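How to accept an expired SSL certificate with the Apache client?
Problem description:
I am trying to get DefaultHttpClient() to work with an expired SSL certificate. How do I accept an expired SSL certificate with the Apache client?
Android API 2.2
It won't compile because of this line:
SSLSocketFactory sf = new SSLSocketFactory(sslContext);
Error: The constructor SSLSocketFactory(SSLContext) is undefined
What am I doing wrong?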
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
{...}
SSLContext sslContext = SSLContext.getInstance("SSL");
// set up a TrustManager that trusts everything
sslContext.init(null, new TrustManager[] { new X509TrustManager() {
    public X509Certificate[] getAcceptedIssuers() {
        System.out.println("getAcceptedIssuers =============");
        return null;
    }
    public void checkClientTrusted(X509Certificate[] certs,
            String authType) {
        System.out.println("checkClientTrusted =============");
    }
    public void checkServerTrusted(X509Certificate[] certs,
            String authType) {
        System.out.println("checkServerTrusted =============");
    }
} }, new SecureRandom());
// this is the line that does not compile on Android
SSLSocketFactory sf = new SSLSocketFactory(sslContext);
Scheme httpsScheme = new Scheme("https", sf, 443);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(httpsScheme);
HttpParams params = new BasicHttpParams();
ClientConnectionManager cm = new SingleClientConnManager(params, schemeRegistry);
//DefaultHttpClient httpclient = new DefaultHttpClient();
DefaultHttpClient httpclient = new DefaultHttpClient(cm, params);
Answer
Looking at the documentation for SSLSocketFactory, there doesn't seem to be a constructor:
SSLSocketFactory(javax.net.ssl.SSLContext)
The available constructors are:
SSLSocketFactory(String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver)
SSLSocketFactory(KeyStore keystore, String keystorePassword, KeyStore truststore)
SSLSocketFactory(KeyStore keystore, String keystorePassword)
SSLSocketFactory(KeyStore truststore)
Am I missing something here?
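Answer
You're not doing anything wrong (except perhaps for looking at some standard Java code).
It seems that Android's implementation of the Apache SSLSocketFactory class does not implement all the constructors of the original Apache SSLSocketFactory class. You will have to make do.
Independently of how you pass this 'SSLContext' to the HTTP client, what you're doing wrong is that the trust manager you're using doesn't check the server certificate. This pass-through trust manager will let *any* certificate through (including one from a potential MITM), not just the expired certificate you trust. – Bruno 2012-01-12 13:32:22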
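The distinction raised in the comment above, as an added example that is not part of the original thread: a trust manager that accepts exactly one known certificate, expired or not, and rejects every other one. The class name `PinnedCertTrustManager` and the helper `contextFor` are hypothetical; loading the pinned certificate and handing the resulting `SSLContext` to Android's HttpClient are assumed to happen elsewhere.

```java
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Trusts exactly one known server certificate, whether or not it has expired. */
public final class PinnedCertTrustManager implements X509TrustManager {
    private final byte[] pinnedSha256; // SHA-256 of the DER-encoded pinned certificate

    public PinnedCertTrustManager(X509Certificate pinned) throws Exception {
        this.pinnedSha256 = sha256(pinned.getEncoded());
    }

    private static byte[] sha256(byte[] der) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(der);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        byte[] presented;
        try {
            presented = sha256(chain[0].getEncoded()); // leaf certificate only
        } catch (Exception e) {
            throw new CertificateException("cannot hash server certificate", e);
        }
        // Deliberately no checkValidity(): expiry is tolerated for this one certificate only.
        if (!MessageDigest.isEqual(pinnedSha256, presented)) {
            throw new CertificateException("server certificate is not the pinned one");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client authentication is not supported");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // an empty array, never null
    }

    /** Builds an SSLContext whose only trust decision is the pin check above. */
    public static SSLContext contextFor(X509Certificate pinned) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedCertTrustManager(pinned) }, null);
        return ctx;
    }
}
```

Because the check compares the whole leaf certificate, a certificate presented by an interposed party fails the handshake, which is the case the trust-everything manager lets through.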