禁用 Elastic search Restclient 的 SSL 验证在 Java 中不起作用
Disabling SSL verification for Elastic search Restclient not working in Java
我正在尝试连接到 gcp 框中托管的弹性搜索。要连接到此,有一个 SSL 检查,我需要一个证书。
不过,根据这些讨论,我们有可能关闭此验证。
https://discuss.elastic.co/t/host-name-does-not-match-the-certificate/186618
我曾尝试删除验证。但它抛出以下错误
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at org.elasticsearch.client.RestClient$SyncResponseListener.get(RestClient.java:947)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:229)
at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1762)
at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1732)
at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1694)
at org.elasticsearch.client.RestHighLevelClient.search(RestHighLevelClient.java:1090)
at org.dexter.lab.elasticUtils.ESUtils.getLastIndexedTimeStamp(ESUtils.java:44)
at org.dexter.lab.druidUtils.DruidDelayChecker.main(DruidDelayChecker.java:357)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.run(Handshaker.java:970)
at sun.security.ssl.Handshaker.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 23 more
这是我所做的:
我做了一个重写来验证函数并返回 true。这样它就不会检查了。这是
的代码
restClientBuilder.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder.setSSLHostnameVerifier(new HostnameVerifier() {
public boolean verify(String s, SSLSession sslSession) {
return true;
}
});
}
});
我尝试了另一种方式,也和弹性线中提到的一样
restClientBuilder.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
}
});
我生成了一个自签名证书并且有效。我已启用调试日志以查看为什么需要证书。
这些是添加证书后的日志:
***
Found trusted certificate:
[
[
Version: V3
后面是关于证书的详细信息。
问题是我无法为生产环境生成自签名证书,而且即使在覆盖后我也没有使用证书。
是否有任何可能的解决方法?非常感谢任何帮助。
提前致谢
在您的示例中,您仅禁用了主机名验证。服务器(ElasticSearch 或 ElasticSearch 之上的东西)正在向您发送 public key/certificate 并且您的 Restclient 尝试在 ssl 握手期间验证它。您需要做的是告诉您的 RestClient OK 从任何人那里接收证书但是当它收到证书时 不应该真正验证它.因此,您需要一个自定义信任管理器,它的任务是验证证书,但实际上它根本不验证。您需要的是 UnsafeX509ExtendedTrustManager,请参阅下面的代码片段和 RestClient 的用法:
选项 1
public final class UnsafeX509ExtendedTrustManager extends X509ExtendedTrustManager {
private static final X509ExtendedTrustManager INSTANCE = new UnsafeX509ExtendedTrustManager();
private static final X509Certificate[] EMPTY_CERTIFICATES = new X509Certificate[0];
private UnsafeX509ExtendedTrustManager() {}
public static X509ExtendedTrustManager getInstance() {
return INSTANCE;
}
@Override
public void checkClientTrusted(X509Certificate[] certificates, String authType) {
}
@Override
public void checkClientTrusted(X509Certificate[] certificates, String authType, Socket socket) {
}
@Override
public void checkClientTrusted(X509Certificate[] certificates, String authType, SSLEngine sslEngine) {
}
@Override
public void checkServerTrusted(X509Certificate[] certificates, String authType) {
}
@Override
public void checkServerTrusted(X509Certificate[] certificates, String authType, Socket socket) {
}
@Override
public void checkServerTrusted(X509Certificate[] certificates, String authType, SSLEngine sslEngine) {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return EMPTY_CERTIFICATES;
}
}
可以使用以下代码片段将上述信任管理器提供给 RestHighLevelClient:
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{ UnsafeX509ExtendedTrustManager.INSTANCE }, null);
RestClient restClient = RestClient
.builder(new HttpHost("localhost", 9200, "https"))
.setHttpClientConfigCallback(httpClientBuilder ->
httpClientBuilder.setSSLContext(sslContext)
.setSSLHostnameVerifier((host, session) -> true))
.build();
