 API 以专门关闭主机名验证。 如果您也可以访问 openjdk 错误数据库，则可以为该问题投票。

JDK 11 HttpClient 抛出“没有主题替代 DNS 名称”错误

问题描述

1 个解决方案

解决方案1
1 2021-05-21 06:54:40

JDK 11 HttpClient 抛出“没有主题替代 DNS 名称”错误

问题描述

1 个解决方案

解决方案1 1 2021-05-21 06:54:40

解决方案1
1 2021-05-21 06:54:40