Java SSL Certificate Verification with a proxy
Question
I have an issue with the verification of an SSL certificate.
What I am trying to do is send some data from a Java program to a server, which then stores that data.
The issue is that the SSL certificate validation fails with the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed [...] unable to find valid certification path to...
I am able to resolve this issue by adding the "end-user" certificate of the server to the truststore I am using.
The chain looks something like this:
Root Certificate 1
Intermediate Cert 11
Intermediate Certificate x
End-User Certificate
Something to note about this whole chain / process:
The communication is using the company's proxy, which replaces all the certificates and creates its own chain.
So back to the issue:
By adding the end-user certificate everything runs fine. But only for a little while, before that certificate gets refreshed and the one I added is no longer valid. I have tried adding just the root certificate, just each intermediate certificate, adding all 3 certificates and also adding the certificate which would be used if the proxy does not replace the chain. But somehow the certificate cannot be validated.
Is there something I might be overlooking? Do I have to add something else to be able to validate the certificate?
Edit:
Maybe something to note:
I checked the chain by using the browser and navigating to said server, and then checking the SSL certificates.
Answer 1
Score: 0
This seemed to be an issue with the certificates provided by the company that replaced the certificate chain.
For some reason the chain was not completed, and I had to add all certificates in the chain to the truststore to make it work.
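The answer's diagnosis (the intercepting proxy sends an incomplete chain, so the JVM cannot build a path to any trust anchor) can be confirmed directly from Java instead of from the browser. The following diagnostic is an added example, not code from the question or the answer: it performs one TLS handshake to the target (optionally through an explicit proxy via HTTP CONNECT), records the chain the peer actually presents, flags a broken or incomplete chain, and then validates that same chain against a truststore with the JDK's default X509TrustManager, which is what produces the "PKIX path building failed" error. The class name `ChainCheck`, the command-line arguments and the default proxy port 3128 are assumptions for the example.

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;

// Added diagnostic: shows the chain the JVM really receives and why it does or does not validate.
public class ChainCheck {

    // Records the chain the peer sends. It accepts everything, so it is for diagnosis only:
    // never wire a TrustManager like this into the real application.
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain = new X509Certificate[0];
        String authType = "UNKNOWN";
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { chain = c; authType = a; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Opens an HTTP CONNECT tunnel through an explicit proxy, so the handshake runs through it
    // and an intercepting proxy presents its own replacement chain on this connection.
    static Socket connectTunnel(String proxyHost, int proxyPort, String host, int port) throws IOException {
        Socket s = new Socket(proxyHost, proxyPort);
        OutputStream out = s.getOutputStream();
        out.write(("CONNECT " + host + ":" + port + " HTTP/1.1\r\nHost: " + host + ":" + port + "\r\n\r\n")
                .getBytes(StandardCharsets.ISO_8859_1));
        out.flush();
        StringBuilder resp = new StringBuilder();           // read status line + headers up to the blank line
        InputStream in = s.getInputStream();
        int b;
        while ((b = in.read()) != -1) {
            resp.append((char) b);
            if (resp.indexOf("\r\n\r\n") >= 0) break;
        }
        String status = resp.toString().split("\r\n", 2)[0];
        if (!status.matches("HTTP/1\\.[01] 200.*")) {
            s.close();
            throw new IOException("proxy refused CONNECT: " + status);
        }
        return s;
    }

    // Performs one TLS handshake and returns what the server (or the intercepting proxy) presented.
    static CapturingTrustManager fetchChain(String host, int port, String proxyHost, int proxyPort) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, null);
        Socket plain = proxyHost == null ? new Socket(host, port) : connectTunnel(proxyHost, proxyPort, host, port);
        try (SSLSocket ssl = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, port, true)) {
            SSLParameters p = ssl.getSSLParameters();
            p.setServerNames(Collections.singletonList(new SNIHostName(host))); // SNI: shared hosts pick the right cert
            ssl.setSSLParameters(p);
            ssl.startHandshake();
        }
        return tm;
    }

    // Walks the presented chain: certificate i must be issued by certificate i+1, and a complete chain
    // ends in a self-signed root. Whatever is missing here is what the JVM has to find in the truststore.
    static List<String> describe(X509Certificate[] chain) {
        List<String> out = new ArrayList<>();
        if (chain.length == 0) { out.add("!! no certificates received"); return out; }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            out.add("[" + i + "] subject: " + c.getSubjectX500Principal());
            out.add("     issuer:  " + c.getIssuerX500Principal() + "  (expires " + c.getNotAfter() + ")");
            if (i + 1 < chain.length && !c.getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal())) {
                out.add("     !! issuer does not match the next certificate's subject: chain is broken or out of order");
            }
        }
        X509Certificate last = chain[chain.length - 1];
        if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            out.add("!! chain is incomplete: '" + last.getIssuerX500Principal()
                    + "' was not sent, so it (or its root) must already be in the truststore");
        }
        return out;
    }

    // Validates the captured chain the way the JDK's default X509TrustManager does, against the given
    // truststore (null means the JDK default: javax.net.ssl.trustStore or the cacerts file).
    static String validate(X509Certificate[] chain, String authType, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(chain, authType);
                    return "OK: chain validates against the truststore";
                } catch (CertificateException e) {
                    return "FAIL: " + e.getMessage();
                }
            }
        }
        return "FAIL: no X509TrustManager available";
    }

    static String[] hostPort(String s, int defaultPort) {
        int i = s.lastIndexOf(':');
        return i < 0 ? new String[]{s, String.valueOf(defaultPort)} : new String[]{s.substring(0, i), s.substring(i + 1)};
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java ChainCheck host[:port] [proxyHost:proxyPort | -] [truststore.jks password]");
            System.exit(2);
        }
        String[] target = hostPort(args[0], 443);
        String[] proxy = args.length > 1 && !args[1].equals("-") ? hostPort(args[1], 3128) : null;
        KeyStore ts = null;
        if (args.length > 3) {
            ts = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(args[2])) { ts.load(in, args[3].toCharArray()); }
        }
        CapturingTrustManager seen = fetchChain(target[0], Integer.parseInt(target[1]),
                proxy == null ? null : proxy[0], proxy == null ? 0 : Integer.parseInt(proxy[1]));
        describe(seen.chain).forEach(System.out::println);
        System.out.println(validate(seen.chain, seen.authType, ts));
    }
}
```

Run it against the same truststore the application uses (`java ChainCheck api.example.com corp-proxy:3128 truststore.jks changeit`, hostnames assumed). If the output ends with "chain is incomplete" and the validation line reports a PKIX failure, the proxy is omitting an intermediate or its root, which matches the answer. The durable fix is to import the proxy's root CA, plus any intermediate the proxy does not send, into the truststore (for example `keytool -importcert -trustcacerts -alias corp-proxy-root -file proxy-root.pem -keystore truststore.jks`), never the end-user certificate, which the proxy re-issues and which therefore stops validating at the next rotation. Two caveats worth knowing: the browser's certificate viewer shows the chain the browser built, and browsers repair incomplete chains from cached intermediates and AIA fetching, whereas the JDK's PKIX builder does not fetch missing issuers unless `com.sun.security.enableAIAcaIssuers=true` is set, so the browser view is not evidence of what the JVM receives; and for a transparent (non-CONNECT) proxy, `keytool -printcert -sslserver host:port` shows the received chain just as well, since the direct connection is intercepted anyway.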