Java http client not working with https on Azure

Question

I'm trying to fix my (a bit) old(er) Java 11 app that connected to an API without problems using OkHttp3 client.

The API (that I have no control of) had switched to a different SSL certificate, identified as:
issuer: C=US; O=DigiCert, Inc.; CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1

That's what I get when trying to access it via Curl from command line, and I get the response as before.

However, my Java http client SSL handshake keeps getting stuck on azureedge.net CN that results in server not being verified with this exception:

ERROR  [dsa] javax.net.ssl.SSLPeerUnverifiedException: Hostname myhostname.com not verified:
    certificate: sha256/Nvgcs5yexn04uRMOx3YIN1w7gT+OS4b+WlGC8kHEiqQ=
    DN: CN=*.azureedge.net, O=Microsoft Corporation, L=Redmond, ST=WA, C=US
    subjectAltNames: [*.azureedge.net, *.media.microsoftstream.com, *.origin.mediaservices.windows.net, *.streaming.mediaservices.windows.net]

I suspect it has to do with an Azure IoT hub, but - no idea how to work around this.

Any help is much appreciated.

Answer 1

Score: 1

The clue to finding the solution after hours of banging my head was that all Java clients are failing to get the cert right, and that it seems to be related to SNI that is working in the client out of the box.

Not sure if it's the JVM I'm using or not, but the extension that http clients are using seems to be off by default.
Adding the simple:

System.setProperty("jsse.enableSNIExtension", "true");

before any https calls does the trick.
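
To check what a given JVM actually puts on the wire, the following added example (not part of the original answer) builds a ClientHello offline with `SSLEngine` and reports whether it carries the `server_name` (SNI) extension. The class name `SniCheck` and the default host, taken from the exception above, are assumptions of this example.

```java
import javax.net.ssl.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Collections;

public class SniCheck {
    // Produce the client's first handshake flight in memory; no network I/O happens.
    static ByteBuffer clientHello(String host, boolean suppressSni) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, 443);
        engine.setUseClientMode(true);
        if (suppressSni) {
            SSLParameters p = engine.getSSLParameters();
            p.setServerNames(Collections.emptyList()); // empty list: send no server_name
            engine.setSSLParameters(p);
        }
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), out);      // first flight is the ClientHello
        out.flip();
        return out;
    }
    // Walk the ClientHello and return the host name in extension type 0, or null if absent.
    static String sniOf(ByteBuffer b) {
        int p = 5 + 4 + 2 + 32;                // record hdr, handshake hdr, version, random
        p += 1 + (b.get(p) & 0xff);            // session id
        p += 2 + (b.getShort(p) & 0xffff);     // cipher suites
        p += 1 + (b.get(p) & 0xff);            // compression methods
        if (p + 2 > b.limit()) return null;    // no extensions block at all
        int end = p + 2 + (b.getShort(p) & 0xffff);
        p += 2;
        while (p + 4 <= end) {
            int type = b.getShort(p) & 0xffff, len = b.getShort(p + 2) & 0xffff;
            if (type == 0) { // server_name: list length (2), name type (1), name length (2), name
                byte[] name = new byte[b.getShort(p + 7) & 0xffff];
                b.position(p + 9); b.get(name);
                return new String(name, StandardCharsets.US_ASCII);
            }
            p += 4 + len;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "myhostname.com";
        System.out.println("jsse.enableSNIExtension = " + System.getProperty("jsse.enableSNIExtension", "(unset)"));
        System.out.println("default parameters -> SNI: " + sniOf(clientHello(host, false)));
        System.out.println("empty server names -> SNI: " + sniOf(clientHello(host, true)));
    }
}
```

Running it with `-Djsse.enableSNIExtension=false` makes the first result `null` as well. A CDN edge that receives no SNI has no requested name to select a certificate by, which is consistent with the `*.azureedge.net` certificate in the exception above.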

huangapple
  • Posted on 2023-06-01 05:13:57
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76377347.html