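First of all, doing this in production is not recommended. In a development environment, SSL certificate verification can be skipped to make debugging easier.
When SSL certificate verification fails, an exception like the following is typically thrown: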
```
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```
Custom TrustManager
Create a TrustManager that does not actually validate certificates and simply lets everything through.
```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/*
 * Do not use this in a production environment.
 * Both check methods are empty, so every certificate chain is accepted.
 */
private static final TrustManager[] trustAllCerts = new TrustManager[] {
    new X509TrustManager() {
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
        }

        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
        }

        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[]{};
        }
    }
};

private static final SSLContext trustAllSslContext;
static {
    try {
        trustAllSslContext = SSLContext.getInstance("SSL");
        trustAllSslContext.init(null, trustAllCerts, new java.security.SecureRandom());
    } catch (NoSuchAlgorithmException | KeyManagementException e) {
        throw new RuntimeException(e);
    }
}

private static final SSLSocketFactory trustAllSslSocketFactory = trustAllSslContext.getSocketFactory();
```
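OkHttpClient that trusts all SSL certificates
OkHttpClient makes it easy to create a new Builder from an existing client. The custom configuration then overrides the default way SSL is handled.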
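```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.OkHttpClient.Builder;

// `log` is the enclosing class's logger.
public static OkHttpClient trustAllSslClient(OkHttpClient client) {
    log.warn("Using the trustAllSslClient is highly discouraged and should not be used in Production!");
    Builder builder = client.newBuilder();
    builder.sslSocketFactory(trustAllSslSocketFactory, (X509TrustManager) trustAllCerts[0]);
    // Accept any hostname, so the certificate's name is never matched against the host.
    builder.hostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    });
    return builder.build();
}
```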
Create a client that ignores all SSL certificates as shown below.
```java
OkHttpClient client = HttpClient.trustAllSslClient(preconfiguredClient);
```