堆棧內存溢出
  簡體   English   中英

如何在自定義JMX客戶端中忽略SSL證書

[英]How to ignore SSL certificate in custom JMX client

 原文  2015-04-17 14:13:33       java/ ssl/ jmx

問題描述

我想編寫一個自定義的JMX客戶端。 客戶端連接到我信任的服務器。 我絕對不想使用keytool導入密鑰。 使用SsLHandshakeException獲得連接時失敗。 

String username = "admin";
String password = "admin";
String[] credentials = new String[] { username, password };
Map<String, Object> env = new HashMap<>();
env.put(JMXConnector.CREDENTIALS, credentials);
// Only required for SSL Connections
env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
// MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://trustedhost:10010/jmxrmi");
JMXConnector jmxc = JMXConnectorFactory.connect(url, env);

我得到的異常: 

Exception in thread "main" java.io.IOException: Failed to retrieve RMIServer stub: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:369)
    at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
    at my.monitor.TestMbean.main(TestMbean.java:32)
Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:122)
    at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:205)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1957)
    at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1924)
    at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:287)
    ... 2 more
Caused by: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is: 
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:118)
    ... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:980)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:735)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at java.io.DataOutputStream.flush(DataOutputStream.java:123)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
    ... 11 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:505)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
    ... 18 more

3 個解決方案

解決方案1
 1  2015-04-17 14:56:04

我不知道有什么方法可以規避Java所需的SSL安全性,但我認為您應該重新考慮“我絕對不想使用keytool導入密鑰”的立場。 問題不在於您是否信任服務器。 重要的問題是:

  1. 您希望與服務器進行純文本通信。 有多少人可以聽呢? 如果您的客戶端在局域網內運行,則只有同一公司的每個人都可以監視您。 如果您離開受保護的網絡,則未知人數的人會突然看着您在做什么。
  2. 如果在客戶端中禁用SSL,服務器應如何確保命令來自您? 沒有SSL,某人可能會劫持您的通信並控制服務器。
  3. 沒有SSL,密碼將以純文本格式傳輸。 一個電視台最近發現 ,在接受采訪時在牆上貼上帶有密碼的便條在2015年並不是明智之舉。

因此,正確的問題應該是:如何正確設置SSL以保護JMX? 請參見http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html搜索“使用SSL”

解決方案2
 1  2015-04-17 14:56:18

客戶端連接到我信任的服務器。

你怎么知道的? 證書驗證的整個目的是確保您確實連接到想要的服務器,而不是中間人。

解決方案3
 0  2016-02-11 15:26:28

嘗試將其放在代碼之前 

TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
        return null;
    }

    public void checkClientTrusted(X509Certificate[] certs, String authType) {
    }

    public void checkServerTrusted(X509Certificate[] certs, String authType) {
    }
}
};

try {
    logger.info("Hacking SSL Validation");
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    SSLContext.setDefault(sc);
    logger.info("SSL Validation hacked");
} catch (Exception e) {
    throw new RuntimeException(e);
}

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 如何使Restlet客戶端忽略SSL證書問題 如何忽略 SSL 證書 Java 帶有SSL的Java JMX客戶端 忽略Servlet中的SSL證書 JAVA SSL:如何獲取客戶端證書信息 如何在 java SSL 中加載本地客戶端證書? 使用Java忽略SSL證書錯誤 java - 忽略過期的 ssl 證書 SSL客戶端如何接受過期的SSL證書 等待任務如何忽略 SSL 證書問題?
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM