【发布时间】:2019-10-23 14:16:33
【问题描述】:
- 我们的目标服务器 (censored.local) 具有 CN = censored.com, *.censored.com 的 HTTPS 证书
- 测试引发异常:
javax.net.ssl.SSLException: Certificate for
"censored.local" doesn't match any of the subject alternative
names: [censored.com, *.censored.com]
- 我理解为什么会发生这种情况 (RFC 2818),但我想绕过它进行测试。无法在目标服务器上安装不同的证书。
- .relaxedHTTPSValidation() 和 .allowAllHostnames() 不起作用。所以,我试着用自己的方式编写代码:
我的测试课:
...
.given().spec(reqSpec)
...
我的配置类:
public abstract class Configurator {
protected static TestEnv envConf = chooseEnv();
protected static RequestSpecification reqSpec;
static { try { reqSpec = configureRestAssured(); } catch (Exception e) {e.printStackTrace(); } }
protected static TestEnv chooseEnv() {
// Some logic following to select an instance from TestEnv (not shown here)
...
envConf = TestEnv.BETA;
return envConf;
}
protected static RequestSpecification configureRestAssured() {
RequestSpecification reqSpec = new RequestSpecBuilder().build();
reqSpec
.header("Authorization", String.format("Bearer %s", envConf.getBearerToken()))
// This gets the censored.local URI:
.baseUri(envConf.getBaseURI())
.config(getRAconfig());
return reqSpec;
}
private static RestAssuredConfig getRAconfig() {
SSLSocketFactory sslSocket = getSSLsocket (envConf.getKeystoreFile(), "keystorePassword", "PrivateKeyPassword");
RestAssuredConfig raConfig = RestAssuredConfig.config()
.sslConfig(SSLConfig.sslConfig().sslSocketFactory(sslSocket));
return raConfig;
}
private static SSLSocketFactory getSSLsocket(String ksPath, String ksPassword, String pkPassword) {
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(ksPath), ksPassword.toCharArray());
SSLContext context = SSLContexts.custom()
.loadKeyMaterial(keystore, pkPassword.toCharArray(), firstPrivateKeyStrategy())
.loadTrustMaterial(trustEveryoneStrategy())
.build();
return new SSLSocketFactory(context);
}
private static PrivateKeyStrategy firstPrivateKeyStrategy() {
return new PrivateKeyStrategy() {
@Override
public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
return aliases.keySet().iterator().next();
}
};
}
private static TrustStrategy trustEveryoneStrategy() {
return new TrustStrategy() {
@Override
public boolean isTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
return true;
}
};
}}
- 不知道有没有帮助,但是在调试过程中,可以看到:
raConfig = {RestAssuredConfig@2752}
configs = {HashMap@2753} size = 17
...
{Class@2003} "class io.restassured.config.SSLConfig" -> {SSLConfig@3257}
key = {Class@2003} "class io.restassured.config.SSLConfig"
value = {SSLConfig@3257}
pathToKeyStore = null
pathToTrustStore = null
keyStorePassword = null
trustStorePassword = null
keyStoreType = "pkcs12"
trustStoreType = "pkcs12"
port = -1
trustStore = null
keyStore = null
x509HostnameVerifier = {StrictHostnameVerifier@3286} "STRICT"
STRICT 基本上是在显示我的问题吗? 如果是这样,如何破解非 STRICT x509HostnameVerifier?
- 另外,我知道以下内容,但不知道如何将其用于我的 Rest Assured 连接:https://tutoref.com/how-to-disable-ssl-certificat-validation-in-java/
【问题讨论】:
-
X509HostnameVerifier用于检查主机名是否与存储在服务器的(不是客户端的)X.509 证书中的名称匹配:hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/…您能否检查服务器证书中的主题是否与实际的服务器域匹配。例如。使用网络浏览器:shellhacks.com/… -
另一件事是
SSLSockerFactory的使用可能会覆盖您的SSLConfigREST-assured 类中的设置。这是因为仅在未提供SSLSockerFactory时才使用来自 SSLConfig 的配置。见:github.com/rest-assured/rest-assured/blob/… -
@dzieciou 今天我想知道我是否能以某种方式获得实际的服务器证书,哈哈!我会检查...
标签: java ssl https apache-httpclient-4.x rest-assured