HTTPS client sends request (a)

Source: Internet
Author: User
Tags: ssl connection


Summary: JSSE is a pure Java implementation of SSL and TLS, and it makes programmatic access to HTTPS sites straightforward. However, if a site's certificate was not issued by a certificate authority that the JRE trusts, JSSE refuses to trust the certificate and the HTTPS site cannot be accessed. After a brief introduction to JSSE, this article presents two ways of solving this problem.

Introduction


Over the past ten-plus years a large number of Web applications have accumulated on the Web. Today, whether you are integrating legacy Web applications or building new ones, programmatic access to certain Web pages is often required. The traditional approach is to use the socket interface, but many development platforms and tools such as .NET, Java and PHP now provide simple Web access interfaces that make interactive access to Web applications easy to program, even when the application uses HTTPS instead of HTTP.

HTTPS, HTTP secured with SSL/TLS, is widely used to protect Web application systems. The programming interfaces for accessing Web applications mostly encapsulate SSL, making HTTPS as easy to use as HTTP. However, many small and medium-sized application systems, and applications on LANs or campus networks, use certificates that were neither issued nor verified by a recognized certificate authority, and using these programming interfaces directly against such sites fails.

This article gives a brief introduction to JSSE, describes in detail how to access HTTPS with JSSE, and shows how to access HTTPS sites whose certificates cannot be verified.

JSSE Introduction

The Java Secure Socket Extension (JSSE) is a set of packages that enable secure communication over the Internet. It is a pure Java implementation of SSL and TLS that transparently provides data encryption, server authentication, message integrity and related functions, so that secure sockets created through JSSE can be used in the same way as ordinary sockets. JSSE is an open standard: Sun is not the only company that can implement it, and other vendors do ship their own implementations.

Before diving into JSSE, you need to know one Java security concept: the client's truststore file. The client's truststore holds the certificates of the servers (or of the certificate authorities) that the client trusts. When the client makes an SSL connection, JSSE decides whether to trust the server's certificate based on the certificates in this file.

In JSSE a trust manager class is responsible for deciding whether to trust the remote certificate. It applies the following rules:

⑴ If the system property javax.net.ssl.trustStore names a truststore file, the trust manager looks for that file and uses it to check the certificate.

⑵ If the system property does not specify a truststore file, it looks under the JRE installation path for the default truststore file, whose relative path is lib/security/jssecacerts.

⑶ If jssecacerts does not exist but cacerts does (cacerts ships with the J2SDK and contains a limited number of trusted root certificates), then cacerts is the default truststore file.

Access Web pages directly using the class HttpsURLConnection

Example code is given below:

    import java.io.InputStreamReader;
    import java.io.OutputStreamWriter;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;

    // Create the URL object and open an HTTPS connection to it
    URL reqURL = new URL("https://www.sun.com");
    HttpsURLConnection httpsConn = (HttpsURLConnection) reqURL.openConnection();

    /* The following (commented-out) code sends data to the Web page, enabling interactive access:
    httpsConn.setDoOutput(true);
    OutputStreamWriter out = new OutputStreamWriter(httpsConn.getOutputStream(), "8859_1");
    out.write("...");
    out.flush();
    out.close();
    */

    // Get the connection's input stream to read the response content
    InputStreamReader insr = new InputStreamReader(httpsConn.getInputStream());
    // Read the server's response and print it character by character
    int respInt = insr.read();
    while (respInt != -1) {
        System.out.print((char) respInt);
        respInt = insr.read();
    }
    insr.close();

Read this code carefully.

This code runs normally, but when the URL is changed to https://login.bjut.edu.cn the program throws a javax.net.ssl.SSLException, because the security certificate of the site login.bjut.edu.cn is not trusted by JSSE. Following the analysis of the trust manager in the JSSE introduction, one solution is to put the site's certificate into the truststore file jssecacerts, or into any other truststore file and then set the system property javax.net.ssl.trustStore to point at that file, in keeping with the trust manager's processing rules. The other solution is to implement the trust manager class yourself and have it trust the certificates we specify. The two methods are described in turn below.

Import the certificate into the Truststore file



Java provides the command-line tool keytool for creating certificates and for importing certificates from other files into Java's own truststore files. The command for importing a certificate from a file into a truststore is:

keytool -import -file Src_cer_file -keystore Dest_cer_store

Here Src_cer_file is the source file containing the certificate and Dest_cer_store is the target truststore file (keytool prompts for the truststore password and creates the file if it does not exist yet; newer JDKs document this command as -importcert, with -import still accepted).

Before the certificate can be imported, the source certificate file has to be obtained. It can be exported with Internet Explorer, which can save the certificate of an HTTPS site you have visited to a local file: open Internet Options, select the Content tab, click the Certificates... button, select the certificate in the dialog that opens, click Export..., and follow the prompts to save the certificate to a file. Before importing it, confirm the certificate's fingerprint with the site's operator through an independent channel; a certificate exported from a browser is only as trustworthy as the connection it arrived over. Finally, import the certificate into the Java truststore with keytool. For the Java program to find the truststore without any configuration, name it jssecacerts and copy it to the lib/security directory under the JRE installation path; otherwise point the system property described next at its full path.

Alternatively, set the system property javax.net.ssl.trustStore to the file Dest_cer_store in the program (and javax.net.ssl.trustStorePassword to its password, if one is needed to open it); JSSE then trusts the certificate and the program can access an HTTPS site that uses an unverified certificate. Note that when this property is set, only the named file is consulted: cacerts is no longer used, so certificates of publicly trusted sites must also be present in Dest_cer_store if the same program still needs to reach them.

With this approach programming is straightforward, but the server's certificate has to be exported by hand, and whenever the server certificate changes the export and import have to be repeated. (If the certificate is issued by an internal CA, importing the CA certificate instead of the server certificate avoids the re-import for as long as the CA does not change.) The following approach, implementing the X509 certificate trust manager class yourself, avoids exporting certificates manually.
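As an added example (not code from the original article), here is the first method applied to a single connection instead of the whole JVM: the truststore that keytool produced is loaded into a KeyStore and handed to the SSLContext of one HttpsURLConnection, so no system property is set. The truststore file name mytruststore, its password changeit, the alias and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Method 1 done per connection: load the truststore that keytool produced and
 * give it to one HttpsURLConnection's SSLContext rather than to the whole JVM.
 * Added example; file name, password and URL below are assumptions.
 */
public class TrustStoreHttpsClient {

    /** Build an SSLContext whose trust decisions come only from the given truststore file. */
    public static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        // getDefaultType() matches the format keytool writes on the same JDK (jks, or pkcs12 on newer JDKs)
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        // The default algorithm is PKIX: chain building and validity checks against this store only
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate; default SecureRandom
        return ctx;
    }

    /** Fetch a page over HTTPS with the given SSLContext; hostname verification stays enabled. */
    public static String fetch(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // affects this connection only
        StringBuilder body = new StringBuilder();
        try (Reader r = new InputStreamReader(conn.getInputStream(), "UTF-8")) {
            int c;
            while ((c = r.read()) != -1) {
                body.append((char) c);
            }
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: mytruststore was created beforehand with
        //   keytool -import -alias bjut -file login.bjut.edu.cn.cer -keystore mytruststore -storepass changeit
        SSLContext ctx = contextFromTrustStore("mytruststore", "changeit".toCharArray());
        System.out.println(fetch(new URL("https://login.bjut.edu.cn"), ctx));
    }
}
```

Because the truststore holds only the imported certificate, connections made through this SSLContext to publicly trusted sites are rejected; that is the intended effect of scoping the exception to the one host rather than lowering the bar for every connection in the JVM. The hostname check performed by HttpsURLConnection's default HostnameVerifier is unaffected, so the imported certificate must still name the host being connected to.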


Implementation and application of an X509 certificate trust manager class


In JSSE the certificate trust manager class is a class that implements the interface X509TrustManager. We can implement the interface ourselves and have it trust the certificates we specify.

Interface X509TrustManager requires us to implement the following three public methods:

⑴ void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException

This method checks the client's certificate and throws an exception if it is not trusted. Since we do not need to authenticate the client, we only need to delegate to the same method of the default trust manager. In JSSE the default trust manager is the X509TrustManager obtained from javax.net.ssl.TrustManagerFactory (initialized with a null KeyStore so that it follows the default truststore rules above).

⑵ void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException

This method checks the server's certificate and throws an exception if it is not trusted. By implementing this method yourself you can trust any certificate you specify. An empty method body also compiles: because it never throws, it trusts every certificate. That means the client performs no server authentication at all, so anyone able to intercept the connection can present their own certificate and read or modify the traffic; an empty body should not be used beyond throw-away testing.

⑶ X509Certificate[] getAcceptedIssuers()

Returns the array of trusted X509 certificates, i.e. the issuers whose certificates this trust manager accepts.

Once the trust manager class is implemented, how is it used? The class HttpsURLConnection does not appear to provide a way to set a trust manager. In fact HttpsURLConnection uses an SSLSocket to establish the secure connection, and the SSLSocket is produced by an SSLSocketFactory. HttpsURLConnection provides the method setSSLSocketFactory(SSLSocketFactory) to set the SSLSocketFactory it uses. The SSLSocketFactory is obtained from an SSLContext, and the trust manager is specified when the SSLContext is initialized.

Assuming your implementation of X509TrustManager is named MyX509TrustManager, the following snippet shows how to use it:

    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;

    // Create an SSLContext and initialize it with our own trust manager
    TrustManager[] tm = { new MyX509TrustManager() };
    // "SSL" is accepted by SunJSSE; "TLS" is the preferred protocol name on current JREs
    SSLContext sslContext = SSLContext.getInstance("SSL", "SunJSSE");
    sslContext.init(null, tm, new java.security.SecureRandom());
    // Obtain an SSLSocketFactory from that SSLContext
    SSLSocketFactory ssf = sslContext.getSocketFactory();
    // Create the HttpsURLConnection and give it our SSLSocketFactory
    HttpsURLConnection httpsConn = (HttpsURLConnection) myURL.openConnection();
    httpsConn.setSSLSocketFactory(ssf);


In this way the HttpsURLConnection object connects to the HTTPS site regardless of whether its certificate was issued by a recognized authority, as long as MyX509TrustManager, the class implementing X509TrustManager, trusts the certificate. The server is then authenticated only as strongly as MyX509TrustManager checks it.
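The text above describes the three methods of X509TrustManager and the empty checkServerTrusted that trusts everything. The following added example (not the article's code) implements MyX509TrustManager the way a practitioner should: it keeps JSSE's default trust manager for publicly trusted chains and additionally accepts exactly one pinned certificate, identified by its SHA-256 fingerprint, so an attacker's certificate is still rejected. It also wires the trust manager into one HttpsURLConnection, as the snippet above does. The exported certificate file login.bjut.edu.cn.cer and the URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * X509TrustManager that keeps JSSE's default checks and additionally accepts
 * exactly one pinned certificate. An empty checkServerTrusted would accept any
 * certificate, including an attacker's; this class does not.
 * Added example; the .cer file name and URL are assumptions.
 */
public class MyX509TrustManager implements X509TrustManager {
    private final X509TrustManager defaultTm;  // JSSE default (jssecacerts / cacerts rules)
    private final byte[] pinnedFingerprint;    // SHA-256 of the one extra certificate we accept

    public MyX509TrustManager(String pinnedCertFile) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = the default truststore described in the text
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no default X509TrustManager available");
        }
        this.defaultTm = found;

        // The exported certificate (DER or PEM, as saved by the browser or by keytool -rfc)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate pinned;
        try (InputStream in = new FileInputStream(pinnedCertFile)) {
            pinned = (X509Certificate) cf.generateCertificate(in);
        }
        this.pinnedFingerprint = sha256(pinned);
    }

    private static byte[] sha256(X509Certificate c) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaultTm.checkClientTrusted(chain, authType); // we never authenticate clients; just delegate
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        try {
            defaultTm.checkServerTrusted(chain, authType); // publicly trusted chain: accepted as usual
        } catch (CertificateException notPubliclyTrusted) {
            // Not trusted by the default store: accept only the exact certificate we pinned,
            // and still reject it once it has expired. Anything else stays untrusted.
            chain[0].checkValidity();
            if (!MessageDigest.isEqual(sha256(chain[0]), pinnedFingerprint)) {
                throw notPubliclyTrusted;
            }
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return defaultTm.getAcceptedIssuers();
    }

    /** Wire the trust manager into one connection, as the snippet in the text does. */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new MyX509TrustManager("login.bjut.edu.cn.cer") }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://login.bjut.edu.cn").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // hostname verification is still performed
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Compared with the empty method body, this version still has to be told which certificate to accept, so it does not remove the manual export step entirely; what it removes is the need to run keytool and manage a truststore file, while keeping a failed check fatal. The pin is on the leaf certificate, so it must be updated when the server certificate is reissued; pinning the issuing CA certificate instead (and validating the chain against it) is the usual trade-off when the server rotates certificates often.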

If the code above is not yet clear, the procedure will be explained in full in the next article.

Summary

This article has introduced two ways of accessing an HTTPS site whose certificate was not issued by a recognized authority: importing the certificate into a Java truststore file, or implementing a certificate trust manager class that replaces the JSSE default. Both have advantages and disadvantages. The first does not weaken JSSE's security but requires the certificate to be imported manually; the second needs no manual import but must be used with care, because a trust manager that accepts certificates it has not verified removes the protection HTTPS provides against an attacker impersonating the server.

The next article will implement full HTTPS development.

