一、前言
OS:Windows10 64
Tomcat:Tomcat 7.0
证书格式:.jks格式证书,因为该示例为tomcat方式
二、Tomcat相关配置
1、首先你的应用服务器是tomcat的话,需要使用jks证书,没有可以自签证书。自签证书方式可参考【Windows下自签jks格式证书】。
2、在tomcat目录下新建【cert】目录,将.jks格式证书放在该文件夹下(此步操作的目的是为了方便单应用服务情况下,证书管理的方便)。
3、配置【server.xml】,在该配置文件中添加如下配置信息:
<Connector port="设置https访问端口,默认443,可自定义"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="jks文件的存放全路径"
keystorePass="证书密码"
clientAuth="false"
SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
4、启动tomcat服务。
三、HTTPS访问程序及程序请求发起
1、没有引用证书信任库,直接发起https请求,会报如下错误信息:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at com.example.utils.RequestUtil.sendPost(RequestUtil.java:32)
at com.example.utils.RequestUtil.main(RequestUtil.java:24)
2、导入证信任,并查看证书导入的是否正确(通过证书指纹对比校验证书是否导入正确)。
# 导入.crt或者.cer证书到信任文件中,统一管理
命令:keytool -import -alias ca_cert_test -file cert.crt -keystore cacerts.truststore
输出:输入密钥库口令:
再次输入新口令:
所有者: OU=HangZhou, L=HangZhou, ST=ZheJiang, C=CN
发布者: OU=HangZhou, L=HangZhou, ST=ZheJiang, C=CN
序列号: 4af0e8374167c39db8e3a09bd8990fb56cafca0
有效期开始日期: Fri Oct 28 19:58:48 CST 2022, 截止日期: Sun Nov 27 19:58:48 CST 2022
证书指纹:
MD5: 66:C7:F4:7E:A2:F8:7E:D1:59:FC:7C:CD:73:E5:18:D7
SHA1: 99:3D:83:1F:0B:DA:E9:9A:51:78:21:A6:C9:51:72:A4:2F:58:C2:18
SHA256: 34:41:08:54:7B:A1:96:17:DE:67:26:56:88:ED:39:84:1F:E0:0E:DA:04:40:6A:D4:B3:48:13:D1:0D:34:16:DB
签名算法名称: SHA256withRSA
版本: 3
扩展:
#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#2: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
IPAddress: 192.168.1.102
]
是否信任此证书? [否]: y
证书已添加到密钥库中
#查看导入的证书信息是否正确
命令:keytool -list -keystore cacerts.truststore -storepass 密码
输出:
密钥库类型: JKS
密钥库提供方: SUN
您的密钥库包含 1 个条目
ca_cert_test, 2022-10-29, trustedCertEntry,
证书指纹 (SHA1): 99:3D:83:1F:0B:DA:E9:9A:51:78:21:A6:C9:51:72:A4:2F:58:C2:18
3、请求程序引用配置好的信任库文件,然后进行https请求,操作如下:
# 请求程序
private static final String TRUSTSTORE_PATH="证书信任文件的全路径";
private static final String TRUSTSTORE_PWD="密码";
public static void main(String[] args) throws Exception {
String url="https://192.168.1.102:8099/tt/test";
String params="{\"测试\":\"测试tt\"}";
sendPost(url,params);
}
public static void sendPost(String url,String params) throws Exception{
System.setProperty("javax.net.ssl.trustStore",TRUSTSTORE_PATH);
System.setProperty("javax.net.ssl.trustStorePassword",TRUSTSTORE_PWD);
CloseableHttpClient client= HttpClients.createDefault();
HttpPost post=new HttpPost(url);
StringEntity entity=new StringEntity(params,"UTF-8");
post.setEntity(entity);
CloseableHttpResponse response=client.execute(post);
if(response.getStatusLine().getStatusCode()==200){
String body= EntityUtils.toString(response.getEntity());
System.err.println("请求响应的响应体内容:"+body);
}
}
10:39:00.512 [main] DEBUG org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: default
10:39:00.537 [main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth cache not set in the context
10:39:00.541 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://192.168.1.102:8099][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
10:39:00.578 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://192.168.1.102:8099][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
10:39:00.582 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->https://192.168.1.102:8099
10:39:00.590 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to /192.168.1.102:8099
10:39:00.590 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Connecting socket to /192.168.1.102:8099 with timeout 0
10:39:00.622 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
10:39:00.622 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
10:39:00.623 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting handshake
10:39:00.716 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Secure session established
10:39:00.716 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - negotiated protocol: TLSv1.2
10:39:00.716 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
10:39:00.717 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer principal: OU=HangZhou, L=HangZhou, ST=ZheJiang, C=CN
10:39:00.717 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer alternative names: [192.168.1.102]
10:39:00.717 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - issuer principal: OU=HangZhou, L=HangZhou, ST=ZheJiang, C=CN
10:39:00.722 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connection established 192.168.1.102:59949<->192.168.1.102:8099
10:39:00.722 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request POST /tt/test HTTP/1.1
10:39:00.723 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: UNCHALLENGED
10:39:00.724 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
10:39:00.726 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> POST /tt/test HTTP/1.1
10:39:00.726 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Content-Length: 21
10:39:00.726 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Content-Type: text/plain; charset=UTF-8
10:39:00.726 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: 192.168.1.102:8099
10:39:00.726 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive
10:39:00.726 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_131)
10:39:00.726 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate
10:39:00.726 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "POST /tt/test HTTP/1.1[\r][\n]"
10:39:00.726 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Content-Length: 21[\r][\n]"
10:39:00.726 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Content-Type: text/plain; charset=UTF-8[\r][\n]"
10:39:00.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: 192.168.1.102:8099[\r][\n]"
10:39:00.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
10:39:00.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_131)[\r][\n]"
10:39:00.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
10:39:00.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]"
10:39:00.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "{"[0xe6][0xb5][0x8b][0xe8][0xaf][0x95]":"[0xe6][0xb5][0x8b][0xe8][0xaf][0x95]tt"}"
10:39:00.735 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 200 OK[\r][\n]"
10:39:00.735 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Server: Apache-Coyote/1.1[\r][\n]"
10:39:00.735 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"
10:39:00.735 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date: Sat, 29 Oct 2022 02:39:00 GMT[\r][\n]"
10:39:00.735 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]"
10:39:00.742 [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 OK
10:39:00.742 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Server: Apache-Coyote/1.1
10:39:00.742 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Length: 0
10:39:00.743 [main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Sat, 29 Oct 2022 02:39:00 GMT
10:39:00.753 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection can be kept alive indefinitely
10:39:00.754 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 0][route: {s}->https://192.168.1.102:8099] can be kept alive indefinitely
10:39:00.754 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: set socket timeout to 0
10:39:00.754 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://192.168.1.102:8099][total kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
请求响应的响应体内容:
Disconnected from the target VM, address: '127.0.0.1:59939', transport: 'socket'
Process finished with exit code 0
四、友情提示
1、keytool命令为jdk自带命令,jdk配置好全局变量即可。
标签:10,39,http,请求,引用,https,apache,org,main From: https://www.cnblogs.com/lightbc/p/16834119.html