在Apache HttpAsyncClient中配置SSL

li9yvcax  于 2023-01-13  发布在  Apache
关注(0)|答案(4)|浏览(274)

我需要设置一个支持SSL的Apache HTTPASyncClient。我使用了下面的代码,但它似乎不起作用(获取"javax.net.ssl.SSLException:收到致命警报:握手失败")

System.setProperty("javax.net.debug", "ssl,handshake");
    System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

    KeyStore ts = KeyStore.getInstance("JKS");
    ts.load(loadStream("C:/TrustStore/cacerts"), "trustpass".toCharArray());
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(loadStream("C:/KeyStore/SSL/keystore.SomeKey"), "keypass".toCharArray());

    SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(ts).loadKeyMaterial(ks, "somekey".toCharArray()).setSecureRandom(new SecureRandom());        
    SSLContext ssl = sslBuilder.build();

    PoolingNHttpClientConnectionManager cm = new PoolingNHttpClientConnectionManager(new DefaultConnectingIOReactor(IOReactorConfig.DEFAULT));        

    CloseableHttpAsyncClient clientHttps = HttpAsyncClientBuilder.create()
            .setConnectionManager(cm)    
            .setHostnameVerifier(SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
            .setSSLContext(ssl)
            .build();

    RequestConfig.Builder b = RequestConfig.custom();        
    b.setProxy(new HttpHost("proxyHost", proxyPort));
    RequestConfig rc = b.build();

    clientHttps.start();

    HttpRequestBase req = new HttpPost("https://someurl");
    ((HttpEntityEnclosingRequestBase)req).setEntity(new StringEntity("somestring"));
    req.setConfig(rc);

    clientHttps.execute(req, new FutureCallback<HttpResponse>() {

        @Override
        public void failed(Exception ex) {
            System.out.println(ex);
        }

        @Override
        public void completed(HttpResponse result) {
            System.out.println(result);                
        }

        @Override
        public void cancelled() {
            System.out.println("Cancelled");                
        }
    });

当使用javax.net.ssl.HttpsURLConnection来实现这一点时,它可以工作(如果需要,我可以附加相关代码)。

    • 编辑**

基于@ben75的答案,我终于让它运行与以下代码

System.setProperty("javax.net.debug", "ssl,handshake");
System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

KeyStore ts = KeyStore.getInstance("JKS");
ts.load(loadStream("C:/TrustStore/cacerts"), "trustpass".toCharArray());
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(loadStream("C:/KeyStore/SSL/keystore.SomeKey"), "keypass".toCharArray());

SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(ts).loadKeyMaterial(ks, "somekey".toCharArray()).setSecureRandom(new SecureRandom());        
SSLContext ssl = sslBuilder.build();

SSLIOSessionStrategy s = new SSLIOSessionStrategy(ssl, SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
RegistryBuilder<SchemeIOSessionStrategy> rb = RegistryBuilder.create();
rb.register("https", s).register("http", NoopIOSessionStrategy.INSTANCE);
PoolingNHttpClientConnectionManager cm = new PoolingNHttpClientConnectionManager(new DefaultConnectingIOReactor(IOReactorConfig.DEFAULT), rb.build());       

CloseableHttpAsyncClient clientHttps = HttpAsyncClientBuilder.create()
        .setConnectionManager(cm)
        .build();

RequestConfig.Builder b = RequestConfig.custom();        
b.setProxy(new HttpHost("proxyHost", proxyPort));
RequestConfig rc = b.build();

clientHttps.start();

HttpRequestBase req = new HttpPost("https://someurl");
((HttpEntityEnclosingRequestBase)req).setEntity(new StringEntity("somestring"));
req.setConfig(rc);

clientHttps.execute(req, new FutureCallback<HttpResponse>() {

    @Override
    public void failed(Exception ex) {
        System.out.println(ex);
    }

    @Override
    public void completed(HttpResponse result) {
        System.out.println(result);                
    }

    @Override
    public void cancelled() {
        System.out.println("Cancelled");                
    }
});
pxy2qtax

pxy2qtax1#

(我最近(在Android上)遇到了非常类似的问题,但我猜你也犯了和我一样的错误。)
显式设置连接管理器时:builder.setConnectionManager(cm) sslContext被忽略。
您可以做的是将SSL上下文注入到PoolingNHttpClientConnectionManager中。
为此,可以使用此构造函数:池化NHttpClient连接管理器(组织、Apache、http、nio、reactor、连接IOReact器、注册表IO会话工厂注册表)
iosessionFactoryRegistry包含使用您的SSL上下文构建的SSLIOSessionStrategy

ej83mcc0

ej83mcc02#

下面是一个工作示例:

public SSLContext getSSLContext() {
    final TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
    try {
        final SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
                .loadTrustMaterial(null, acceptingTrustStrategy)
                .build();
        sslContext.getServerSessionContext().setSessionCacheSize(1000);
        return sslContext;
    } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
    }
    return null;
}

