I am trying to access an application protected by https, and I have a p12 certificate (already imported as a .cer into the cacerts folder of my JDK).
I have already tried this tutorial without success: https://dzone.com/articles/ssl-based-feignclient-example-in-java-microcervice
I am also using part of this solution: How to use a p12 client certificate with a Spring Feign client
When debugging the SSL connection I get the following error:
javax.net.ssl|ERROR|25|http-nio-auto-1-exec-1|2021-01-26 16:56:34.789 BRT|TransportContext.java:317|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure
My current Feign configuration class:

    import feign.Client;
    import feign.Feign;
    import feign.Retryer;
    import org.apache.http.ssl.SSLContextBuilder;
    import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.util.ResourceUtils;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;

    @Configuration // class name assumed; only the methods were posted
    public class FeignConfig {

        @Bean
        @ConditionalOnMissingBean
        public Feign.Builder feignBuilder(Retryer retryer) {
            return Feign.builder().retryer(retryer);
        }

        @Bean
        public Feign.Builder feignBuilder() {
            return Feign.builder()
                    .retryer(Retryer.NEVER_RETRY)
                    // null keeps HttpsURLConnection's default hostname verifier
                    .client(new Client.Default(getSSLSocketFactory(), null));
        }

        private SSLSocketFactory getSSLSocketFactory() {
            String keyStorePassword = "myPassword";
            char[] allPassword = keyStorePassword.toCharArray();
            try {
                // Only key material (the client certificate) is loaded here;
                // server trust falls back to the JVM default (cacerts)
                SSLContext sslContext = SSLContextBuilder
                        .create()
                        .setKeyStoreType("PKCS12")
                        .loadKeyMaterial(ResourceUtils.getFile("keypath"), allPassword, allPassword)
                        .build();
                return sslContext.getSocketFactory();
            } catch (Exception e) {
                // Fail loudly instead of returning a factory from a null context
                throw new IllegalStateException("Could not build SSL context", e);
            }
        }
    }
In the debug part of the code I can see that my certificate is there, but my Java still gets a handshake error. I am new to SSL concepts and may have misconfigured something.
One last point: when I set the trust store and its password in the Feign configuration class via system properties

    System.setProperty("javax.net.ssl.trustStorePassword", "pass");
    System.setProperty("javax.net.ssl.trustStore", "pathtocerth.p12");

the error changes to this:
javax.net.ssl|ERROR|25|http-nio-auto-1-exec-1|2021-01-26 16:48:58.551 BRT|TransportContext.java:317|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Since I found the problem, I am answering my own question. If anyone faces the same problem, the solution is very simple.
In the application properties you need to add these properties:

    feign.httpclient.disableSslValidation=true
    feign.httpclient.enabled=false
    feign.okhttp.enabled=true

from

    <dependency>
        <groupId>io.github.openfeign</groupId>
        <artifactId>feign-httpclient</artifactId>
        <version>9.4.0</version>
    </dependency>

Set up the Feign configuration class:

    import javax.annotation.PostConstruct;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class CustomFeignConfiguration {

        // Runs once at startup and points the JVM's default SSL context at the
        // p12 key store; the path and password are placeholders
        @PostConstruct
        public void config() {
            System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
            System.setProperty("javax.net.ssl.keyStore", "path to p12");
            System.setProperty("javax.net.ssl.keyStorePassword", "key password");
        }
    }

and use the Feign configuration in the Feign request:

    @FeignClient(name = "foo", url = "https://foo/foo",
            configuration = CustomFeignConfiguration.class)
    public interface IFeingRequest {
        // request methods here
    }

With this solution I do not need to convert the certificate and store it in the Java trust store.
You can add the key (and optionally an additional trust store) directly through the application properties in Spring:

    server:
      ssl:
        #trust-store: path_to_your_truststore
        #trust-store-password: changeit
        #trust-store-type: JKS
        #trust-store-provider: SUN
        key-store: path_to_your_keystore
        key-store-password: changeit
        key-alias: 1
        key-store-type: PKCS12
        key-store-provider: SUN
        key-password: changeit
        protocol: TLS

To identify the key alias, key store type and key store provider you can use the following command:

    keytool -list -keystore path_to_keystore

But if you only want to turn off hostname verification, then you do not need the above. You can configure it for the Feign httpclient by adding the following property:

    feign.httpclient.disableSslValidation=true

and this Maven dependency:

    <dependency>
        <groupId>io.github.openfeign</groupId>
        <artifactId>feign-httpclient</artifactId>
    </dependency>

No okhttp needed.
In case someone faces the same problem in 2023: I configured the Client as a Bean in the Feign configuration and set the SSL socket factory details there.
Gradle imports:

    implementation 'org.springframework.cloud:spring-cloud-starter-openfeign:3.1.6'
    implementation 'io.github.openfeign:feign-httpclient:12.3'

Client bean in the Feign configuration:

    // log is an SLF4J logger (for example Lombok @Slf4j on the configuration class)
    @Bean
    public Client feignClient() throws Exception {
        log.info("Configuring SSL Context for Feign Client");
        // Apache HttpClient's default verifier keeps hostname checking enabled
        return new Client.Default(createSSLContext(), SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    }

And create the SSL socket factory for the resource files as shown below:

    // Passwords are placeholders; read them from configuration in practice
    private final String keyStorePassword = "changeit";
    private final String trustStorePassword = "changeit";

    private SSLSocketFactory createSSLContext() throws Exception {
        String trustStorePath = "classpath:cacerts";
        String keyStorePath = "classpath:client-key.pfx";
        log.info("Trust Store for Feign Client: " + trustStorePath);
        log.info("Key Store for Feign Client: " + keyStorePath);
        // PKCS12 for PFX files. Change this to "JKS" if you are using a Java keystore
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(ResourceUtils.getFile(keyStorePath))) {
            keyStore.load(in, keyStorePassword.toCharArray());
        }
        SSLContext context = SSLContextBuilder.create()
                // Trust material: which server certificates are accepted
                .loadTrustMaterial(ResourceUtils.getFile(trustStorePath), trustStorePassword.toCharArray())
                // Key material: the client certificate presented to the server
                .loadKeyMaterial(keyStore, keyStorePassword.toCharArray())
                .build();
        return context.getSocketFactory();
    }
This problem is related to the fact that this particular certificate is not included in the trusted certificate store. For development purposes we can create an accepting TrustStrategy like this:

    // Accepts every server certificate regardless of issuer or subject
    TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;

and then use it directly in the SSLContextBuilder like this:

    .loadTrustMaterial(null, acceptingTrustStrategy)
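As an added example that is not part of the question or any of the answers: a Feign client configuration that presents the p12 client certificate and validates the server against an explicit trust store using only JDK APIs, so neither feign.httpclient.disableSslValidation nor an accept-all TrustStrategy is needed. The class name, file paths and passwords are assumptions.

```java
import feign.Client;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Added example, not code from the question or the answers above.
@Configuration
public class MutualTlsFeignConfiguration {

    // Placeholder paths and passwords (assumed); load them from configuration
    // or a secret store in a real deployment, never from source.
    private static final String KEY_STORE = "/path/to/client.p12";
    private static final String TRUST_STORE = "/path/to/truststore.p12";
    private static final char[] KEY_PASSWORD = "changeit".toCharArray();
    private static final char[] TRUST_PASSWORD = "changeit".toCharArray();

    @Bean
    public Client feignClient() throws Exception {
        // Client identity: the p12 holds the private key and client certificate.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(KEY_STORE, KEY_PASSWORD), KEY_PASSWORD);

        // Server trust: only certificates in this store (typically the CA that
        // issued the server certificate) are accepted, independent of cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(TRUST_STORE, TRUST_PASSWORD));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Keep the JDK's default hostname verifier. Replacing it with an
        // accept-all verifier or trust strategy would let any host holding
        // any certificate pass as the server.
        return new Client.Default(ctx.getSocketFactory(),
                HttpsURLConnection.getDefaultHostnameVerifier());
    }

    private static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }
}
```

If the server certificate chain is not issued by a CA in the trust store, the handshake fails with the PKIX path-building error quoted in the question, which is the expected signal to add the right issuer certificate rather than to disable validation.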