Apache httpclient 4.3.3 我如何只接受一个特定的自签名证书答案

【问题标题】：Apache httpclient 4.3.3 how do I accept only one specific self signed certificateApache httpclient 4.3.3 我如何只接受一个特定的自签名证书
【发布时间】：2014-05-26 08:46:14
【问题描述】：

我正在构建一个休息客户端，它应该只接受带有一个特定证书的响应。我尝试使用响应拦截器来比较哈希以识别并检查是否使用了正确的证书。但我不知道如何从响应中获取服务器证书。我发现的方法在 httpclient 4.3.3 中都已弃用。

 CloseableHttpClient httpclient = HttpClients.custom().addInterceptorLast(new HttpResponseInterceptor() {

  @Override
  public void process(HttpResponse response, HttpContext context) throws HttpException, IOException
  {
    //how do I get the certificate here?
    String sha1Hex = DigestUtils.sha1Hex(cert.getEncoded());

    boolean check = sha1Hex.equals("xxxxxxxx");
  }

}).setSSLSocketFactory(sslsf).build();

或者有更好的方法吗？

【问题讨论】：

标签： java ssl ssl-certificate httpclient apache-httpclient-4.x

【解决方案1】：

这是可以做到的

CloseableHttpClient httpclient = HttpClients.custom().addInterceptorLast(new HttpResponseInterceptor() {

    @Override
    public void process(
            HttpResponse response, HttpContext context) throws HttpException, IOException {
        HttpCoreContext coreContext = HttpCoreContext.adapt(context);
        ManagedHttpClientConnection conn = coreContext.getConnection(ManagedHttpClientConnection.class);
        SSLSession sslSession = conn.getSSLSession();
        if (sslSession != null) {
            X509Certificate[] certs = sslSession.getPeerCertificateChain();
            if (certs.length == 1) {
                String sha1Hex = null;
                try {
                    sha1Hex = DigestUtils.sha1Hex(certs[0].getEncoded());
                } catch (CertificateEncodingException ex) {
                    throw new HttpException("Messged up cert", ex);
                }
                boolean check = sha1Hex.equals("xxxxxxxx");
            }
        }
    }

}).setSSLSocketFactory(sslsf).build();

但是，我推荐的更好的方法是使用包含您希望客户信任的证书的信任材料来初始化客户端的 SSL 上下文。

【讨论】：