Obtaining a valid SSL/TLS certificate for a target host (when the certificate cannot be downloaded directly)
2012-05-20 06:11
Nowadays many websites and services are built on SSL and require you to download and install a certificate before you can access them. If the site offers the certificate for download, there is of course no problem at all.
But if you are not allowed to download it, and it is not a CA certificate but only a self-signed server certificate, and all you know is the host address and port, then forcing a connection from your own program may produce an error like this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
It turns out that Sun provides a utility program (InstallCert) which can be invoked from code to retrieve the server's certificate.
Here I use a part of 12306's ticket-purchase flow that requires a certificate as the example:
E:\learn\security>java TestFetchingCert dynamic.12306.cn
Loading KeyStore C:\shared\jdk1.6.0_18\jre\lib\security\cacerts...
Opening connection to dynamic.12306.cn:443...
Starting SSL handshake...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at InstallCert.main(InstallCert.java:97)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:192)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1027)
... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
... 14 more
Server sent 2 certificate(s):
1 Subject CN=dynamic.12306.cn, OU=铁路客户服务中心, O=Sinorail Certification Authority, C=CN
Issuer CN=SRCA, O=Sinorail Certification Authority, C=CN
sha1 f6 2e c7 e4 12 d1 aa b3 f0 7f ac b7 f7 20 e6 77 da e5 b9 b7
md5 cb 3b 65 19 fe b4 88 28 5b 0c 81 f8 bc ef ba 93
2 Subject CN=SRCA, O=Sinorail Certification Authority, C=CN
Issuer CN=SRCA, O=Sinorail Certification Authority, C=CN
sha1 ae 3f 2e 66 d4 8f c6 bd 1d f1 31 e8 9d 76 8d 50 5d f1 43 02
md5 60 13 24 f0 9a e9 88 49 58 1b 37 c9 a1 90 57 24
Enter certificate to add to trusted keystore or 'q' to quit: [1]
[
[
Version: V3
Subject: CN=dynamic.12306.cn, OU=铁路客户服务中心, O=Sinorail Certification Authority, C=CN
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus: 131877243788581441455453893594344470200831819323761004983028382908123170744716274924195017274254124953756531355671448830163684168356232189427657515240155383489455640758012703375457674009273923267881490333363099952573578023750920902134321577573362887935276807781022292107338956095769504324054527406579242046053
public exponent: 65537
Validity: [From: Wed Jun 01 17:56:35 CST 2011,
To: Sat May 31 17:56:35 CST 2014]
Issuer: CN=SRCA, O=Sinorail Certification Authority, C=CN
SerialNumber: [ 205cfb9e 4a12b557]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9C 0F FE C1 B2 9D 07 6D 9F 88 EC E1 77 3D DF 41 .......m....w=.A
0010: 1D 4E 8E 43 .N.C
]
]
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 79 5E B6 77 B7 E2 52 83 43 ED C7 51 88 4C 63 85 y^.w..R.C..Q.Lc.
0010: 2C 00 43 58 ,.CX
]
]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
]
Unparseable certificate extensions: 1
[1]: ObjectId: 2.5.29.31 Criticality=false
Unparseable CRLDistributionPoints extension due to
java.io.IOException: invalid URI name:ldap://210.75.98.102:390/cn=crl3,OU=CRL,O=Sinorail Certification Authority,C=CN?certificateRevocationList?base?objectclass=idaPerson
0000: 30 81 90 30 81 8D A0 81 8A A0 81 87 86 81 84 6C 0..0...........l
0010: 64 61 70 3A 2F 2F 32 31 30 2E 37 35 2E 39 38 2E dap://210.75.98.
0020: 31 30 32 3A 33 39 30 2F 63 6E 3D 63 72 6C 33 2C 102:390/cn=crl3,
0030: 4F 55 3D 43 52 4C 2C 4F 3D 53 69 6E 6F 72 61 69 OU=CRL,O=Sinorai
0040: 6C 20 43 65 72 74 69 66 69 63 61 74 69 6F 6E 20 l Certification
0050: 41 75 74 68 6F 72 69 74 79 2C 43 3D 43 4E 3F 63 Authority,C=CN?c
0060: 65 72 74 69 66 69 63 61 74 65 52 65 76 6F 63 61 ertificateRevoca
0070: 74 69 6F 6E 4C 69 73 74 3F 62 61 73 65 3F 6F 62 tionList?base?ob
0080: 6A 65 63 74 63 6C 61 73 73 3D 69 64 61 50 65 72 jectclass=idaPer
0090: 73 6F 6E son
]
Algorithm: [SHA1withRSA]
Signature:
0000: AC 2F FA 07 7B 8F 92 8B 51 2D A4 8A E3 FE AA 56 ./......Q-.....V
0010: 16 AD 38 DC E0 87 4B ED 47 05 B4 4B D6 4E 73 5E ..8...K.G..K.Ns^
0020: 19 66 8B 2C BB 1D 7B 6A A5 23 E1 8E 79 25 DD 9D .f.,...j.#..y%..
0030: DF 8F 6D F0 5C E6 79 36 41 0F 0A AF 90 72 D5 CD ..m.\.y6A....r..
0040: B1 1D 20 DB 6E 27 8D 56 42 29 8D 18 E8 D3 6D EF .. .n'.VB)....m.
0050: 99 EE 83 7B 68 16 49 00 A2 B9 FD 82 9E 76 07 A3 ....h.I......v..
0060: 45 60 C7 D6 04 68 14 39 1F 8D 89 EA 4C 5C 38 8C E`...h.9....L\8.
0070: 9A BD 18 FC DD 9E BC EA 27 DC C7 05 5A 0D 41 F5 ........'...Z.A.
]
Added certificate to keystore 'jssecacerts' using alias 'dynamic.12306.cn-1'
E:\learn\security>
With that done, the certificate can be exported from the keystore.
Export it as readable PEM text (the keystore password is the default, changeit):
E:\learn\security>keytool -export -alias dynamic.12306.cn-1 -keystore jssecacerts -rfc -file 12306.cer
输入keystore密码:
保存在文件中的认证 <12306.cer>
E:\learn\security>cat 12306.cer
-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIIIFz7nkoStVcwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCQ04xKTAn
BgNVBAoTIFNpbm9yYWlsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRTUkNBMB4X
DTExMDYwMTA5NTYzNVoXDTE0MDUzMTA5NTYzNVowbjELMAkGA1UEBhMCQ04xKTAnBgNVBAoTIFNp
bm9yYWlsIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRkwFwYDVQQLHhCUwY3vW6JiN2cNUqFOLV/D
MRkwFwYDVQQDExBkeW5hbWljLjEyMzA2LmNuMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7
zKdfpqBX5VlDwU7QLfV3e3+J2c10UpRbexwhFuLCsGGxFsO7e5XHU+cXMv2EcZ1D8la2go4bkOUF
ylvJ/odu5jx8968kvcUHwa67F52SU9QqHpPekVI8VBJwSdd6iv9QY2P8l7fI9hw8bh9bsrLN1sqe
WmnKB9INOxqAAYUSZQIDAQABo4HuMIHrMB8GA1UdIwQYMBaAFHletne34lKDQ+3HUYhMY4UsAENY
MIGbBgNVHR8EgZMwgZAwgY2ggYqggYeGgYRsZGFwOi8vMjEwLjc1Ljk4LjEwMjozOTAvY249Y3Js
MyxPVT1DUkwsTz1TaW5vcmFpbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSxDPUNOP2NlcnRpZmlj
YXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RjbGFzcz1pZGFQZXJzb24wCwYDVR0PBAQDAgbA
MB0GA1UdDgQWBBScD/7Bsp0HbZ+I7OF3Pd9BHU6OQzANBgkqhkiG9w0BAQUFAAOBgQCsL/oHe4+S
i1EtpIrj/qpWFq043OCHS+1HBbRL1k5zXhlmiyy7HXtqpSPhjnkl3Z3fj23wXOZ5NkEPCq+QctXN
sR0g224njVZCKY0Y6NNt75nug3toFkkAorn9gp52B6NFYMfWBGgUOR+NiepMXDiMmr0Y/N2evOon
3McFWg1B9Q==
-----END CERTIFICATE-----
From then on you can use the certificate above to establish an SSL connection to the target host whenever you need to.
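As an added example (not the post's own code and not Sun's InstallCert), the following Java program performs the same steps as the InstallCert run shown above: it starts from the JRE's cacerts, wraps the default trust manager so the chain the server presents is captured even when PKIX validation fails, prints the leaf's subject, issuer and SHA-1 fingerprint in the same layout, stores the leaf in a jssecacerts file, and then repeats the handshake to prove the stored entry is enough. It adds one check a practitioner would want: the certificate is only added if its SHA-1 fingerprint matches a value passed on the command line, obtained out of band from the server's operator, so a man-in-the-middle cannot slip its own certificate into the truststore. The class name FetchServerCert, the command-line arguments, the alias format host-1, and the output file jssecacerts in the working directory are assumptions; it assumes Java 7 or later and the default cacerts password changeit.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical example: fetch a server's chain, pin it by fingerprint, store it, then re-verify. */
public class FetchServerCert {

    /** Wraps the real trust manager and keeps the chain the server presented, even when validation fails. */
    static final class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] chain;

        SavingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client certificates are not validated by this example");
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.chain = chain;
            delegate.checkServerTrusted(chain, authType); // throws "PKIX path building failed" for unknown issuers
        }
    }

    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return (X509TrustManager) tmf.getTrustManagers()[0];
    }

    /** Hex fingerprint in the same "aa bb cc" layout InstallCert prints. */
    static String fingerprint(String algorithm, X509Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance(algorithm).digest(cert.getEncoded())) {
            sb.append(String.format("%02x ", b));
        }
        return sb.toString().trim();
    }

    /** One TLS handshake against host:port trusting only the given keystore; returns the presented chain (or null). */
    static X509Certificate[] handshake(String host, int port, KeyStore ks) throws Exception {
        SavingTrustManager tm = new SavingTrustManager(trustManagerFor(ks));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10000);
            socket.startHandshake();
            System.out.println("Handshake succeeded: the chain is trusted by this keystore");
        } catch (SSLException e) {
            System.out.println("Handshake failed: " + e.getMessage()); // expected on the first run
        }
        return tm.chain;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) { System.err.println("usage: FetchServerCert <host> <expected-sha1> [port]"); return; }
        String host = args[0];
        String expectedSha1 = args[1].toLowerCase().replaceAll("[^0-9a-f]", ""); // tolerate "aa bb" or "aa:bb"
        int port = args.length > 2 ? Integer.parseInt(args[2]) : 443;
        char[] password = "changeit".toCharArray(); // JRE default truststore password

        // Start from the JRE's cacerts, exactly as InstallCert does.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(new File(System.getProperty("java.home"), "lib/security/cacerts"))) {
            ks.load(in, password);
        }

        X509Certificate[] chain = handshake(host, port, ks);
        if (chain == null) { System.err.println("Server presented no certificate chain"); return; }
        X509Certificate leaf = chain[0];
        String sha1 = fingerprint("SHA-1", leaf);
        System.out.println("Subject " + leaf.getSubjectX500Principal());
        System.out.println("Issuer  " + leaf.getIssuerX500Principal());
        System.out.println("sha1    " + sha1);

        // Trust-on-first-use is only safe when the fingerprint matches one learned out of band.
        if (!sha1.replace(" ", "").equals(expectedSha1)) {
            System.err.println("Fingerprint mismatch: refusing to add this certificate to the truststore");
            return;
        }
        String alias = host + "-1";
        ks.setCertificateEntry(alias, leaf);
        File out = new File("jssecacerts");
        try (OutputStream os = new FileOutputStream(out)) { ks.store(os, password); }
        System.out.println("Added certificate to keystore '" + out + "' using alias '" + alias + "'");

        // Second handshake with the updated keystore: this time validation must succeed.
        handshake(host, port, ks);
    }
}
```

Run it as `java FetchServerCert dynamic.12306.cn "f6 2e c7 e4 12 d1 aa b3 f0 7f ac b7 f7 20 e6 77 da e5 b9 b7"` (the fingerprint InstallCert printed above for certificate 1). The first handshake fails with the same "unable to find valid certification path to requested target" error the post shows; after the leaf is stored the second one succeeds. Two points worth knowing when you then use the file: the JRE only consults a jssecacerts file that sits in its own lib/security directory, so a copy in the working directory must either be moved there or handed to the application with -Djavax.net.ssl.trustStore=jssecacerts and -Djavax.net.ssl.trustStorePassword=changeit; and because this stores the leaf certificate (entry 1) rather than the self-signed SRCA root (entry 2), the trust entry stops working when the leaf expires or is renewed, whereas trusting the root covers renewals at the cost of trusting everything that CA issues.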