httpclient bypass certificate validation for HTTPS request

Posted by piznac on Sun, 24 Nov 2019 16:29:11 +0100

http request is a common application layer protocol for web applications, but due to its insecurity, it is now gradually transitioning to https protocol. https protocol is based on http to tunnel encryption. There are two encryption methods: SSL and TLS. When the server uses https protocol for data exchange, the client will verify the server's certificate when requesting the server. If the server's certificate is issued by four major certification authorities or by their authorized authorities, further requests are allowed. Otherwise, it will warn that the certificate is not trusted. For more information, please refer to https://www.cnblogs.com/handsomeBoys/p/6556336.html

If you use httpclient to request https, you will be prompted that you cannot find a valid certificate path to requested target

In this case, the server certificate is not trusted. You can inherit the DefaultHttpClient class by overriding a class. The code is as follows:

 1 import org.apache.http.conn.ClientConnectionManager;
 2 import org.apache.http.conn.scheme.Scheme;
 3 import org.apache.http.conn.scheme.SchemeRegistry;
 4 import org.apache.http.conn.ssl.SSLSocketFactory;
 5 import org.apache.http.impl.client.DefaultHttpClient;
 6 
 7 import javax.net.ssl.SSLContext;
 8 import javax.net.ssl.TrustManager;
 9 import javax.net.ssl.X509TrustManager;
10 import java.security.cert.CertificateException;
11 import java.security.cert.X509Certificate;
12 
13 public class SSLClient extends DefaultHttpClient {
14     public SSLClient() throws Exception{
15         super();
16         SSLContext ctx = SSLContext.getInstance("TLS");
17         X509TrustManager tm = new X509TrustManager() {
18             @Override
19             public void checkClientTrusted(X509Certificate[] chain,
20                                            String authType) throws CertificateException {
21             }
22             @Override
23             public void checkServerTrusted(X509Certificate[] chain,
24                                            String authType) throws CertificateException {
25             }
26             @Override
27             public X509Certificate[] getAcceptedIssuers() {
28                 return null;
29             }
30         };
31         ctx.init(null, new TrustManager[]{tm}, null);
32         SSLSocketFactory ssf = new SSLSocketFactory(ctx,SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
33         ClientConnectionManager ccm = this.getConnectionManager();
34         SchemeRegistry sr = ccm.getSchemeRegistry();
35         sr.register(new Scheme("https", 443, ssf));
36     }
37 }

Then use the constructor of this class to create an HttpClient object when creating an https request. For example:

 1 import org.apache.http.Header;
 2 import org.apache.http.HttpResponse;
 3 import org.apache.http.client.methods.HttpGet;
 4 import org.apache.http.impl.client.CloseableHttpClient;
 5 
 6 public class RestApi {
 7 
 8     public static String getCsrf(){
 9         String csrfToken = "";
10         try {
11             CloseableHttpClient client = new SSLClient();
12             String url = "https://10.67.19.186";
13             HttpGet get = new HttpGet(url);
14             HttpResponse response = client.execute(get);
15             Header setCookidHeader = response.getFirstHeader("Set-Cookie");
16             csrfToken = setCookidHeader.getValue().split(";")[0].split("=")[1];
17         } catch (Exception e) {
18             e.printStackTrace();
19         }
20         return csrfToken;
21     }

Topics: Java Apache SSL