Java 11 introduced the?HTTP Client, an API that made it easier to send HTTP requests with vanilla Java.

By default, it throws an exception if there are certificate path or hostname verification errors in the request.

Let’s see how to bypass certificate validations for cases where this is really necessary.

Disabling all certificate verifications for a specific client

To ignore both certificate path and hostname verifications, create an?X509ExtendedTrustManager?extension that doesn't do any verification and use it to init an?SSLContext?for an?HttpClient:

var trustManager = new X509ExtendedTrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[]{};
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) {
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
    }
};
var sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{trustManager}, new SecureRandom());

var client = HttpClient.newBuilder()
        .sslContext(sslContext)
        .build();

With this solution, only that client with that custom?SSLContext?specified will allow insecure requests. So in many cases this is the best option.

You can use the example URLs?https://expired.badssl.com/?and?https://wrong.host.badssl.com/?to test:

var expiredRequest = HttpRequest.newBuilder()
        .uri(URI.create("https://expired.badssl.com/"))
        .build();

var wrongHostRequest = HttpRequest.newBuilder()
        .uri(URI.create("https://wrong.host.badssl.com/"))
        .build();

client.send(expiredRequest, BodyHandlers.discarding());
client.send(wrongHostRequest, BodyHandlers.discarding());

Errors you would get

Without disabling verification, this error would occur for an expired?SSL/TLS certificate:

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

...

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sun Apr 12 20:59:59 BRT 2015

And for a wrong hostname:

javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching wrong.host.badssl.com found.

...

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching wrong.host.badssl.com found.

Disabling hostname verification by system property

You can set the?jdk.internal.httpclient.disableHostnameVerification?system property to?"true"?to disable only hostname verification, as shown in the?Javadoc.

This solution isn’t applied to certificate path verification, so an expired certificate would still cause an exception. And it has the disadvantage of disabling hostname verification for requests from all clients.

Disabling only certificate path verification

If you create an?X509TrustManager?implementation (instead of an?X509ExtendedTrustManager?extension) that doesn't do verifications and use it on a client, it will ignore only the certificate path verification:

var sslContext = SSLContext.getInstance("TLS");
var trustManager = new X509TrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[]{};
    }

    @Override
    public void checkClientTrusted(X509Certificate[] certs, String authType) {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] certs, String authType) {
    }
};
sslContext.init(null, new TrustManager[]{trustManager}, new SecureRandom());

var client = HttpClient.newBuilder()
        .sslContext(sslContext)
        .build();
var request = HttpRequest.newBuilder()
        .uri(URI.create("https://expired.badssl.com/"))
        .build();
client.send(request, BodyHandlers.discarding());

So this solution isn’t applied to hostname verification.

Conclusion

To disable certificate verification, the best option in most cases is to use an?X509ExtendedTrustManager?extension that doesn't do any verification, as this will bypass both certificate path and hostname verifications and will only apply to the specified client.文章來(lái)源地址http://www.zghlxwxcb.cn/news/detail-803107.html

到了這里，關(guān)于How to disable certificate validations in the Java HTTP Client的文章就介紹完了。如果您還想了解更多內(nèi)容，請(qǐng)?jiān)谟疑辖撬阉鱐OY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！