如何使用自签名证书进行https请求-阿里云开发者社区

如何使用自签名证书进行https请求

2023-02-21 380

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

本文涉及的产品

云解析 DNS，旗舰版 1个月

全局流量管理 GTM，标准版 1个月

公共DNS（含HTTPDNS解析），每月1000万次HTTP解析

简介： 如何使用自签名证书进行https请求

1.生成自签名证书

生成私钥

openssl genrsa -out private.key

生成自签名证书

openssl req -new -key private.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey private.key -out ca.pem

365为天数

第一条命令只需填Common Name（域名）, 如下：

❯ openssl req -new -key private.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:*.kq-qzj.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

2.配置nginx

将生成的private.key和ca.pem放入/etc/nginx/cert下

配置nginx

server {
    listen 30443 ssl;
    server_name *.kq-qzj.cn;
    ssl_certificate  /etc/nginx/cert/ca.pem;
    ssl_certificate_key /etc/nginx/cert/private.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
      root /etc/nginx/conf.d;
    }
}

3. Java客户端跳过SSL和配置DNS解析

自定义DNS解析

import org.apache.http.conn.DnsResolver;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
/**
 * @author Zijian Liao
 * @since 2.9.0
 */
@Component
public class HisResolver implements DnsResolver, InitializingBean {
    private Map<String, InetAddress[]> dnsMap = new ConcurrentHashMap<>();
    @Override
    public InetAddress[] resolve(String host) throws UnknownHostException {
        final InetAddress[] resolvedAddresses = dnsMap.get(host);
        if(resolvedAddresses != null){
            return resolvedAddresses;
        }
        return InetAddress.getAllByName(host);
    }
    // 初始化
    @Override
    public void afterPropertiesSet() throws Exception {
        this.refreshAddress();
    }
    // 定时刷新
    @Scheduled(fixedRateString = "PT5M")
    public void refreshTask() throws UnknownHostException {
        this.refreshAddress();
    }
    private void refreshAddress() throws UnknownHostException {
        // 模拟查询数据库
        Map<String, InetAddress[]> dnsMap = new ConcurrentHashMap<>();
        InetAddress[] inetAddress = InetAddress.getAllByName("127.0.0.1");
        dnsMap.put("a.kqqzj.cn", inetAddress);
        dnsMap.put("b.kqqzj.cn", inetAddress);
        dnsMap.put("c.kqqzj.cn", inetAddress);
        dnsMap.put("d.kqqzj.cn", inetAddress);
        this.dnsMap = dnsMap;
    }
}

跳过SSL

import lombok.extern.slf4j.Slf4j;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;
import javax.annotation.Resource;
import javax.net.ssl.SSLContext;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
/**
 * @author Zijian Liao
 * @since 2.9.0
 */
@Slf4j
@SpringBootTest
public class RestTemplateTest {
    @Resource
    private HisResolver hisResolver;
    private RestTemplate restTemplate;
    @BeforeEach
    public void init() throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
        // SSL
        TrustStrategy acceptingTrustStrategy = (x509Certificates, authType) -> true;
        SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
        SSLConnectionSocketFactory connectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
                new NoopHostnameVerifier());
        HttpClient httpClient = HttpClientBuilder.create()
                .setDnsResolver(hisResolver)
                .setSSLSocketFactory(connectionSocketFactory)
                .build();
        ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
        this.restTemplate = new RestTemplate(requestFactory);
    }
    @Test
    public void testSsl(){
        System.out.println(restTemplate.getForObject("https://a.kq-qzj.cn:30443/a.html", String.class));
        System.out.println(restTemplate.getForObject("https://b.kq-qzj.cn:30443/a.html", String.class));
        System.out.println(restTemplate.getForObject("https://c.kq-qzj.cn:30443/a.html", String.class));
        System.out.println(restTemplate.getForObject("https://d.kq-qzj.cn:30443/a.html", String.class));
        System.out.println(restTemplate.getForObject("http://127.0.0.1:10000/a.html", String.class));
    }
}

如何使用自签名证书进行https请求

1.生成自签名证书

2.配置nginx

3. Java客户端跳过SSL和配置DNS解析

热门文章

最新文章

相关课程

相关电子书

相关实验场景