Problem description

We are developing an application using Tomcat and Jersey. Within this web application we need to connect to an HTTPS website with a valid, not expired certificate. If I connect to this website locally via my Chrome browser, everything works fine! Unfortunately the Tomcat server with our webapp throws an exception. We are using the Apache HttpClient (4.0) to connect to the HTTPS site:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
The server certificate is absolutely valid and from Thawte. Three different online tools validated the certificate successfully. OpenSSL has an issue, too, and shows me three certificates but throws a simple error:
Verify return code: 20 (unable to get local issuer certificate)
The problem with OpenSSL seems to be that it uses the wrong path /usr/lib/ssl instead of /etc/ssl/certs. If I use the CApath argument pointing to the proper path, OpenSSL works fine, so may this be an issue with the HttpClient?
So our code for the default client is quite simple:
HttpClient client = new DefaultHttpClient();
HttpResponse response = client.execute(new HttpGet(url)); // this throws the exception
EntityUtils.consume(response.getEntity());
It's not an option to allow any certificates by implementing a custom TrustManager! Further I read that some CAs are not part of the JDK/JRE and so their certificates should be imported manually into the keystore or use a custom one, but Thawte is a well-known CA and shouldn't it work by default?
Edit

I did set the javax.debug properties in catalina.sh so that I have further information about the problem:
http-bio-8080-exec-1, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: basic constraints check failed:
pathLenConstraint violated - this cert must be the last cert in the certification path
I would appreciate any help! Thanks in advance!
Recommended answer

Okay, I got it working! Although Thawte is a well-known CA it seems that Java SSL did have some problems with it. After downloading the SSL certificate via openssl:
echo |\
openssl s_client -connect ${REMHOST}:${REMPORT} 2>&1 |\
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
and saving it into a PEM file, I did the manual import into the Java keystore:
keytool -import -alias myAlias -file theCert.pem -keystore lib/security/cacerts
I have no idea why Java SSL was not able to validate the Thawte certificate properly. Listing the keystore showed me that there are 7 Thawte trusted certificates in the standard keystore, but bizarrely it did not work until I manually imported the PEM file.
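An added diagnostic, not from the question or the accepted answer: rather than importing the leaf certificate into cacerts (which pins that one certificate), run the chain saved from the openssl command above through the same PKIX CertPathValidator and default truststore that HttpClient's default SSLSocketFactory relies on, and print each certificate's basicConstraints so the certificate that triggers "pathLenConstraint violated" can be identified. The file name theCert.pem and the stock cacerts password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public class ChainDiag {
    public static void main(String[] args) throws Exception {
        // theCert.pem: the chain saved from the openssl s_client output (leaf first); assumed name
        String pemFile = args.length > 0 ? args[0] : "theCert.pem";
        // The truststore the JRE (and therefore HttpClient's default SSLSocketFactory) uses
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (Certificate c : cf.generateCertificates(new FileInputStream(pemFile))) {
            chain.add((X509Certificate) c);
        }
        for (X509Certificate c : chain) {
            // -1: not a CA certificate; Integer.MAX_VALUE: CA without a pathLen limit
            int bc = c.getBasicConstraints();
            String role = bc < 0 ? "end-entity"
                : "CA pathLen=" + (bc == Integer.MAX_VALUE ? "unlimited" : String.valueOf(bc));
            System.out.println(c.getSubjectX500Principal() + " [" + role + "]"
                + "  issued by " + c.getIssuerX500Principal());
        }

        // "changeit" is the stock password of the JRE cacerts file (assumed unchanged)
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(new FileInputStream(cacerts), "changeit".toCharArray());
        PKIXParameters params = new PKIXParameters(ks); // every trusted cert becomes an anchor
        params.setRevocationEnabled(false); // JSSE does not check revocation by default either

        CertPath path = cf.generateCertPath(chain);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) cpv.validate(path, params);
            System.out.println("OK, anchored at " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the chain of the certificate that failed the check
            System.out.println("FAILED at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

A CA certificate listed with pathLen=0 that is followed by another CA certificate in the chain is the one the validator rejects, which points at a wrong or superfluous intermediate sent by the server rather than at a missing Thawte root.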