HttpClient 4.3 - https 免SSL认证

女爷i 2022-05-20 03:27 198阅读 0赞

# HttpClient 4.3 - https 免SSL认证 #

*  HttpClient 4.3 - https 免SSL认证
    
     *  问题出现
     *  使用DefaultHttpClient
     *  HttpClient 4.3实现
     *  Spring RestTemplate实现

## 问题出现 ##

一般来说`https`开头的网站都有`ssl`认证，打开`12306`甚至都会弹出证书过期的信息，如果直接用`HttpClient`访问有`ssl`认证的网站，会报错，这时候就要为这些网站的证书默认添加信任不做鉴定。

## 使用DefaultHttpClient ##

package com.enmo.dbaas.utils;
    
    import org.apache.http.client.HttpClient;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.config.Registry;
    import org.apache.http.config.RegistryBuilder;
    import org.apache.http.conn.ClientConnectionManager;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.socket.ConnectionSocketFactory;
    import org.apache.http.conn.socket.PlainConnectionSocketFactory;
    import org.apache.http.conn.ssl.NoopHostnameVerifier;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.conn.ssl.TrustStrategy;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.impl.conn.PoolingClientConnectionManager;
    import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
    import org.apache.http.ssl.SSLContextBuilder;
    import org.apache.http.util.EntityUtils;
    
    import java.security.KeyManagementException;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    
    /** * Create by IntelliJ IDEA * * @Author chenlei * @DateTime 2018/7/11 17:00 * @Description DigestHttpClientUtil */
    public class DigestHttpClientUtil { 
    
        public static void main(String[] args) throws InterruptedException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
    
            HttpClient defaultHttpClient = defaultHttpClient();
            HttpClient digestHttpClient = sslFreeDefaultHttpClient();
    
            HttpGet httpGet = new HttpGet("https://www.12306.cn");
    
            try {
                System.out.println("=============ssl auth=====================");
                System.out.println(EntityUtils.toString(defaultHttpClient.execute(httpGet).getEntity()));
                System.out.println();
            } catch (Exception e) {
                e.printStackTrace();
            }
    
            Thread.sleep(1000);
    
            try {
                System.out.println("=============ssl free=====================");
                System.out.println(EntityUtils.toString(digestHttpClient.execute(httpGet).getEntity(),"UTF-8"));
                System.out.println();
            } catch (Exception e) {
                e.printStackTrace();
            }
    
        }
    
        public static HttpClient sslFreeDefaultHttpClient() throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
            TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
            SSLSocketFactory sf = new SSLSocketFactory(
                    acceptingTrustStrategy, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("https", 8443, sf));
            ClientConnectionManager ccm = new PoolingClientConnectionManager(registry);
    
            return new DefaultHttpClient(ccm);
        }
    
        public static HttpClient defaultHttpClient(){
            return new DefaultHttpClient();
        }
    
    }

output：

=============ssl auth=====================
    javax.net.ssl.SSLException: Certificate for <www.12306.cn> doesn't match any of the subject alternative names: [webssl.chinanetcenter.com, i.l.inmobicdn.net, *.fn-mart.com, www.1zhe.com, *.pinganfang.com, *.anhouse.com, dl.jphbpk.gxpan.cn, dl.givingtales.gxpan.cn, dl.toyblast.gxpan.cn, dl.sds.gxpan.cn, download.ctrip.com, mh.tiancity.com, app.4399.cn, i.4399.cn, m.4399.cn, a.4399.cn, cdn.hxjyios.iwan4399.com, ios.hxjy.iwan4399.com, gjzx.gjzq.com.cn, f.3000test.com, tj.img4399.com, *.zhe800.com, *.qiyipic.com, *.vxinyou.com, *.gdjh.vxinyou.com, *.3000.com, pay.game2.cn, static1.j.cn, static2.j.cn, static3.j.cn, static4.j.cn, video1.j.cn, video2.j.cn, video3.j.cn, online.j.cn, playback.live.j.cn, audio1.guang.j.cn, audio2.guang.j.cn, audio3.guang.j.cn, img1.guang.j.cn, img2.guang.j.cn, img3.guang.j.cn, img4.guang.j.cn, img5.guang.j.cn, img6.guang.j.cn, *.4399youpai.com, w.tancdn.com, *.3000api.com, static11.j.cn, *.kuyinyun.com, *.kuyin123.com, *.diyring.cc, 3000test.com, *.3000test.com, www.3387.com, bbs.4399.cn, *.cankaoxiaoxi.com, *.service.kugou.com, test.macauslot.com, testm.macauslot.com, testtran.macauslot.com, xiuxiu.huodong.meitu.com, *.meitu.com, *.meitudata.com, *.wheetalk.com, *.shanliaoapp.com, xiuxiu.web.meitu.com, api.account.meitu.com, open.web.meitu.com, id.api.meitu.com, api.makeup.meitu.com, im.live.meipai.com, *.meipai.com, m.macauslot.com, www.macauslot.com, web.macauslot.com, translation.macauslot.com, img1.homekoocdn.com, cdn.homekoocdn.com, cdn1.homekoocdn.com, cdn2.homekoocdn.com, cdn3.homekoocdn.com, cdn4.homekoocdn.com, img.homekoocdn.com, img2.homekoocdn.com, img3.homekoocdn.com, img4.homekoocdn.com, *.macauslot.com, *.samsungapps.com, auto.tancdn.com, *.winbo.top, static.bst.meitu.com, api.xiuxiu.meitu.com, api.photo.meituyun.com, h5.selfiecity.meitu.com, api.selfiecity.meitu.com, h5.beautymaster.meiyan.com, api.beautymaster.meiyan.com, www.yawenb.com, m.yawenb.com, www.biqugg.com, www.dawenxue.net, cpg.meitubase.com, www.qushuba.com, www.ranwena.com, www.u8xsw.com, *.4399sy.com, ms.awqsaged.cn, fanxing2.kugou.com, fanxing.kugou.com, sso.56.com, upload.qf.56.com, sso.qianfan.tv, cdn.danmu.56.com, www-ppd.hermes.cn, www-uat.hermes.cn, www-ts2.hermes.cn, www-tst.hermes.cn, *.syyx.com, img.wgeqr.cn, img.wgewa.cn, img.09mk.cn, img.85nh.cn, *.zhuoquapp.com, img.dtmpekda8.cn, img.etmpekda6.cn, *.5054399.com, *.aiwan4399.com, user.beevideo.bestv.com.cn, *.3839.com]
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165)
        at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
        at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
        at com.enmo.dbaas.utils.DigestHttpClientUtil.main(DigestHttpClientUtil.java:67)
    =============ssl free=====================
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>
    中国铁路客户服务中心
    </title>
    ...
    ...

