Java: Trusting All SSL Certificates (Fixing the "PKIX path building failed" Error)
Published: 2019-06-24


Posted on 2014/04/29

When Java sends a request to certain HTTPS sites whose certificates are not trusted, it fails with: PKIX path building failed

```
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	at SslTest.getRequest(SslTest.java:16)
	at SslTest.main(SslTest.java:40)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:230)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	... 19 more
```

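Solutions:

1. Import the certificate into the local certificate store

2. Trust all SSL certificates

The best solution is perhaps to trust all SSL certificates, because having to import a certificate by hand every time is sometimes not possible and is very tedious. I have wrapped this up in a method; all you need to do is ignore the certificate when connecting with openConnection.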

SslUtils.ignoreSsl();

SslUtils.java:

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SslUtils {

    // Installs a socket factory that accepts every certificate as the default
    // for all HttpsURLConnection instances in this JVM.
    private static void trustAllHttpsCertificates() throws Exception {
        TrustManager[] trustAllCerts = new TrustManager[1];
        TrustManager tm = new miTM();
        trustAllCerts[0] = tm;
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }

    // Trust manager whose checks never throw, so no certificate chain is rejected.
    static class miTM implements TrustManager, X509TrustManager {
        public X509Certificate[] getAcceptedIssuers() {
            // The X509TrustManager contract requires a non-null array.
            return new X509Certificate[0];
        }

        public boolean isServerTrusted(X509Certificate[] certs) {
            return true;
        }

        public boolean isClientTrusted(X509Certificate[] certs) {
            return true;
        }

        public void checkServerTrusted(X509Certificate[] certs, String authType)
                throws CertificateException {
            return;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType)
                throws CertificateException {
            return;
        }
    }

    /**
     * Ignores the SSL certificate for HTTPS requests; must be called before openConnection.
     * @throws Exception
     */
    public static void ignoreSsl() throws Exception {
        // Hostname verifier that logs the mismatch and accepts any host name.
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String urlHostName, SSLSession session) {
                System.out.println("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
                return true;
            }
        };
        trustAllHttpsCertificates();
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
    }
}
```

SslTest.java:

```java
import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

import org.apache.commons.io.IOUtils;

public class SslTest {

    // GET request; for https URLs the certificate checks are switched off first.
    public String getRequest(String url, int timeOut) throws Exception {
        URL u = new URL(url);
        if ("https".equalsIgnoreCase(u.getProtocol())) {
            SslUtils.ignoreSsl();
        }
        URLConnection conn = u.openConnection();
        conn.setConnectTimeout(timeOut);
        conn.setReadTimeout(timeOut);
        return IOUtils.toString(conn.getInputStream());
    }

    // POST request that writes args as the UTF-8 request body.
    public String postRequest(String urlAddress, String args, int timeOut) throws Exception {
        URL url = new URL(urlAddress);
        if ("https".equalsIgnoreCase(url.getProtocol())) {
            SslUtils.ignoreSsl();
        }
        URLConnection u = url.openConnection();
        u.setDoInput(true);
        u.setDoOutput(true);
        u.setConnectTimeout(timeOut);
        u.setReadTimeout(timeOut);
        OutputStreamWriter osw = new OutputStreamWriter(u.getOutputStream(), "UTF-8");
        osw.write(args);
        osw.flush();
        osw.close();
        return IOUtils.toString(u.getInputStream());
    }

    public static void main(String[] args) {
        try {
            SslTest st = new SslTest();
            String a = st.getRequest("https://xxx.com/login.action", 3000);
            System.out.println(a);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

Reposted from: https://my.oschina.net/fdhay/blog/677226
