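w******c Posts: 574 | 1 I'm currently writing a connection using a URL.
HTTP connections work fine, and ordinary HTTPS with a normal certificate also works fine.
But sometimes I hit an unknown certificate and get an exception.
Then all I can do is manually download the certificate from that URL and put it in the keystore,
and then I can connect.
I'd like to ask whether there is a way to have Java download these unknown certificates automatically,
so I don't have to download them manually every time.
//thx |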
t*******e Posts: 684 | 2 KeyTool has both a command line and API methods, so you can add certificates to the keystore programmatically at runtime; thus, the approach you proposed is attainable. |
w******c Posts: 574 | 3 Thx! That's exactly what I want to do.
Is there any document describing such a method? What is the keyword I should
google?
//bow
[Quoting t*******e's post] : KeyTool has both a command line and API methods, so you can add certificates to the keystore programmatically at runtime; thus, the approach you proposed is attainable.
|
t*******e Posts: 684 | |
k***r Posts: 4260 | 5 This is really annoying, because most of the time you don't really care
about certificates. Is there a way to disable the exception, and just take
any certs? |
A**o Posts: 1550 | 6 Write your own handshaker and eat whatever cert is given to you?
[Quoting k***r's post] : This is really annoying, because most of the time you don't really care : about certificates. Is there a way to disable the exception, and just take : any certs?
|
m******t Posts: 2416 | 7
I wonder if one of those more sophisticated libraries
like httpclient has this out of the box. Never had to do it
myself, so I wouldn't know.
[Quoting A**o's post] : Write your own handshaker and eat whatever cert is given to you?
|
k***r Posts: 4260 | 8 I've never done that, or researched that. Is it possible to inject my own
handler if I'm using a third party library that makes the HTTPS call?
[Quoting A**o's post] : Write your own handshaker and eat whatever cert is given to you?
|
g*****g Posts: 34805 | 9 A certificate is that kind of "get it once and forget about it" stuff.
What magicfat suggested is using this kind of third party to access
the url once and do the dirty work, then you can go back to your
code. You introduce some overhead but it's usually not a problem.
[Quoting k***r's post] : I've never done that, or researched that. Is it possible to inject my own : handler if I'm using a third party library that makes the HTTPS call?
|
k***r Posts: 4260 | 10 Thanks for the reply but you didn't read my post right :)
In my case, it's a third party library that I have to use, and I don't have
source for. That library is making the call to the HTTPS site. Because I don't
have the source, I cannot replace the http client used by that library...
[Quoting g*****g's post] : A certificate is that kind of "get it once and forget about it" stuff. : What magicfat suggested is using this kind of third party to access : the url once and do the dirty work, then you can go back to your : code. You introduce some overhead but it's usually not a problem.
|
g*****g Posts: 34805 | 11 You don't get it. Java maintains a keystore, certificate is issued by CA.
Certain CAs (M$, Sun etc.) are automatically trusted, others you need to
implement a trusting process (this is like you ssh to a new site, you need
to manually accept a certificate).
Some of these third party libraries may have implemented this trusting
process. If that's the case, then by calling these libs, you are able
to import certificate to your local keystore, then you can do whatever
you need to. You don't have to
[Quoting k***r's post] : Thanks for the reply but you didn't read my post right :) : In my case, it's a third party library that I have to use, and I don't have : source for. That library is making the call to the HTTPS site. Because I don't : have the source, I cannot replace the http client used by that library...
|
k***r Posts: 4260 | 12 I'm sorry but I understand that well. My question is, is there a way to
ignore the cert (use it without verifying it) and just go ahead and get the
page, like what the http client lib of the other languages or HTTP client
applications (IE/FF/etc.) let you do. I don't want to trust them, say, https
content. I have no intention of importing the certs. |
w******c Posts: 574 | 13
You mean automatically import to your local keystore?
Or you need to manually write some code to import?
Do you know any such library?
Many thanks
[Quoting g*****g's post] : You don't get it. Java maintains a keystore, certificate is issued by CA. : Certain CAs (M$, Sun etc.) are automatically trusted, others you need to : implement a trusting process (this is like you ssh to a new site, you need : to manually accept a certificate). : Some of these third party libraries may have implemented this trusting : process. If that's the case, then by calling these libs, you are able : to import certificate to your local keystore, then you can do whatever : you need to. You don't have to
|
g*****g Posts: 34805 | 14 Certificate is public key, you import certificate from server so that you
can encrypt your request and the server can decrypt it. If the server doesn't
operate on non-secure mode, I am afraid you can't do that.
[Quoting k***r's post] : I'm sorry but I understand that well. My question is, is there a way to : ignore the cert (use it without verifying it) and just go ahead and get the : page, like what the http client lib of the other languages or HTTP client : applications (IE/FF/etc.) let you do. I don't want to trust them, say, https : content. I have no intention of importing the certs.
|
g*****g Posts: 34805 | 15 Never did this before but I found some discussion about it,
http://forums.sun.com/thread.jspa?messageID=2674364
[Quoting w******c's post] : You mean automatically import to your local keystore? : Or you need to manually write some code to import? : Do you know any such library? : Many thanks
|
k***r Posts: 4260 | 16 Let me rephrase: I'd like to download and use the cert, without explicitly
importing it to the key store. I can do this with IE/FF. Every time you
visit a site, even with self-signed certs, IE/FF let you ignore the issue
and view the page. I can do this with Python. I think Python skips the check
by default (although I haven't looked deeper.) But Java doesn't let you do
that easily.
[Quoting g*****g's post] : Certificate is public key, you import certificate from server so that you : can encrypt your request and the server can decrypt it. If the server doesn't : operate on non-secure mode, I am afraid you can't do that.
|