如何在Java 6中使用TLS 1.2和Apache HttpClient?
问题描述:
我正在使用Apache HttpClient 3.5和Spring Web Services 2.1.0开发Java 6项目。如何在Java 6中使用TLS 1.2和Apache HttpClient?
我的Spring WebServicesTemplate使用apache HttpClient发送WebServices请求。但是,我正在联系的服务已经逐步淘汰了TLS 1.0,转而采用TLS 1.2。 Java 6不支持TLS 1.2。我被带到了bouncycastle,这应该给我TLS 1.2的支持。
如何集成BouncyCastle的使用Spring或我HttpClient的,这样我就可以发送支持TLS 1.2请求?我找到了一个提供扩展SSLSocketFactory的解决方案。但是,HttpClient只接受SSLConnectionSocketFactory。
升级到Java 8是不是在短期内可行,但我可以把它的长期优先,如果有人可以证实,这将解决我的问题。
答
我想出了,不需要升级到Java 8.免责声明的解决方案,我不是很了解HTTPS的安全,我敢肯定有一些问题,一个更懂行的人可能会注意到。此方法需要使用内置的HttpsURLConnection,如果您习惯使用Unirest或甚至apache HttpClient,则这是非常原始的。
首先,您需要将BouncyCastle添加到您的pom。
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.54</version>
</dependency>
然后您将创建SSLSocketFactory的扩展。警告!此套接字工厂将接受所有证书,因此使用时风险自负。
import java.io.*;
import java.net.UnknownHostException;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.cert.X509Certificate;
import org.bouncycastle.crypto.tls.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class TLSSocketConnectionFactory extends SSLSocketFactory {
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleProvider());
}
}
@Override
public Socket createSocket(Socket socket, final String host, int port,
boolean arg3) throws IOException {
if (socket == null) {
socket = new Socket();
}
if (!socket.isConnected()) {
socket.connect(new InetSocketAddress(host, port));
}
final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
return _createSSLSocket(host, tlsClientProtocol);
}
@Override public String[] getDefaultCipherSuites() { return null; }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { throw new UnsupportedOperationException(); }
@Override public Socket createSocket(InetAddress host, int port) throws IOException { throw new UnsupportedOperationException(); }
@Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return null; }
@Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { throw new UnsupportedOperationException(); }
private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
private java.security.cert.Certificate[] peertCerts;
@Override public InputStream getInputStream() throws IOException { return tlsClientProtocol.getInputStream(); }
@Override public OutputStream getOutputStream() throws IOException { return tlsClientProtocol.getOutputStream(); }
@Override public synchronized void close() throws IOException { tlsClientProtocol.close(); }
@Override public void addHandshakeCompletedListener(HandshakeCompletedListener arg0) { }
@Override public boolean getEnableSessionCreation() { return false; }
@Override public String[] getEnabledCipherSuites() { return null; }
@Override public String[] getEnabledProtocols() { return null; }
@Override public boolean getNeedClientAuth() { return false; }
@Override
public SSLSession getSession() {
return new SSLSession() {
@Override
public int getApplicationBufferSize() {
return 0;
}
@Override public String getCipherSuite() { throw new UnsupportedOperationException(); }
@Override public long getCreationTime() { throw new UnsupportedOperationException(); }
@Override public byte[] getId() { throw new UnsupportedOperationException(); }
@Override public long getLastAccessedTime() { throw new UnsupportedOperationException(); }
@Override public java.security.cert.Certificate[] getLocalCertificates() { throw new UnsupportedOperationException(); }
@Override public Principal getLocalPrincipal() { throw new UnsupportedOperationException(); }
@Override public int getPacketBufferSize() { throw new UnsupportedOperationException(); }
@Override public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException { return null; }
@Override public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException { return peertCerts; }
@Override public String getPeerHost() { throw new UnsupportedOperationException(); }
@Override public int getPeerPort() { return 0; }
@Override public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return null; }
@Override public String getProtocol() { throw new UnsupportedOperationException(); }
@Override public SSLSessionContext getSessionContext() { throw new UnsupportedOperationException(); }
@Override public Object getValue(String arg0) { throw new UnsupportedOperationException(); }
@Override public String[] getValueNames() { throw new UnsupportedOperationException(); }
@Override public void invalidate() { throw new UnsupportedOperationException(); }
@Override public boolean isValid() { throw new UnsupportedOperationException(); }
@Override public void putValue(String arg0, Object arg1) { throw new UnsupportedOperationException(); }
@Override public void removeValue(String arg0) { throw new UnsupportedOperationException(); }
};
}
@Override public String[] getSupportedProtocols() { return null; }
@Override public boolean getUseClientMode() { return false; }
@Override public boolean getWantClientAuth() { return false; }
@Override public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) { }
@Override public void setEnableSessionCreation(boolean arg0) { }
@Override public void setEnabledCipherSuites(String[] arg0) { }
@Override public void setEnabledProtocols(String[] arg0) { }
@Override public void setNeedClientAuth(boolean arg0) { }
@Override public void setUseClientMode(boolean arg0) { }
@Override public void setWantClientAuth(boolean arg0) { }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override
public void startHandshake() throws IOException {
tlsClientProtocol.connect(new DefaultTlsClient() {
@SuppressWarnings("unchecked")
@Override
public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
if (clientExtensions == null) {
clientExtensions = new Hashtable<Integer, byte[]>();
}
//Add host_name
byte[] host_name = host.getBytes();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final DataOutputStream dos = new DataOutputStream(baos);
dos.writeShort(host_name.length + 3);
dos.writeByte(0);
dos.writeShort(host_name.length);
dos.write(host_name);
dos.close();
clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
return clientExtensions;
}
@Override
public TlsAuthentication getAuthentication() throws IOException {
return new TlsAuthentication() {
@Override
public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
try {
KeyStore ks = _loadKeyStore();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
boolean trustedCertificate = false;
for (org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
java.security.cert.Certificate cert = cf.generateCertificate(new ByteArrayInputStream(c.getEncoded()));
certs.add(cert);
String alias = ks.getCertificateAlias(cert);
if(alias != null) {
if (cert instanceof java.security.cert.X509Certificate) {
try {
((java.security.cert.X509Certificate) cert).checkValidity();
trustedCertificate = true;
} catch(CertificateExpiredException cee) {
// Accept all the certs!