顺便说一下,我不建议您或其他任何人使用 UnsafeX509ExtendedTrustManager。它不安全,根本不应在生产中使用。
选项 2
如果您不想将自定义代码添加到您的代码库中,而只想轻松禁用 ssl 验证,您可能想尝试以下代码段。它是一个可以轻松生成 SSLContext 或其他 ssl 材料的库,并且可以选择禁用 ssl 验证。
<dependency>
<groupId>io.github.hakky54</groupId>
<artifactId>sslcontext-kickstart</artifactId>
<version>7.1.0</version>
</dependency>
用法
SSLFactory sslFactory = SSLFactory.builder()
.withUnsafeTrustMaterial()
.withUnsafeHostnameVerifier()
.build();
RestClient restClient = RestClient
.builder(new HttpHost("localhost", 9200, "https"))
.setHttpClientConfigCallback(httpClientBuilder ->
httpClientBuilder.setSSLContext(sslFactory.getSslContext())
.setSSLHostnameVerifier(sslFactory.getHostnameVerifier())
.build();
您好,有很简单的方法可以做到这一点。代码更少。
希望这对你有帮助,我遇到了同样的问题,这就是我解决的方法。
@Bean
public RestHighLevelClient createSimpleElasticClient() throws Exception {
try {
SSLContextBuilder sslBuilder = SSLContexts.custom()
.loadTrustMaterial(null, (x509Certificates, s) -> true);
final SSLContext sslContext = sslBuilder.build();
RestHighLevelClient client = new RestHighLevelClient(RestClient
.builder(new HttpHost(hostNameOrLoadbalancerURL, 443, "https"))
//port number is given as 443 since its https schema
.setHttpClientConfigCallback(new HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder
.setSSLContext(sslContext)
.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
}
})
.setRequestConfigCallback(new RestClientBuilder.RequestConfigCallback() {
@Override
public RequestConfig.Builder customizeRequestConfig(
RequestConfig.Builder requestConfigBuilder) {
return requestConfigBuilder.setConnectTimeout(5000)
.setSocketTimeout(120000);
}
}));
System.out.println("elasticsearch client created");
return client;
} catch (Exception e) {
System.out.println(e);
throw new Exception("Could not create an elasticsearch client!!");
}
}
我正在尝试连接到 gcp 框中托管的弹性搜索。要连接到此,有一个 SSL 检查,我需要一个证书。
不过,根据这些讨论,我们有可能关闭此验证。
https://discuss.elastic.co/t/host-name-does-not-match-the-certificate/186618
我曾尝试删除验证。但它抛出以下错误
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at org.elasticsearch.client.RestClient$SyncResponseListener.get(RestClient.java:947)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:229)
at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1762)
at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1732)
at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1694)
at org.elasticsearch.client.RestHighLevelClient.search(RestHighLevelClient.java:1090)
at org.dexter.lab.elasticUtils.ESUtils.getLastIndexedTimeStamp(ESUtils.java:44)
at org.dexter.lab.druidUtils.DruidDelayChecker.main(DruidDelayChecker.java:357)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.run(Handshaker.java:970)
at sun.security.ssl.Handshaker.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 23 more
这是我所做的:
我做了一个重写来验证函数并返回 true。这样它就不会检查了。这是
的代码restClientBuilder.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder.setSSLHostnameVerifier(new HostnameVerifier() {
public boolean verify(String s, SSLSession sslSession) {
return true;
}
});
}
});
我尝试了另一种方式,也和弹性线中提到的一样
restClientBuilder.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
}
});
我生成了一个自签名证书并且有效。我已启用调试日志以查看为什么需要证书。
这些是添加证书后的日志:
***
Found trusted certificate:
[
[
Version: V3
后面是关于证书的详细信息。
问题是我无法为生产环境生成自签名证书,而且即使在覆盖后我也没有使用证书。
是否有任何可能的解决方法?非常感谢任何帮助。
提前致谢
在您的示例中,您仅禁用了主机名验证。服务器(ElasticSearch 或 ElasticSearch 之上的东西)正在向您发送 public key/certificate 并且您的 Restclient 尝试在 ssl 握手期间验证它。您需要做的是告诉您的 RestClient OK 从任何人那里接收证书但是当它收到证书时 不应该真正验证它.因此,您需要一个自定义信任管理器,它的任务是验证证书,但实际上它根本不验证。您需要的是 UnsafeX509ExtendedTrustManager,请参阅下面的代码片段和 RestClient 的用法:
