2017-10-01 110 views
0

I am using SSL security in my Spring Boot application. When calling the address, using RestTemplate with SSL:

    final UriComponents uriComponents
            = uriComponentsBuilder.path("/api/v1.0/register/token/{token}").buildAndExpand(token);

    ResponseEntity<Boolean> response;

    try {
        response = restTemplate
                .exchange(uriComponents.toUri(),
                          HttpMethod.PUT,
                          entity,
                          Boolean.class);

it throws this at me (https://pastebin.com/A4Vb69hT), specifically:

I/O error on PUT request for "https://localhost:8443/api/v1.0/register/token/PBe3AzJ245W0sNyeg": java.security.cert.CertificateException: No name matching localhost found; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found 

I found this on the Internet, on the website http://java.globinch.com/enterprise-java/security/fix-java-security-certificate-exception-no-matching-localhost-found/

    static {
        // for localhost testing only
        javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
                (hostname, sslSession) -> hostname.equals("localhost"));
    }

After adding it, I get a further error (https://pastebin.com/kJZCqJ6K), specifically:

I/O error on PUT request for "https://localhost:8443/api/v1.0/register/token/EMNy7W9jJgsMWEn0z6hFOIHoB96zzSaeHWUs": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What should I do now?

I have two SSL files: https://github.com/JonkiPro/REST-Web-Services/tree/master/src/main/resources/keystore

+0

When you want to use `HttpURLConnection`, you must first define the SSLContext. See [this question](https://stackoverflow.com/questions/30121510/java-httpsurlconnection-and-tls-1-2) for how to do that.

Answer

1

This answer is something of a hack for running locally; in a real environment you would still use certificates.

Just call SSLContextHelper.disable() before restTemplate.exchange

    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate; // the type X509TrustManager expects

    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    import org.apache.log4j.Logger;

    public class SSLContextHelper {

        private static final String KEY_STORE_TYPE = "JKS";
        private static final String CLASS_NAME = SSLContextHelper.class.getName();
        private static final String TRANSPORT_SECURITY_PROTOCOL = "TLS";
        private static final Logger logger = Logger.getLogger(SSLContextHelper.class);

        // Installs a default SSLContext built from a key store and a trust store.
        // The null locations and passwords are placeholders: set them to the real
        // files, otherwise both stores are loaded empty.
        public static void enable() {
            String keystoreType = "JKS";
            InputStream keystoreLocation = null;
            char[] keystorePassword = null;
            char[] keyPassword = null;

            try {
                KeyStore keystore = KeyStore.getInstance(keystoreType);
                keystore.load(keystoreLocation, keystorePassword);
                KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmfactory.init(keystore, keyPassword);
                InputStream truststoreLocation = null;
                char[] truststorePassword = null;
                String truststoreType = KEY_STORE_TYPE;

                KeyStore truststore = KeyStore.getInstance(truststoreType);
                truststore.load(truststoreLocation, truststorePassword);
                TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                // The factory must be initialised before getTrustManagers() is called.
                tmfactory.init(truststore);

                KeyManager[] keymanagers = kmfactory.getKeyManagers();
                TrustManager[] trustmanagers = tmfactory.getTrustManagers();

                SSLContext sslContext = SSLContext.getInstance(TRANSPORT_SECURITY_PROTOCOL);
                sslContext.init(keymanagers, trustmanagers, new SecureRandom());
                SSLContext.setDefault(sslContext);
            } catch (Exception e) {
                logger.error(CLASS_NAME + "Exception in SSL " + e.getMessage());
                e.printStackTrace();
            }
        }

        // Local testing only: makes every HttpsURLConnection in this JVM accept
        // any certificate chain and any host name.
        public static void disable() {
            try {
                SSLContext sslc = SSLContext.getInstance("TLS");
                TrustManager[] trustManagerArray = { (TrustManager) new NullX509TrustManager() };
                sslc.init(null, trustManagerArray, null);
                HttpsURLConnection.setDefaultSSLSocketFactory(sslc.getSocketFactory());
                HttpsURLConnection.setDefaultHostnameVerifier(new NullHostnameVerifier());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        // Trust manager that performs no validation: every chain is accepted.
        private static class NullX509TrustManager implements X509TrustManager {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                System.out.println();
            }

            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                System.out.println();
            }

            // Required by the X509TrustManager interface.
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        }

        // Host name verifier that accepts every host name.
        private static class NullHostnameVerifier implements HostnameVerifier {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        }
    }