The HTTPS client sends a request (1)

Source: Internet
Author: User
Tags: ssl, connection


Abstract

JSSE is a pure Java implementation of SSL and TLS. Through JSSE, you can easily program access to HTTPS sites. However, if the site's certificate has not been verified by an authority, JSSE refuses to trust the certificate and the HTTPS site cannot be accessed. After a brief introduction to JSSE, this article presents two methods to solve this problem.

 

Introduction


Over the past decade, a large number of Web applications have accumulated on the Internet. Today, both integrating existing Web application systems and developing new ones often require programs that access Web pages. The traditional method is to use the Socket interface, but many development platforms and tools such as .NET, Java, and PHP now provide simple Web access interfaces. Using these interfaces, you can easily program interactive access to a Web application system, even one that uses HTTPS instead of HTTP.

HTTPS, the Secure Hypertext Transfer Protocol, uses SSL and is widely used to protect Web application systems. Most programming interfaces for accessing Web applications encapsulate SSL, making HTTPS access as simple as HTTP access. However, the certificates used by many small and medium-sized application systems, or by systems on LANs and campus networks, are not issued or verified by an authoritative certification body, so using these programming interfaces directly does not allow access over HTTPS.

After a brief introduction to JSSE, this article describes how to use JSSE to access HTTPS, and in particular how to access an HTTPS site whose certificate is not verified.

JSSE Introduction

Java Secure Socket Extension (JSSE) is a collection of packages for secure Internet communication. It is a pure Java implementation of SSL and TLS. It transparently provides data encryption, server authentication, message integrity, and other functions, so that a secure socket established by JSSE can be used just like an ordinary socket. JSSE is an open standard: not only Sun but other companies can provide their own JSSE implementations.

Before learning about JSSE, you need to understand one Java security concept: the client's TrustStore file. The client's TrustStore file stores the certificates of the servers that the client trusts. When the client makes an SSL connection, JSSE decides whether to trust the server certificate based on the certificates in this file.

In JSSE, a trust manager class determines whether to trust a remote certificate. This class has the following processing rules:

(1) If the system property javax.net.ssl.trustStore specifies a TrustStore file, the trust manager looks for that file in the lib/security/ directory under the JRE installation path and uses it to check the certificate.

(2) If the system property does not specify a TrustStore file, the trust manager looks in the JRE installation path for the default TrustStore file, whose relative path is lib/security/jssecacerts.

(3) If jssecacerts does not exist but cacerts does (cacerts ships with the J2SDK and contains a limited number of trusted root certificates), the default TrustStore file is cacerts.

Accessing a Web page directly with HttpsURLConnection

The following is an example code:

    // Imports needed by this fragment
    import java.io.InputStreamReader;
    import java.io.OutputStreamWriter;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;

    URL reqURL = new URL("https://www.sun.com"); // create a URL object
    HttpsURLConnection httpsConn = (HttpsURLConnection) reqURL.openConnection();
    /* The following code sends data to the Web page to enable interactive access
    httpsConn.setDoOutput(true);
    OutputStreamWriter out = new OutputStreamWriter(httpsConn.getOutputStream(), "8859_1");
    out.write("......");
    out.flush();
    out.close();
    */
    // Get the connection's input stream to read the response content
    InputStreamReader insr = new InputStreamReader(httpsConn.getInputStream());
    // Read the server's response and display it
    int respInt = insr.read();
    while (respInt != -1) {
        System.out.print((char) respInt);
        respInt = insr.read();
    }

Please read the following paragraph carefully.

This code runs normally, but when you change the accessed URL to https://login.bjut.edu.cn, the program throws a javax.net.ssl.SSLException because the security certificate of the https://login.bjut.edu.cn site is not trusted by JSSE. From the analysis of the trust manager in the JSSE introduction, one way to solve this problem is to put the site certificate into the certificate library file jssecacerts, following the trust manager's processing rules, or to store the certificate in any TrustStore file and set the system property javax.net.ssl.trustStore to point to that file. Another solution is to implement the trust manager class ourselves so that it trusts the certificate we specify. The two methods are described in turn below.

 

Importing the certificate into the TrustStore file

Java provides the command line tool keytool to create certificates or to import certificates from other files into a Java TrustStore file. The command line format for importing a certificate from another file into the TrustStore file is:

    keytool -import -file src_cer_file -keystore dest_cer_store

Here src_cer_file is the name of the source file containing the certificate, and dest_cer_store is the target TrustStore file.

Before using keytool, you must first obtain the source certificate file. You can get it with IE, which can save the certificate of an HTTPS site you visit to your local computer. To export a certificate from IE, open "Internet Options", select the "Content" tab, and click "Certificates...". In the certificate dialog box that appears, select the certificate and click "Export...", then follow the wizard step by step to save the certificate to a file. Finally, use keytool to import the certificate into the Java TrustStore file. So that the Java program can find the file, copy it to the lib/security/ directory under the JRE installation path.

In this way, you only need to set the system property javax.net.ssl.trustStore in the program to point to the file dest_cer_store; JSSE then trusts the certificate, and the program can access the HTTPS site that uses the unverified certificate.

With this method, programming is very simple, but you need to export the server certificate manually, and when the server certificate changes frequently you have to export it again each time. The following describes how to implement the X509 certificate trust manager class to avoid exporting certificates manually.


Implementation and application of the X509 certificate trust manager class


In JSSE, the certificate trust manager class is a class that implements the X509TrustManager interface. We can implement this interface ourselves so that it trusts the certificate we specify.

The X509TrustManager interface has three public methods that need to be implemented:

(1) void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException

This method checks the client certificate and throws an exception if the certificate is not trusted. Because we do not need to authenticate the client, we only need to execute the default trust manager's method. In JSSE, the default trust manager class is TrustManager.

(2) void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException

This method checks the server certificate and throws an exception if the certificate is not trusted. This is the method through which we can trust any certificate we specify. When implementing it, you can simply do nothing, that is, leave the function body empty. Because no exception is thrown, it will trust any certificate.

(3) X509Certificate[] getAcceptedIssuers()

This method returns the array of trusted X509 certificates.

Having implemented the trust manager class, how do we use it? The HttpsURLConnection class does not seem to provide a way to set the trust manager. In fact, HttpsURLConnection uses SSLSocket to establish the secure connection for HTTPS. SSLSocket objects are produced by an SSLSocketFactory, and HttpsURLConnection provides the setSSLSocketFactory(SSLSocketFactory) method to set the SSLSocketFactory it uses. The SSLSocketFactory is obtained from an SSLContext object, and the trust manager object can be specified when the SSLContext object is initialized.

Assume that our own implementation of the X509TrustManager interface is the class MyX509TrustManager. The following code snippet shows how to use MyX509TrustManager:

    // Imports needed by this fragment
    import java.security.SecureRandom;
    import javax.net.ssl.*;

    // Create an SSLContext object and initialize it with the trust manager we specified
    TrustManager[] tm = { new MyX509TrustManager() };
    SSLContext sslContext = SSLContext.getInstance("SSL", "SunJSSE");
    sslContext.init(null, tm, new SecureRandom());
    // Obtain the SSLSocketFactory object from the sslContext object
    SSLSocketFactory ssf = sslContext.getSocketFactory();
    // Create the HttpsURLConnection object and set its SSLSocketFactory object
    HttpsURLConnection httpsConn = (HttpsURLConnection) myURL.openConnection();
    httpsConn.setSSLSocketFactory(ssf);


In this way, the HttpsURLConnection object can connect over HTTPS normally, whether or not the certificate has been verified by an authority, as long as the class MyX509TrustManager implementing the X509TrustManager interface trusts the certificate.
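The article's empty checkServerTrusted trusts every server. The following class, an added example that is not the article's code, implements the three interface methods so that they really do "trust the certificate we specify": it first delegates to JSSE's default trust manager (which follows the TrustStore rules from the JSSE introduction) and only then accepts a server whose leaf certificate is identical to the one exported from the site in the previous section. The constructor argument pinnedCertFile, the path of that exported certificate file, is an assumption of this example; the class plugs into the SSLContext snippet above unchanged apart from that argument.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added example, not the article's code: asks JSSE's default trust manager first
// and otherwise accepts only the single certificate exported from the site.
public class MyX509TrustManager implements X509TrustManager {
    private final X509TrustManager defaultTm;  // JSSE's own manager (jssecacerts/cacerts rules)
    private final X509Certificate pinned;      // the one certificate we choose to trust

    public MyX509TrustManager(String pinnedCertFile) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);             // null = use the default TrustStore
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        defaultTm = found;
        try (InputStream in = new FileInputStream(pinnedCertFile)) {  // assumed file path
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        defaultTm.checkClientTrusted(chain, authType);  // client auth left to the default
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            defaultTm.checkServerTrusted(chain, authType);  // normal CA-based check
        } catch (CertificateException e) {
            // Not issued by a trusted authority: accept only the pinned certificate
            if (chain == null || chain.length == 0 || !chain[0].equals(pinned)) {
                throw e;
            }
            chain[0].checkValidity();           // still reject it once it has expired
        }
    }

    public X509Certificate[] getAcceptedIssuers() {
        return defaultTm.getAcceptedIssuers();
    }
}
```

Certificate.equals compares the encoded certificates byte for byte, so a re-issued server certificate is rejected until the exported file is refreshed, which is the trade-off the summary below describes.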

 

******************************* If you do not understand the above programs, all of them will be explained later ******************************

 

Summary

This article has introduced two methods of accessing an HTTPS site whose certificate is not authorized. One is to import the certificate into Java's TrustStore file; the other is to implement a certificate trust manager class that overrides JSSE's default one. The two methods each have advantages and disadvantages. The first method does not affect the security of JSSE, but the certificate must be imported manually. The second method does not require importing the certificate manually, but it must be used with care, otherwise it may introduce security risks.

 

The next article will implement complete HTTPS development.
