amb*_*amb 2 java ssl ldap ssl-certificate
Java 8u181 引入了一项更改,在使用 Java JNDI LDAP API 连接到 LDAPS (TLS) 服务器时启用证书主机名验证。
请参阅: https: //www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html#JDK-8200666
如何禁用此主机名验证,或者更好地指定自定义 javax.net.ssl.HostnameVerifier 类。Oracle 的文档仅指定了一个 Java 环境属性来禁用验证,但没有指出任何有问题地完成此操作的方法,这对于不(或不希望)能够更改其所在 JVM 的位/开关的环境至关重要继续运行。
这个问题: 如何禁用java 1.8.181版本的端点识别 提出了类似的问题,但解决方案是通过命令行更改java环境。我问如何在没有环境切换的情况下以编程方式完成它。
还有其他关于在 Java 中禁用其他类型 SSL 连接的主机名验证的问题/答案,但这些答案不适用于 JNDI LDAP API。
小智 8
正如@Patrick-Mevzek 已经说过的:不要这样做!
但如果你真的必须这么做,你可以这样做:
您需要一个 SocketFactory,其中包含一个忽略任何内容的虚拟 TrustManager。有很多例子展示了如何创建这样的东西。不幸的是,他们中的大多数(全部?)都使用 aX509TrustManager来完成这项工作。这适用于无效的证书,但不会处理错误或丢失的主机名。为此,您需要一个“X509ExtendedTrustManager”:
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
/**
* This Socket factory will accept all certificates and all hostnames
*/
public class NonVerifyingSSLSocketFactory extends SocketFactory {
private static SocketFactory nonVerifyingSSLSochetFactory;
static {
TrustManager [] distrustManager = new TrustManager [] {new X509ExtendedTrustManager () {
@Override
public void checkClientTrusted (X509Certificate [] chain, String authType, Socket socket) {
}
@Override
public void checkServerTrusted (X509Certificate [] chain, String authType, Socket socket) {
}
@Override
public void checkClientTrusted (X509Certificate [] chain, String authType, SSLEngine engine) {
}
@Override
public void checkServerTrusted (X509Certificate [] chain, String authType, SSLEngine engine) {
}
public X509Certificate [] getAcceptedIssuers () {
return null;
}
public void checkClientTrusted (X509Certificate [] c, String a) {
}
public void checkServerTrusted (X509Certificate [] c, String a) {
}
}};
try {
SSLContext sc = SSLContext.getInstance ("SSL");
sc.init (null, distrustManager, new java.security.SecureRandom ());
nonVerifyingSSLSochetFactory = sc.getSocketFactory ();
} catch (GeneralSecurityException e) {
throw new RuntimeException (e);
}
}
/**
* This method is needed. It is called by the LDAP Context to create the connection
*
* @see SocketFactory#getDefault()
*/
@SuppressWarnings ("unused")
public static SocketFactory getDefault () {
return new NonVerifyingSSLSocketFactory ();
}
/**
* @see SocketFactory#createSocket(String, int)
*/
public Socket createSocket (String arg0, int arg1) throws IOException {
return nonVerifyingSSLSochetFactory.createSocket (arg0, arg1);
}
/**
* @see SocketFactory#createSocket(java.net.InetAddress, int)
*/
public Socket createSocket (InetAddress arg0, int arg1) throws IOException {
return nonVerifyingSSLSochetFactory.createSocket (arg0, arg1);
}
/**
* @see SocketFactory#createSocket(String, int, InetAddress, int)
*/
public Socket createSocket (String arg0, int arg1, InetAddress arg2, int arg3) throws IOException {
return nonVerifyingSSLSochetFactory.createSocket (arg0, arg1, arg2, arg3);
}
/**
* @see SocketFactory#createSocket(InetAddress, int, InetAddress, int)
*/
public Socket createSocket (InetAddress arg0, int arg1, InetAddress arg2,
int arg3) throws IOException {
return nonVerifyingSSLSochetFactory.createSocket (arg0, arg1, arg2, arg3);
}
}
在您的 InitialLdapContext 环境中使用它来激活它:
env.put ("java.naming.ldap.factory.socket", NonVerifyingSSLSocketFactory.class.getName ());
测试用:
| 归档时间: |
|
| 查看次数: |
7589 次 |
| 最近记录: |