[英]JDK 11 HttpClient throws "No subject alternative DNS name" error
我正在编写一个基于 JDK11 HttpClient 的简单 REST api 客户端,简单代码如下:
public class MyClass {
private static final X509TrustManager TRUST_MANAGER = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs, String string) {
}
public void checkServerTrusted(X509Certificate[] xcs, String string) {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
private static HttpClient getNewHttpClient() {
int timeout = 600;
try {
HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, new TrustManager[]{TRUST_MANAGER}, new SecureRandom());
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
//Set SSL parameters
SSLParameters parameters = new SSLParameters();
parameters.setEndpointIdentificationAlgorithm("HTTPS");
HttpClient httpClient = HttpClient.newBuilder()
.connectTimeout(Duration.ofMillis(timeout * 1000))
.sslContext(sslContext)
.sslParameters(parameters)
.build();
return httpClient;
} catch (Exception e) {
logger.warn("Unable to create HttpClient with disabled SSL Certificate verifying, default client will be used", e);
return HttpClient.newHttpClient();
}
}
public static void main(String[] args) {
HttpRequest requestBuilder = HttpRequest.newBuilder()
.uri(URI.create("https://somehostname.xx.xxx.net"))
.GET()
.build();
getNewHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
}
}
问题是,当我尝试打开某个 SSL 域时,出现错误:
引起:java.security.cert.CertificateException:找不到与 somehostname.xx.xxx.net 匹配的主题替代 DNS 名称。
我怎么解决这个问题?
虽然完全关闭主机名验证(即针对整个 VM)可能是一种选择,但它可能很危险。 如果从 javax.net.ssl.X509ExtendedTrustManager 派生 TRUST_MANAGER,也可以禁用主机名验证。
private static final TrustManager DUMMY_TRUST_MANAGER = new X509ExtendedTrustManager() {
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[0];
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { }
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { }
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException { }
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException { }
};
当然,这也将完全禁用对提供给您的客户的证书的任何检查。
在https://bugs.openjdk.java.net/browse/JDK-8213309上还有一个 open Issue,用于向 JDK 添加 API 以专门关闭主机名验证。 如果您也可以访问 openjdk 错误数据库,则可以为该问题投票。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.