}
}
} else {
// Accept all the certs!
}
}
if (!trustedCertificate) {
// Accept all the certs!
}
peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
} catch (Exception ex) {
ex.printStackTrace();
throw new IOException(ex);
}
}
@Override
public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
return null;
}
private KeyStore _loadKeyStore() throws Exception {
FileInputStream trustStoreFis = null;
try {
KeyStore localKeyStore = null;
String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType")!=null?System.getProperty("javax.net.ssl.trustStoreType"):KeyStore.getDefaultType();
String trustStoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider")!=null?System.getProperty("javax.net.ssl.trustStoreProvider"):"";
if (trustStoreType.length() != 0) {
if (trustStoreProvider.length() == 0) {
localKeyStore = KeyStore.getInstance(trustStoreType);
} else {
localKeyStore = KeyStore.getInstance(trustStoreType, trustStoreProvider);
}
char[] keyStorePass = null;
String str5 = System.getProperty("javax.net.ssl.trustStorePassword")!=null?System.getProperty("javax.net.ssl.trustStorePassword"):"";
if (str5.length() != 0) {
keyStorePass = str5.toCharArray();
}
localKeyStore.load(trustStoreFis, keyStorePass);
if (keyStorePass != null) {
for (int i = 0; i < keyStorePass.length; i++) {
keyStorePass[i] = 0;
}
}
}
return localKeyStore;
} finally {
if (trustStoreFis != null) {
trustStoreFis.close();
}
}
}
};
}
});
} // startHandshake
};
}
}
接下来,您需要使用您的新套接字工厂。如果您使用Spring处理Web服务调用,则可以扩展现有的HttpUrlConnectionMessageSender以便为您发送呼叫。只要确保在你的spring配置文件中更新你的消息sender bean就可以使用这个类。
import java.io.IOException;
import java.net.*;
import javax.net.ssl.HttpsURLConnection;
import org.springframework.ws.transport.WebServiceConnection;
import org.springframework.ws.transport.http.*;
public class HttpsUrlConnectionMessageSender extends HttpUrlConnectionMessageSender {
@Override
public WebServiceConnection createConnection(URI uri) throws IOException {
URL url = uri.toURL();
URLConnection connection = url.openConnection();
if (!(connection instanceof HttpsURLConnection)) {
throw new HttpTransportException("URI [" + uri + "] is not an HTTPS URL");
} else {
HttpsURLConnection httpsURLConnection = (HttpsURLConnection) connection;
httpsURLConnection.setSSLSocketFactory(new TLSSocketConnectionFactory());
prepareConnection(httpsURLConnection);
return new HttpsUrlConnection(httpsURLConnection);
}
}
private static class HttpsUrlConnection extends HttpUrlConnection {
private HttpsUrlConnection(HttpsURLConnection connection) {
super(connection);
}
}
}
另外,如果你不使用Spring,或者使用REST,您可以手动创建一个HttpsURLConnection的是在类以上完成,并且使用的OutputStream发送邮件。
请注意,如果您与之通信的服务使用了Cookie,则需要设置系统范围的Cookie管理器。但是,Java 6的Cookie管理器却充满了bug。您可能需要复制Java 8 CookieManager中的源代码才能使Cookie正常工作。
if (CookieHandler.getDefault() == null) {
CookieHandler.setDefault(new CookieManager());
}
答
Bouncy Castle将面临的主要问题是其TLS实现不实现JSSE API。实际上,这意味着您不会得到SSLSocket,SSLSocketFactory(或HttpsURLConnection,但在使用Apache HTTP客户端时无关紧要)的任何支持。
此外,TLS并不是Bouncy Castle的最佳文档记录功能,这会使您的工作更加困难。在this other question的答案中有一些例子。
你可能以某种方式能够为您编写自定义Socket实现换到充气城堡的TLS API的调用所需。然后,您可以从您的自定义org.apache.http.conn.ssl.SSLConnectionSocketFactory实现中返回这样的套接字(如果您的子类对于其方法返回Socket的方法完全不同,则可以在构造函数中使用虚拟值)。
这可能是可行的,但它可能需要大量的努力。升级到Java 8(支持TLS 1.2与传统的JSSE类)通常会更容易(取决于您的约束)。
+0
升级jdk 8可能会更容易(更不用说太急需了)。我知道我的项目会有一些兼容性问题,但我会开始调查。感谢您的反馈。 – zalpha314
您确定您的意思是Apache HttpClient 3.5吗? – Bruno
@布鲁诺,对不起,我的项目有commons-httpclient和httpcomponents ApacheClient。我把他们弄混了。 Spring使用的HttpClient是httpcomponents ApacheClient 4.3.5。 – zalpha314
标记为接受的答案并不真正回答这个问题,它通过“仅”升级到Java 8来避免此问题。我们中的一些人不能“仅”这样做。您是否有机会在不升级到Java 8的情况下解决此问题? – ThatAintWorking