Related problem solutions (0)

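Tomcat 7 getting "SSLv2Hello is disabled" error when trying to do client-server SSL authentication

I am trying to set up a self-signed TLS configuration for a client and a server, where the server is Tomcat 7 and the client is Apache HttpClient 4.1. The server configuration is taken from here and the client code is taken from here.

My Tomcat configuration looks like this: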

    <Connector clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="keys/server.jks" keystoreType="JKS" keystorePass="password"
               truststoreFile="keys/server.jks" truststoreType="JKS" truststorePass="password"
               SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2"
               sslProtocol="TLS" />

My client code looks like this:

    final HttpParams httpParams = new BasicHttpParams();

    // load the keystore containing the client certificate - keystore type is probably jks or pkcs12
    final KeyStore keystore = KeyStore.getInstance("pkcs12");
    FileInputStream keystoreInput = new FileInputStream("d:/dev/java/conf/keys/client.p12");
    // TODO get the keystore as an InputStream from somewhere
    keystore.load(keystoreInput, "password".toCharArray());

    // load …

java ssl tomcat apache-httpclient-4.x

7 votes · 1 answer · 20k views

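Apache HttpClient 4.3 and x509 client certificate to authenticate

I am now looking for a solution for how to rewrite a deprecated approach to client-side x509 certificate authentication via HttpComponentsMessageSender (not relevant).

For example, the deprecated solution is: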

    SSLSocketFactory lSchemeSocketFactory = new SSLSocketFactory(this.keyStore, this.keyStorePassword);
    Scheme sch = new Scheme("https", 443, lSchemeSocketFactory);

    DefaultHttpClient httpClient = (DefaultHttpClient)getHttpClient();
    httpClient.getConnectionManager().getSchemeRegistry().register(sch);

As the new solution with CloseableHttpClient I am using:

    SSLContextBuilder sslContextBuilder = SSLContexts.custom()
            // this key store must contain the key/cert of the client
            .loadKeyMaterial(keyStore, keyStorePassword.toCharArray());

    if (trustStore != null) {
        // this key store must contain the certs needed and trusted to verify the servers cert
        sslContextBuilder.loadTrustMaterial(trustStore);
    }

    SSLContext sslContext = sslContextBuilder.build();

    LayeredConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext);

    // Create a registry of custom connection socket factories for …

java ssl spring-ws httpclient x509certificate

5 votes · 2 answers · 10k views