问题描述
我正在尝试访问由 https 保护的应用程序,我有一个 p12 证书(已作为 .cer 导入到我的 jdk 的 cacerts 文件夹中)。
我已经尝试过本教程但没有成功: https://dzone.com/articles/ssl-based-feignclient-example-in-java-microcervice
而且我也在使用这个解决方案的一部分: How to use p12 client certificate with spring feign client
调试 ssl 连接时出现以下错误:
javax.net.ssl|ERROR|25|http-nio-auto-1-exec-1|2021-01-26 16:56:34.789 BRT|TransportContext.java:317|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure
我当前的 feign 配置类
@Bean
@ConditionalOnMissingBean
public Feign.Builder feignBuilder(Retryer retryer) {
return Feign.builder().retryer(retryer);
}
@Bean
public Feign.Builder feignBuilder() {
return Feign.builder()
.retryer(Retryer.NEVER_RETRY)
.client(new Client.Default(getSSLSocketFactory(),null));
}
private SSLSocketFactory getSSLSocketFactory() {
String keyStorePassword = "myPassword";
char[] allPassword = keyStorePassword.tochararray();
SSLContext sslContext = null;
try {
sslContext = SSLContextBuilder
.create()
.setKeyStoreType("PKCS12")
.loadKeyMaterial(ResourceUtils.getFile("keypath"),allPassword,allPassword)
.build();
} catch (Exception e) { }
return sslContext.getSocketFactory();
}
在代码的调试部分,我可以看到我的证书在那里,但我的 java 仍然收到握手错误。我是 ssl 概念的新手,可能有一些配置错误。
最后一点,当在 feign config 类中并通过 System 设置信任存储和密码时
System.setProperty("javax.net.ssl.trustStorePassword","pass");
System.setProperty("javax.net.ssl.trustStore","pathtocerth.p12");
错误更改为:
javax.net.ssl|ERROR|25|http-nio-auto-1-exec-1|2021-01-26 16:48:58.551 BRT|TransportContext.java:317|Fatal (CERTIFICATE_UNKNowN): PKIX path building Failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
解决方法
自从我发现问题以来,我正在回答自己。如果有人遇到同样的问题,解决方案很简单。
在应用程序属性中,您需要添加这些属性:
feign.httpclient.disableSslValidation=true
feign.httpclient.enabled=false
feign.okhttp.enabled=true
来自
<dependency>
<groupId>io.github.openfeign</groupId>
<artifactId>feign-httpclient</artifactId>
<version>9.4.0</version>
</dependency>
设置feign配置类
@Configuration
public class CustomFeignConfiguration {
@Bean
public void Config() {
System.setProperty("javax.net.ssl.keyStoreType","PKCS12");
System.setProperty("javax.net.ssl.keyStore","path to p12");
System.setProperty("javax.net.ssl.keyStorePassword","key password");
}
并在 feign 请求中使用 feign 配置
@FeignClient(name = "foo",url = "https://foo/foo",configuration = CustomFeignConfiguration.class)
public interface IFeingRequest {
request here
}
使用此解决方案,我不需要转换证书并将其存储到 Java 信任库中。