我正在开发一个使用Netty来管理其SSL / TLS连接的应用程序。我正在尝试测试它可以正确处理各种证书错误，为此我使用badssl.com。

但是，当我尝试连接到badssl.com时，会引发异常（为简洁明了起见，已编辑并删除了完整的调用堆栈跟踪）：

 An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
    io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Handshake failed
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:372)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:358)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:350)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)

...
    Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
        at com.android.org.conscrypt.OpenSSLEngineImpl.unwrap(OpenSSLEngineImpl.java:436)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:1006)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1094)

...

    Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
        at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
        at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219)
...
    Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
        at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318) 
        at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:219) 
        at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:113)

    sslContext = SslContextBuilder
            .forClient()
            .sslProvider(SslProvider.JDK)
            // TODO p0: Ensure all the versions we support have this algorithm installed
            //.trustManager(InsecureTrustManagerFactory.INSTANCE)
            .build();

ChannelPipeline pipeline = ch.pipeline();
pipeline.addLast(sslContext.newHandler(ch.alloc(), host.getHostName(), host.getPort()));

            ChannelFuture future = bootstrap.connect(host).addListener(new ChannelFutureListener() {
                @Override
                public void operationComplete(ChannelFuture future) throws Exception {
                    String request = "GET https://badssl.com/\n" +
                            "Host: +" + host.getHostName() + "\n" +
                            "Accept: text/html,application/xhtml+xml,application/xml;"
                            + "DNT: 1\n\n";

                    future.channel().writeAndFlush(Unpooled.copiedBuffer(
                            request, Charset.forName("ASCII")));
                }

我的猜测是您的代码不使用Server Name Indication (SNI)。在这种情况下，到badssl.com的TLS握手将产生证书：

Subject: ...CN=badssl-fallback-unknown-subdomain-or-no-sni
Issuer:  ...CN=BadSSL Intermediate Certificate Authority

Subject: ... CN=*.badssl.com
Issuer:  ... CN=COMODO RSA Domain Validation Secure Server CA