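How to resolve: the sample Java client works, but from the Java application it reports "unable to find valid certification path to requested target"
The sample Java client below works: it connects to the server and gets output [Response Code: 200]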
import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.Certificate;
import java.io.*;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public class HttpsClient {
    public static void main(String[] args) {
        new HttpsClient().testIt();
    }

    private void testIt() {
        String https_url = "https://sampleserver.net:443/webapp/connect.dll?Connect&time=2208282020&serial=46010&value=758.24";
        URL url;
        try {
            url = new URL(https_url);
            HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
            // dump all cert info
            print_https_cert(con);
            // dump all the content
            print_content(con);
        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    private void print_https_cert(HttpsURLConnection con) {
        if (con != null) {
            try {
                // getResponseCode() triggers the TLS handshake
                System.out.println("Response Code : " + con.getResponseCode());
                System.out.println("Cipher Suite : " + con.getCipherSuite());
                System.out.println("\n");
                // chain as sent by the server, leaf certificate first
                Certificate[] certs = con.getServerCertificates();
                for (Certificate cert : certs) {
                    System.out.println("Cert Type : " + cert.getType());
                    System.out.println("Cert Hash Code : " + cert.hashCode());
                    System.out.println("Cert Public Key Algorithm : "
                            + cert.getPublicKey().getAlgorithm());
                    System.out.println("Cert Public Key Format : "
                            + cert.getPublicKey().getFormat());
                    System.out.println("\n");
                }
            } catch (SSLPeerUnverifiedException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    private void print_content(HttpsURLConnection con) {
        if (con != null) {
            try {
                System.out.println("****** Content of the URL ********");
                BufferedReader br =
                        new BufferedReader(
                                new InputStreamReader(con.getInputStream()));
                String input;
                while ((input = br.readLine()) != null) {
                    System.out.println(input);
                }
                br.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}
Response Code : 200
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Cert Type : X.509
Cert Hash Code : 31005469
Cert Public Key Algorithm : RSA
Cert Public Key Format : X.509
Cert Type : X.509
Cert Hash Code : 16813553
Cert Public Key Algorithm : RSA
Cert Public Key Format : X.509
Cert Type : X.509
Cert Hash Code : 5605913
Cert Public Key Algorithm : RSA
Cert Public Key Format : X.509
Executed from both jdk7 and jdk8 by changing the path. [Response Code: 200]
export JAVA_HOME=/usr/java/jdk1.7.0_60
export PATH=/usr/java/jdk1.7.0_60/bin:$PATH
/usr/java/jdk1.7.0_60/bin/javac HttpsClient.java
/usr/java/jdk1.7.0_60/bin/java -classpath . -Djavax.net.ssl.trustStore=/usr/java/jdk1.7.0_60/jre/lib/security/cacerts HttpsClient > output.txt
When invoked from the Java application, which uses the above jdk7 as its runtime folder:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getResponseCode(HttpsURLConnectionOldImpl.java:308)
at com.ph.linkshared.port.socket.base.client.HttpGetThread.runThread(HttpGetThread.java:144)
at com.ph.linkshared.port.socket.base.client.HttpGetThread.run(HttpGetThread.java:77)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 20 more
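- Any idea why it fails from the application with a certificate problem?
- -Djavax.net.debug=all / -Djavax.net.debug=ssl:handshake:data / -Djavax.net.debug=SSL,handshake,data,trustmanager from the Java client also show response code "200"
- Added the root and intermediate certificates to the jdk via keytool
- Is the cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA supported by both jdk7 and jdk8?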
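Solution
Any idea why it fails from the application with a certificate problem?
The application is using a truststore other than the default (either started with, or modified to use, a different truststore), or the application is getting a different certificate from the server than you expect, perhaps by connecting to a different host than you do, possibly through some kind of proxy, or by connecting with changed connection parameters that cause the (same) server to respond differently, such as disabling SNI where it is otherwise used, or restricting or reordering the cipher suites to get a different key exchange.
Try running the app (i.e. the failing case) with javax.net.debug=ssl[:trustmanager:handshake] (those detail categories are enabled by default, so they are not needed for 7 and 8 except the recent 8u261, possibly one of the paid 7 updates, and 9 and 10, but they do need to be specified for 11 up and 8u261). Look at the certificates loaded by the trustmanager to see whether they include the one you need, and look at the certificate chain received from the server to see whether it is what you expect or different from what you expect, especially if it does not match what was loaded into the trustmanager.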
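PS: printing cert.getType() is useless; JSSE only supports X.509 certificates in TLS. (Technically there are RFCs for other certificate types, but they are almost never implemented or used.) Printing cert.hashCode() gives an internal object identifier that is not useful for anything except determining whether two objects are the same object, which is never the case for certificates received from a server. Printing cert.getPublicKey().getFormat() is completely useless, because the format of all JCE public keys is X.509; see the javadoc for java.security.Key.getFormat(). Also, the algorithm of the leaf certificate is determined by the cipher suite; in principle the algorithm used for CA certificates can differ, but it rarely does, and in any case it has nothing to do with your problem.
What might help is ((X509Certificate)cert).getSubjectX500Principal() and .getIssuerX500Principal(), and the validity (.getNotBefore() and .getNotAfter()), and .getBasicConstraints() and {{ 1}}. But the debug log already has the same information, in a consistent format.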