public Registry<SchemeIOSessionStrategy> getSSLRegistryAsync() {
    return RegistryBuilder.<SchemeIOSessionStrategy>create()
            .register("http", NoopIOSessionStrategy.INSTANCE)
            .register("https", new SSLIOSessionStrategy(
                    getSSLContext(), null, null, SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)).build();
}

public PoolingNHttpClientConnectionManager getPoolingNHttpClientConnectionManager() {
    try {
        final PoolingNHttpClientConnectionManager connectionManager =
                new PoolingNHttpClientConnectionManager(new DefaultConnectingIOReactor(IOReactorConfig.DEFAULT), getSSLRegistryAsync());
        connectionManager.setMaxTotal(connectionPoolMax);
        connectionManager.setDefaultMaxPerRoute(connectionPoolMaxPerRoute);

        return connectionManager;
    } catch (IOReactorException e) {
    }
    return null;
}

public RequestConfig getRequestConfig() {
    return RequestConfig.custom()
            .setConnectTimeout(connectTimeout)
            .setSocketTimeout(socketTimeout)
            .setConnectionRequestTimeout(socketTimeout)
            .setCookieSpec(CookieSpecs.IGNORE_COOKIES)
            .build();
}

public CloseableHttpAsyncClient getHttpAsyncClient() {
    final CloseableHttpAsyncClient httpAsyncClient = HttpAsyncClients.custom()
            .setConnectionManager(getPoolingNHttpClientConnectionManager())
            .setDefaultRequestConfig(getRequestConfig())
            .build();
    return httpAsyncClient;
}
vyswwuz2

vyswwuz23#

我的异步模式示例:

try {
         SSLContext sslContext = getSSLContext(X509Cert);

         CloseableHttpAsyncClient httpAsyncClient = getHttpAsyncClient(sslContext,HTTP_CLIENT_MAX_POOL_CONNECTIONS,HTTP_CLIENT_MAX_PER_ROUTE_CONN);
         setHttpAsyncClient(httpAsyncClient);

    } catch (Exception e) {
        LOG.error("Generic SSL Error Adapter: {} - {}", e.getMessage(), e.getLocalizedMessage());
    }

}

private SSLContext getSSLContext(X509CertificateValidator trustStrategy) {
    try {
        final SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(null, trustStrategy)
                .build();
        sslContext.getServerSessionContext().setSessionCacheSize(1000);
        return sslContext;
    } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
        LOG.error("SSL Context creation error: {} - {}", e.getMessage(), e.getLocalizedMessage());
    }
    return null;
}

private Registry<SchemeIOSessionStrategy> getSSLRegistryAsync(SSLContext sslContext) {
    Registry<SchemeIOSessionStrategy> defaultRegistry = RegistryBuilder.<SchemeIOSessionStrategy> create()
            .register("http", NoopIOSessionStrategy.INSTANCE)
            .register("https", new SSLIOSessionStrategy(sslContext, NoopHostnameVerifier.INSTANCE))
            .build();

    return defaultRegistry;

}

private PoolingNHttpClientConnectionManager getPoolingNHttpClientConnectionManager(SSLContext sslContext, int connectionPoolMax, int connectionPoolMaxPerRoute) {
    try {
        PoolingNHttpClientConnectionManager connectionManager =
                new PoolingNHttpClientConnectionManager(new DefaultConnectingIOReactor(IOReactorConfig.DEFAULT), getSSLRegistryAsync(sslContext));
        connectionManager.setMaxTotal(connectionPoolMax);
        connectionManager.setDefaultMaxPerRoute(connectionPoolMaxPerRoute);
        return connectionManager;
    } catch (IOReactorException e) {
        LOG.error("NHttp Connectio Manager error: {} - {}", e.getMessage(), e.getLocalizedMessage());
    }
    return null;
}

public CloseableHttpAsyncClient getHttpAsyncClient(SSLContext sslContext, int connectionPoolMax, int connectionPoolMaxPerRoute) {
    final CloseableHttpAsyncClient httpAsyncClient = HttpAsyncClients.custom()
            .setConnectionManager(getPoolingNHttpClientConnectionManager(sslContext, connectionPoolMax, connectionPoolMaxPerRoute))
            //.setSSLHostnameVerifier(new NoopHostnameVerifier())
            .build();
    return httpAsyncClient;
}
dw1jzc5e

dw1jzc5e4#

这里有很多很好的答案,但是在写这个答案的时候,我在httpcomponents库中找到了很多方便的构建器,例如,为了创建一个基于信任的sslcontext,我使用了以下方法:

HttpAsyncClients.custom()
                    .setConnectionManager(PoolingAsyncClientConnectionManagerBuilder.create()
                            .setTlsStrategy(ClientTlsStrategyBuilder.create()
                                    .setSslContext(SSLContextBuilder.create()
                                            .loadTrustMaterial(null, new TrustAllStrategy())
                                            .build())
                                    .build())
                            .build())
                    .build()

相关问题