http://javaweb.org/?p=1237
Java在请求某些不受信任的https网站时会报:PKIX path building failed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java: 192 ) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java: 1884 ) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java: 276 ) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java: 270 ) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java: 1341 ) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java: 153 ) at sun.security.ssl.Handshaker.processLoop(Handshaker.java: 868 ) at sun.security.ssl.Handshaker.process_record(Handshaker.java: 804 ) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java: 1016 ) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java: 1312 ) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java: 1339 ) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java: 1323 ) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java: 563 ) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java: 185 ) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java: 1300 ) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java: 254 ) at SslTest.getRequest(SslTest.java: 16 ) at SslTest.main(SslTest.java: 40 )Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java: 385 ) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java: 230 ) at sun.security.validator.Validator.validate(Validator.java: 260 ) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java: 326 ) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java: 231 ) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java: 126 ) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java: 1323 ) ... 13 moreCaused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java: 196 ) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java: 268 ) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java: 380 ) ... 19 more |
解决办法:
1、导入证书到本地证书库
2、信任所有SSL证书
最好的解决办法或许是信任所有SSL证书,因为某些时候不能每次都手动的导入证书非常麻烦。现在封装了个方法,在连接openConnection的时候忽略掉证书就行了。
1 | SslUtils.ignoreSsl(); |
package com.emchat.example.httpclient.utils;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
public class SslUtils {private static void trustAllHttpsCertificates() throws Exception {
TrustManager[] trustAllCerts = new TrustManager[1];
TrustManager tm = new miTM();
trustAllCerts[0] = tm;
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
}
static class miTM implements TrustManager,X509TrustManager {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public boolean isServerTrusted(X509Certificate[] certs) {
return true;
}
public boolean isClientTrusted(X509Certificate[] certs) {
return true;
}
public void checkServerTrusted(X509Certificate[] certs, String authType)
throws CertificateException {
return;
}
public void checkClientTrusted(X509Certificate[] certs, String authType)
throws CertificateException {
return;
}
}
/**
* 忽略HTTPS请求的SSL证书,必须在openConnection之前调用
* @throws Exception
*/
public static void ignoreSsl() throws Exception{
HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String urlHostName, SSLSession session) {
System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
return true;
}
};
trustAllHttpsCertificates();
HttpsURLConnection.setDefaultHostnameVerifier(hv);
}
}
SslTest.java:
import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;
import org.apache.commons.io.IOUtils;
public class SslTest {
public String getRequest(String url,int timeOut) throws Exception{
URL u = new URL(url);
if("https".equalsIgnoreCase(u.getProtocol())){
SslUtils.ignoreSsl();
}
URLConnection conn = u.openConnection();
conn.setConnectTimeout(timeOut);
conn.setReadTimeout(timeOut);
return IOUtils.toString(conn.getInputStream());
}
public String postRequest(String urlAddress,String args,int timeOut) throws Exception{
URL url = new URL(urlAddress);
if("https".equalsIgnoreCase(url.getProtocol())){
SslUtils.ignoreSsl();
}
URLConnection u = url.openConnection();
u.setDoInput(true);
u.setDoOutput(true);
u.setConnectTimeout(timeOut);
u.setReadTimeout(timeOut);
OutputStreamWriter osw = new OutputStreamWriter(u.getOutputStream(), "UTF-8");
osw.write(args);
osw.flush();
osw.close();
u.getOutputStream();
return IOUtils.toString(u.getInputStream());
}
public static void main(String[] args) {
try {
SslTest st = new SslTest();
String a = st.getRequest("https://xxx.com/login.action", 3000);
System.out.println(a);
} catch (Exception e) {
e.printStackTrace();
}
}
}