1. Overview
In this tutorial, we’ll see how to create and configure an OkHttpClient to trust all certificates.
Take a look at our articles about OkHttp for more specifics on the library.
2. Maven Dependency
Let’s start by adding the OkHttp dependency to our pom.xml file:
<dependency>
    <groupId>com.squareup.okhttp3</groupId>
    <artifactId>okhttp</artifactId>
    <version>4.9.2</version>
</dependency>
3. Use a Normal OkHttpClient
First, let’s take a standard OkHttpClient object and call a web page with an expired certificate:
OkHttpClient client = new OkHttpClient.Builder().build();
client.newCall(new Request.Builder().url("https://expired.badssl.com/").build()).execute();
The stack trace output will look like this:
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Now, let’s see the error received when we try another website with a self-signed certificate:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
And let’s try a website with a wrong-host certificate:
Hostname wrong.host.badssl.com not verified
As we see, by default, OkHttpClient throws errors when the sites it calls have bad certificates. So next, we’ll see how to create and configure an OkHttpClient to trust all certificates.
4. Set Up an OkHttpClient to Trust All Certificates
Let’s create our array of TrustManager containing a single X509TrustManager that disables the default certificate validation by overriding its methods with empty implementations:
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        // Empty body: no client certificate chain is ever rejected
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
        }

        // Empty body: any server certificate chain is accepted (expired, self-signed, unknown issuer)
        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
        }

        // No trusted issuers are advertised
        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[]{};
        }
    }
};
We’ll use this array of TrustManager to create an SSLContext:
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
And then, we’ll use this SSLContext to set the OkHttpClient builder’s SSLSocketFactory:
OkHttpClient.Builder newBuilder = new OkHttpClient.Builder();
newBuilder.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0]);
newBuilder.hostnameVerifier((hostname, session) -> true);
We also set the new Builder’s HostnameVerifier to a HostnameVerifier whose verify method always returns true, so the host name in the certificate is never compared with the host being called.
Finally, we can get a new OkHttpClient object and call the sites with bad certificates again without any error:
OkHttpClient newClient = newBuilder.build();
newClient.newCall(new Request.Builder().url("https://expired.badssl.com/").build()).execute();
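For the self-signed case from section 3, a narrower alternative to the trust-all client is to trust only that one server certificate and leave hostname verification switched on. The following is an added example, not code from the original article; the class name, the file name dev-server.pem, the alias dev-server and the URL are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class SingleCertClient {
    // Builds a client that trusts only the PEM certificate at pemPath (hypothetical file).
    static OkHttpClient build(String pemPath) throws Exception {
        Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // In-memory trust store holding just that certificate; the JDK's default CAs are not included.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("dev-server", cert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] trustManagers = tmf.getTrustManagers();
        // The default (PKIX) factory returns a single X509TrustManager.
        X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagers, null);
        // No hostnameVerifier override: OkHttp's default hostname check stays enabled.
        return new OkHttpClient.Builder()
            .sslSocketFactory(sslContext.getSocketFactory(), trustManager)
            .build();
    }

    public static void main(String[] args) throws Exception {
        OkHttpClient client = build("dev-server.pem"); // hypothetical path
        Request request = new Request.Builder().url("https://localhost:8443/").build(); // hypothetical URL
        try (Response response = client.newCall(request).execute()) {
            System.out.println(response.code());
        }
    }
}
```

Because hostname verification remains on, the certificate has to list the server's host name as a subject alternative name; a certificate from any other server still fails with the PKIX error shown in section 3.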
5. Conclusion
In this short article, we’ve seen how to create and configure an OkHttpClient to trust all certificates. Of course, trusting all certificates is not recommended: a client configured this way accepts any certificate for any host, so it cannot tell the intended server from one intercepting the connection. However, there may be some cases where we will need it.
The complete code for this article is available over on GitHub.