调试SSL/TLS连接"可能看起来已过时,但在解决SSL相关问题时仍然有用. [1] http://docs .oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html [2] http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug I am trying to figure out how to send a successful HTTP GET request to a server requiring SNI.I searched on SO and other places, and found some articles that said that SNI is now supported in JDK7, as well as Apache HTTP Components.https://issues.apache.org/jira/browse/HTTPCLIENT-1119https://wiki.apache.org/HttpComponents/SNISupportRelevant SO article: Certificate chain different between HTTPSURLconnection and Apache (System) DefaultHttpClient--However, I cannot seem to find any docs that show how to get this to work.Here is the code I am using... KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); String trustedCertsPath = System.getenv("JAVA_HOME") + "/jre/lib/security/cacerts"; FileInputStream certstream = new FileInputStream(new File(trustedCertsPath)); try { trustStore.load(certstream, "changeit".toCharArray()); } finally { certstream.close(); } // Trust own CA and all self-signed certs SSLContext sslcontext = SSLContexts.custom() .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy()) .build(); // Allow TLSv1 protocol only SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory( sslcontext, new String[] { "TLSv1" }, null, SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); CloseableHttpClient httpclient2 = HttpClients.custom() .setSSLSocketFactory(sslsf) .build(); CloseableHttpClient httpclient = HttpClients.createDefault(); HttpGet httpget = new HttpGet(uri); CloseableHttpResponse response = httpclient.execute(httpget); try { HttpEntity entity = response.getEntity(); if (entity != null) { tempFile = File.createTempFile(httpFile.getTempFilePrefix(), httpFile.getTempFilePosfix()); FileOutputStream os = new FileOutputStream(tempFile); InputStream instream = entity.getContent(); try { IOUtils.copy(instream, os); } finally { try { instream.close(); } catch (Exception e) {} try { os.close(); } catch (Exception e) {} } } } finally { response.close(); }When I run this, the request fails.The server requires SNI in the request, and without it, it returns an expired cert that has the wrong CommonName, due to which it gets rejected.If I use the httpclient2 instance, that is setup using a custom SSL context to allow all hTTP certs, then the request succeeds. However, that is not something I want to enable on a server that does a lot of downloads per day against different hosts.I am using httpclient v 4.3.5Any help appreciated.Thanks. 解决方案 SNI should work completely transparently when running on Java 1.7 or newer. No configuration is required. If for whatever reason SSL handshake with SNI enabled server fails you should be able to find out why (and whether or not the SNI extension was properly employed) by turning on SSL debug logging as described here [1] and here [2] 'Debugging SSL/TLS Connections' may look outdated but it can still be useful when troubleshooting SSL related issues. [1] http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html[2] http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug 这篇关于如何使用Apache HTTPComponents HttpClient在HTTP请求中启用SNI?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持! 10-12 09:35