This article covers why the certificate chain seen through HttpsURLConnection differs from the one seen through Apache (System)DefaultHttpClient, and how to resolve it.

Problem description

I am facing a weird issue w.r.t. the Apache HTTPS client. I am trying to connect to an external HTTPS website which has basic authentication turned on (SSL server authentication only). Here is the summary of my tests and conclusions.

  • Use any of Chrome/Firefox/IE to connect to the website -> success

  • Use javax.net.ssl.HttpsURLConnection -> success

  • Use either of DefaultHttpClient or SystemDefaultHttpClient -> failure

I tried to debug by setting "javax.net.debug" to "ssl". I noticed that both the clients pick up the same trust store (default JDK trust store) and use the same protocol (TLSv1). However, the differences were here:

I noticed that the following extension was returned by the JDK

Extension server_name, server_name: [host_name: websitehostname]

while the above extension was missing in the Apache web client debug log.

Also, one more difference I saw was in the certificate chain.

The response below is from the JDK native client:

chain [0] = [ [ Version: V3 Subject: CN=websitename, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)13, OU=GT17702541, SERIALNUMBER=Q2La1fpFlFdNy4kUCIehYlMvw6 Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

while in the apache client it is the following:

chain [0] = [ [ Version: V3 Subject: EMAILADDRESS=root@i4319, CN=i4319, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, ST=SomeState, C=-- Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

and obviously I get the following exception with the apache https client:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Before I go back and redo my work to use the JDK native client, I would like to know what is happening. Any insight on this behaviour would be appreciated.

Accepted answer

After a lot of searching, it looks like this weird issue is because of the lack of SNI support in the Apache client. Here is the JIRA that discusses the problem and a possible solution:

https://issues.apache.org/jira/browse/HTTPCLIENT-1119

and a possible workaround:

https://wiki.apache.org/HttpComponents/SNISupport
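The diagnosis above can be confirmed directly, without either HTTP client: the added Java program below (not code from the question, the answer or the Apache project) performs one handshake with the TLS server_name extension and one without, and records the subject of the leaf certificate the server presents in each case. The JDK default trust store stays enforced; the wrapping trust manager only observes the chain before delegating. It assumes Java 8 or later (for SNIHostName and SSLParameters.setServerNames), and the host name is a placeholder to replace with the site under test.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class SniChainCheck {
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JDK default trust store (cacerts)
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Subject DN of chain[0] as sent by the server; suffixed with the reason if the JDK rejected it. */
    static String leafSubject(String host, int port, boolean sendSni) throws Exception {
        final X509TrustManager real = defaultTrustManager();
        final String[] seen = { null };
        X509TrustManager observing = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                seen[0] = c[0].getSubjectX500Principal().getName(); // record first, then enforce as usual
                real.checkServerTrusted(c, a);
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { observing }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            // One SNIHostName = what HttpsURLConnection sends; an empty list = no server_name
            // extension at all, which is what the HttpClient versions in the question sent.
            p.setServerNames(sendSni ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                                     : Collections.<SNIServerName>emptyList());
            s.setSSLParameters(p);
            try {
                s.startHandshake();
                return seen[0];
            } catch (SSLHandshakeException e) {
                return (seen[0] == null ? "<no chain seen>" : seen[0]) + " [UNTRUSTED: " + e.getMessage() + "]";
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.org"; // placeholder; pass the real host as argv[0]
        System.out.println("with SNI:    " + leafSubject(host, 443, true));
        System.out.println("without SNI: " + leafSubject(host, 443, false));
    }
}
```

On a server that picks its certificate by SNI, the second line shows the default virtual host's certificate (the CN=i4319 style chain in the question) together with the trust failure, which is exactly what the old HttpClient saw.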


07-30 06:04