我有一个通过SSL连接到SAP系统的应用程序 . 该应用程序使用JAX-WS(用于Web服务调用)和Apache HttPComponent 4.5.3用于所有其他SSL调用 . 除非我使用Java 1.8 131或144运行应用程序,否则一切正常 . 我遇到以下异常:
javax.net.ssl.SSLHandshakeException:java.security.cert.CertificateException:证书不符合sun.security.ssl.Alrts.getSSLException(未知来源)sun.security.ssl.SSLSocketImpl.fatal(未知)的算法约束来自sun.security.ssl.Handshaker.fatalSE(未知来源)的sun.security.ssl.Handshaker.fatalSE(未知来源)sun.security.ssl.ClientHandshaker.serverCertificate(未知来源)sun.security.ssl Sun.security.ssl.Handshaker.process_oord(未知来源)sun.security.ssl.Handshaker.process_record(未知来源)sun.security.ssl.SSLSocketImpl.readRecord(未知来源)的.ClientHandshaker.processMessage(未知来源) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(未知来源)at sun.security.ssl.SSLSocketImpl.startHandshake(未知来源)sun.security.ssl.SSLSocketImpl.startHandshake(未知来源)引起:java.security.cert .CertificateException:证书不符合secur的算法约束ity.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(未知在security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(未知在sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(未知)
我已阅读java.security.cert.CertificateException: Certificates does not conform to algorithm constraints但它不适用于我的情况,因为......
-
连接到SAP服务器1时,一切正常
-
之后连接到SAP Server 2(也通过SSL)时出现"certificate does not conform"错误
-
当我颠倒序列并首先连接到SAP Server 2时,一切正常
-
但是当我连接到SAP服务器1(之前有效)时,我得到了同样的错误
-
这个问题只发生在Java 1.8 131和144上 . 它适用于1.7和Java 1.8.121
这一切向我表明,根本原因不是证书和密码的问题,但在Java 1.8.144中混合使用JAX-WS和Apache HTTPS调用时会出现问题
这是用于禁用JAX-WS的SSL检查的代码(基于https://log.rowanto.com/java-8-turning-off-ssl-certificate-check/):
public static final void disableCertificateValidationForWebServices() {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] {
new X509ExtendedTrustManager() {
@Override
public void checkClientTrusted(X509Certificate[]
x509Certificates,String s){}
@Override
public void checkServerTrusted(X509Certificate[]
x509Certificates,String s){}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkClientTrusted(X509Certificate[]
x509Certificates, String s, Socket socket) {
}
@Override
public void checkServerTrusted(X509Certificate[]
x509Certificates, String s, Socket socket) {
}
@Override
public void checkClientTrusted(X509Certificate[]
x509Certificates, String s, SSLEngine sslEngine) {
}
@Override
public void checkServerTrusted(X509Certificate[]
x509Certificates, String s, SSLEngine sslEngine) {
}
} };
// Install the all-trusting trust manager
try {
final SSLContext sc = SSLContext.getInstance("SSL"); // or TLS?
sc.init(null, trustAllCerts, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
.setDefaultHostnameVerifier(NoopHostnameVerifier.INSTANCE); } catch (Exception e) {
}
}
这是用于禁用Apache HTTPS调用的SSL检查的代码(基于http://stackoverflow.com/questions/22606579/apache-httpclient-4-3-and-x509-client-certificate-to-authenticate):
public static SSLConnectionSocketFactory getInstance() {
if (instance == null) {
Log.info("Disabling SSL Certificate Checks");
final SSLContextBuilder builder = SSLContexts.custom();
// here in the loadTrustMaterial the SSL Provider is loaded.
try {
builder.loadTrustMaterial(null, new TrustStrategy() {
@Override
public boolean isTrusted(X509Certificate[] arg0, String
arg1) {
return true;
}
});
final SSLContext sslContext = builder.build();
instance = new SSLConnectionSocketFactory(sslContext,
NoopHostnameVerifier.INSTANCE);
} catch (NoSuchAlgorithmException e) {
Log.error("disableCertificateValidation() failed with
NoSuchAlgorithmException. Detail message:", e);
listTrustManagers(null);
} catch (KeyStoreException e) {
Log.error("disableCertificateValidation() failed with
KeyStoreException. Detail message: ", e);
listTrustManagers(null);
} catch (KeyManagementException e) {
Log.error("disableCertificateValidation() failed with
KeyManagementException. Detail message: ", e);
}
}
return instance;
}
是的,我们正在使用PoolingConnectionManager:
public final class MyPoolingHttpClientConnectionManager {
private static PoolingHttpClientConnectionManager instance = null;
private final static Object LOCK = new Object();
protected MyPoolingHttpClientConnectionManager() {
// Exists only to defeat instantiation.
}
public static PoolingHttpClientConnectionManager getInstance() {
synchronized (LOCK) {
if (instance == null) {
instance = new
PoolingHttpClientConnectionManager(disableCertificateValidation());
// Increase max total connection to 50
instance.setMaxTotal(50);
// Increase default max connection per route to 20
instance.setDefaultMaxPerRoute(20);
}
}
return instance;
}
/*
* This is called when we create the HTTPConnectionPool
*
*
*/
private final static Registry<ConnectionSocketFactory>
disableCertificateValidation() {
return RegistryBuilder.<ConnectionSocketFactory>
create().register("https", MySSLContext.getInstance())
.register("http", new
PlainConnectionSocketFactory()).build();
}
}
任何想法都非常欢迎
1 回答
安装Java 1.8 161解决了这个问题 . 似乎是131版本中的Java错误,最多151个 .