## HttpClient 4.3实现 ##

package com.enmo.dbaas.utils;
    
    import org.apache.http.client.HttpClient;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.config.Registry;
    import org.apache.http.config.RegistryBuilder;
    import org.apache.http.conn.ClientConnectionManager;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.socket.ConnectionSocketFactory;
    import org.apache.http.conn.socket.PlainConnectionSocketFactory;
    import org.apache.http.conn.ssl.NoopHostnameVerifier;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.conn.ssl.TrustStrategy;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.impl.conn.PoolingClientConnectionManager;
    import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
    import org.apache.http.ssl.SSLContextBuilder;
    import org.apache.http.util.EntityUtils;
    
    import java.security.KeyManagementException;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    
    /** * Create by IntelliJ IDEA * * @Author chenlei * @DateTime 2018/7/11 17:00 * @Description DigestHttpClientUtil */
    public class DigestHttpClientUtil { 
    
        private static PoolingHttpClientConnectionManager connectionManager;
        static {
            SSLConnectionSocketFactory sslsf = null;
            SSLContextBuilder builder = null;
            try {
                builder = new SSLContextBuilder();
                //全部信任 不做身份鉴定
                builder.loadTrustMaterial(null, (TrustStrategy) (x509Certificates, s) -> true);
                sslsf = new SSLConnectionSocketFactory(builder.build(), new String[]{
       "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.2"}, null, NoopHostnameVerifier.INSTANCE);
    
                Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory> create()
                        .register("https", sslsf)
                        .register("http", new PlainConnectionSocketFactory())
                        .build();
    
                connectionManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    
        public static void main(String[] args) throws InterruptedException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
    
            HttpClient defaultHttpClient = httpClient();
            HttpClient digestHttpClient = sslFreeHttpClient();
    
            HttpGet httpGet = new HttpGet("https://www.12306.cn");
    
            try {
                System.out.println("=============ssl auth=====================");
                System.out.println(EntityUtils.toString(defaultHttpClient.execute(httpGet).getEntity()));
                System.out.println();
            } catch (Exception e) {
                e.printStackTrace();
            }
    
            Thread.sleep(1000);
    
            try {
                System.out.println("=============ssl free=====================");
                System.out.println(EntityUtils.toString(digestHttpClient.execute(httpGet).getEntity(),"UTF-8"));
                System.out.println();
            } catch (Exception e) {
                e.printStackTrace();
            }
    
        }
    
        public static HttpClient sslFreeHttpClient(){
            return HttpClients.custom().setConnectionManager(connectionManager).build();
        }
    
        public static HttpClient httpClient(){
            return HttpClients.custom().build();
        }
    
    }

output：

=============ssl auth=====================
    javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.12306.cn' does not match the certificate subject provided by the peer (CN=webssl.chinanetcenter.com, OU=IT, O=Wangsu Science & Technology Co. Ltd, L=Shang Hai Shi, C=CN)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
        at com.enmo.dbaas.utils.DigestHttpClientUtil.main(DigestHttpClientUtil.java:69)
    =============ssl free=====================
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>
    中国铁路客户服务中心
    </title>
    ...
    ...

## Spring RestTemplate实现 ##

public RestTemplate restTemplate() throws ClientProtocolException, IOException {
        CloseableHttpClient httpClient
          = HttpClients.custom()
            .setSSLHostnameVerifier(new NoopHostnameVerifier())
            .build();
        HttpComponentsClientHttpRequestFactory requestFactory 
          = new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(httpClient);
    
        return new RestTemplate(requestFactory);
    }