使用 SSLSocketFactory 绕过证书验证答案

【问题标题】：Bypass certificate validation with SSLSocketFactory使用 SSLSocketFactory 绕过证书验证
【发布时间】：2016-07-18 21:00:28
【问题描述】：

我正在构建一个客户端应用程序，它将通过肥皂消息连接到第三方服务器。我正在使用在 JBoss 4.2.3 上运行的 jax-ws 2.1.9 和 jdk 1.6_18。

问题本身是配置为仅用于测试目的的服务器正在返回一个过期的证书，因此，我的应用程序抛出了下面的异常。

13:43:26,738 ERROR [STDERR] Caused by: javax.xml.ws.WebServiceException: java.io.IOException: Could not transmit message
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.handleRemoteException(ClientImpl.java:404)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:314)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:172)
13:43:26,739 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:152)
13:43:26,739 ERROR [STDERR]     at $Proxy724.solicitarBaixaOperation(Unknown Source)
13:43:26,740 ERROR [STDERR]     at com.totvs.foundation.exchange.connector.ptu.implementation.v70_batch.InvoiceWriteOffConnector.process(InvoiceWriteOffConnector.java:91)
13:43:26,740 ERROR [STDERR]     ... 98 more
13:43:26,740 ERROR [STDERR] Caused by: java.io.IOException: Could not transmit message
13:43:26,740 ERROR [STDERR]     at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:255)
13:43:26,740 ERROR [STDERR]     at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:73)
13:43:26,741 ERROR [STDERR]     at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:339)
13:43:26,741 ERROR [STDERR]     at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:302)
13:43:26,741 ERROR [STDERR]     ... 102 more
13:43:26,741 ERROR [STDERR] Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker. java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014.
13:43:26,741 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:348)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:137)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:122)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.Client.invoke(Client.java:1634)
13:43:26,742 ERROR [STDERR]     at org.jboss.remoting.Client.invoke(Client.java:548)
13:43:26,742 ERROR [STDERR]     at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:233)
13:43:26,743 ERROR [STDERR]     ... 105 more
13:43:26,743 ERROR [STDERR] Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014
13:43:26,743 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
13:43:26,743 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
13:43:26,744 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
13:43:26,745 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
13:43:26,746 ERROR [STDERR]     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
13:43:26,746 ERROR [STDERR]     at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:277)
13:43:26,747 ERROR [STDERR]     ... 110 more
13:43:26,747 ERROR [STDERR] Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Sep 11 09:35:00 GMT-03:00 2014
13:43:26,747 ERROR [STDERR]     at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
13:43:26,747 ERROR [STDERR]     at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570)
13:43:26,747 ERROR [STDERR]     at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:134)
13:43:26,748 ERROR [STDERR]     at sun.security.validator.Validator.validate(Validator.java:218)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
13:43:26,748 ERROR [STDERR]     at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
13:43:26,749 ERROR [STDERR]     ... 122 more

因此，出于测试目的，我试图绕过这些验证。我发现一些博客和帖子都将我带到了下面的代码 sn-p。

/**
Inner class for set a blind TrustManager
**/
public class BlindTrustManager implements X509TrustManager {
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
    }
}

/*Get the port instance of the web service interface created by JAX-WS*/
SolicitarBaixaPortType port = InvoiceWriteOffWebService.getInstance(serviceName, wsdlLocation);

/*set the socket factory*/
SSLContext ctx = SSLContext.getInstance("TLSv1");
            ctx.init(null, new TrustManager[] { new BlindTrustManager() }, null);
            SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();
            ((BindingProvider) port).getRequestContext().put(BindingProviderProperties.SSL_SOCKET_FACTORY, sslSocketFactory);
((BindingProvider) port).getRequestContext().put(com.sun.xml.internal.ws.client.BindingProviderProperties.SSL_SOCKET_FACTORY, sslSocketFactory);

/*message is the Object Jax generated*/
response = port.solicitarBaixaOperation(message);

虽然我设置了 SSLSocketFactory，但 CertificateExpiredException 仍然在抛出。所以它提出了以下问题：

我做得对吗？
如何确保连接看到我的 BlindTrustManager 类？因为我在日志上看不到任何提及。
如何确定需要传递给我的 BindingProvider 请求上下文的正确字符串，以便它可以找到我的 SSLSocketFactory？
在 JBoss 中我还必须做一些其他配置吗？

谢谢

【问题讨论】：

“出于测试目的”总是让我对上帝产生敬畏之心。真正的问题是为什么证书过期了？编写“用于测试目的”代码来规避这种情况只是将“用于测试目的”代码泄漏到生产环境中的一种方式，它将在生产环境中保留多年，未经检查且不安全。解决问题。不要只治疗症状。
我同意你的观点，这并不能解决问题，但是证书已过期，因为 Web 服务的所有者没有在他的测试环境中修复它。正如我之前所说，这是我无法干预的第三方服务。有没有办法在没有业主干预的情况下妥善解决这个问题？

标签： java ssl ssl-certificate jax-ws

【解决方案1】：

这是一个猜测，因为我不熟悉框架，但如果 jboss 使用 url.openConnection() 那么我认为你需要设置 JVM 范围的默认值

javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);

n.b.这可能会产生更广泛的影响，如果可行的话，也许您可以专门将此证书列入白名单。

【讨论】：