选项 1
public final class UnsafeX509ExtendedTrustManager extends X509ExtendedTrustManager {
private static final X509ExtendedTrustManager INSTANCE = new UnsafeX509ExtendedTrustManager();
private static final X509Certificate[] EMPTY_CERTIFICATES = new X509Certificate[0];
private UnsafeX509ExtendedTrustManager() {}
public static X509ExtendedTrustManager getInstance() {
return INSTANCE;
}
@Override
public void checkClientTrusted(X509Certificate[] certificates, String authType) {
}
@Override
public void checkClientTrusted(X509Certificate[] certificates, String authType, Socket socket) {
}
@Override
public void checkClientTrusted(X509Certificate[] certificates, String authType, SSLEngine sslEngine) {
}
@Override
public void checkServerTrusted(X509Certificate[] certificates, String authType) {
}
@Override
public void checkServerTrusted(X509Certificate[] certificates, String authType, Socket socket) {
}
@Override
public void checkServerTrusted(X509Certificate[] certificates, String authType, SSLEngine sslEngine) {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return EMPTY_CERTIFICATES;
}
}
可以使用以下代码片段将上述信任管理器提供给 RestHighLevelClient:
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{ UnsafeX509ExtendedTrustManager.INSTANCE }, null);
RestClient restClient = RestClient
.builder(new HttpHost("localhost", 9200, "https"))
.setHttpClientConfigCallback(httpClientBuilder ->
httpClientBuilder.setSSLContext(sslContext)
.setSSLHostnameVerifier((host, session) -> true))
.build();
顺便说一下,我不建议您或其他任何人使用 UnsafeX509ExtendedTrustManager。它不安全,根本不应在生产中使用。
选项 2
如果您不想将自定义代码添加到您的代码库中,而只想轻松禁用 ssl 验证,您可能想尝试以下代码段。它是一个可以轻松生成 SSLContext 或其他 ssl 材料的库,并且可以选择禁用 ssl 验证。
<dependency>
<groupId>io.github.hakky54</groupId>
<artifactId>sslcontext-kickstart</artifactId>
<version>7.1.0</version>
</dependency>
用法
SSLFactory sslFactory = SSLFactory.builder()
.withUnsafeTrustMaterial()
.withUnsafeHostnameVerifier()
.build();
RestClient restClient = RestClient
.builder(new HttpHost("localhost", 9200, "https"))
.setHttpClientConfigCallback(httpClientBuilder ->
httpClientBuilder.setSSLContext(sslFactory.getSslContext())
.setSSLHostnameVerifier(sslFactory.getHostnameVerifier())
.build();
您好,有很简单的方法可以做到这一点。代码更少。
希望这对你有帮助,我遇到了同样的问题,这就是我解决的方法。
@Bean
public RestHighLevelClient createSimpleElasticClient() throws Exception {
try {
SSLContextBuilder sslBuilder = SSLContexts.custom()
.loadTrustMaterial(null, (x509Certificates, s) -> true);
final SSLContext sslContext = sslBuilder.build();
RestHighLevelClient client = new RestHighLevelClient(RestClient
.builder(new HttpHost(hostNameOrLoadbalancerURL, 443, "https"))
//port number is given as 443 since its https schema
.setHttpClientConfigCallback(new HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder
.setSSLContext(sslContext)
.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
}
})
.setRequestConfigCallback(new RestClientBuilder.RequestConfigCallback() {
@Override
public RequestConfig.Builder customizeRequestConfig(
RequestConfig.Builder requestConfigBuilder) {
return requestConfigBuilder.setConnectTimeout(5000)
.setSocketTimeout(120000);
}
}));
System.out.println("elasticsearch client created");
return client;
} catch (Exception e) {
System.out.println(e);
throw new Exception("Could not create an elasticsearch client!!");
}
}