0 votes

A self-signed certificate, put plainly, is one where you act as your own CA issuer; as long as the client trusts it when connecting, access works normally. The following is quoted from: Some basic concepts about certificate authorities (CAs) in SSL

Generally a self-signed certificate cannot be used for identity authentication. If a server uses a self-signed certificate, the client has two options: one is to trust the certificate unconditionally; the other requires adding the self-signed certificate's public key and private key to the trusted list. But doing so increases the risk of the server's private key being leaked.

So in certain environments we need to call, via AJAX, an API on a server that uses a self-signed certificate. In the browser we can trust it manually, but for data requests we usually can only bypass certificate verification to get the data.

1. In jQuery, the crudest approach: use JSONP

var params = { name: 'demo' }; // request parameters (example values)
$.ajax({
    url : '//sslzoo.com',
    type : "POST",        // note: jQuery sends JSONP via a <script> tag, i.e. always GET, so this is ignored
    dataType : 'jsonp',
    data : params,
    jsonp: 'callback',    // parameter name passed to the backend, used to pass the JSONP callback function name
    success : function(data) {}
});

The url is requested the same way as a cross-origin API; the returned data format is JSONP.

References: http://www.cnblogs.com/koleyang/p/4654439.html

http://blog.csdn.net/xiangnan129/article/details/54409089

2. In PHP the approach is still to skip SSL verification

When making the curl request, add the following code

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // skip certificate (chain) verification
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // 2 = still check that the certificate's name matches the host (true/1 is not accepted by current libcurl)

Quoted from: http://blog.csdn.net/fdipzone/article/details/39611461

<?php
/** Make an HTTPS request with curl
* @param String $url        the URL to request
* @param Array  $data       the data to send
* @param Array  $header     headers to send with the request
* @param int    $timeout    timeout in seconds, default 30s
*/
function curl_https($url, $data=array(), $header=array(), $timeout=30){

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // skip certificate (chain) verification
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);     // 2 = still check that the certificate's name matches the host (true/1 is not accepted by current libcurl)
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);

    $response = curl_exec($ch);

    if($error = curl_error($ch)){
        curl_close($ch);
        die($error);
    }

    curl_close($ch);

    return $response;

}

// call it
$url = 'https://www.example.com/api/message.php';
$data = array('name'=>'fdipzone');
$header = array();

$response = curl_https($url, $data, $header, 5);

echo $response;
?>

3. Bypassing SSL verification in Java

In Java, HttpClient is mainly used for POST requests (HTTPS); write a class that extends DefaultHttpClient and skips the verification process.

Source: http://blog.csdn.net/rongyongfeikai2/article/details/41659353#

a. Write an SSLClient class that extends HttpClient

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

// HttpClient used for HTTPS requests (accepts any server certificate)
public class SSLClient extends DefaultHttpClient {
    public SSLClient() throws Exception {
        super();
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Trust manager whose check methods never throw, so every certificate chain is accepted
        X509TrustManager tm = new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
            }
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
            }
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // return an empty array rather than null; some callers iterate over it
                return new X509Certificate[0];
            }
        };
        ctx.init(null, new TrustManager[]{tm}, null);
        // ALLOW_ALL_HOSTNAME_VERIFIER additionally disables hostname matching
        SSLSocketFactory ssf = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        ClientConnectionManager ccm = this.getConnectionManager();
        SchemeRegistry sr = ccm.getSchemeRegistry();
        sr.register(new Scheme("https", 443, ssf));
    }
}

b. Write a class that sends a POST request using HttpClient

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;

/*
 * Utility class that sends POST requests with HttpClient
 */
public class HttpClientUtil {
    public String doPost(String url, Map<String, String> map, String charset) {
        HttpClient httpClient = null;
        HttpPost httpPost = null;
        String result = null;
        try {
            httpClient = new SSLClient();
            httpPost = new HttpPost(url);
            // set the form parameters
            List<NameValuePair> list = new ArrayList<NameValuePair>();
            for (Entry<String, String> elem : map.entrySet()) {
                list.add(new BasicNameValuePair(elem.getKey(), elem.getValue()));
            }
            if (list.size() > 0) {
                UrlEncodedFormEntity entity = new UrlEncodedFormEntity(list, charset);
                httpPost.setEntity(entity);
            }
            HttpResponse response = httpClient.execute(httpPost);
            if (response != null) {
                HttpEntity resEntity = response.getEntity();
                if (resEntity != null) {
                    result = EntityUtils.toString(resEntity, charset);
                }
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return result;
    }
}


Of course, all this effort is just to bypass SSL verification, while a cheap DV certificate is enough for basic security needs, so where would a self-signed certificate scenario even come from?

Asked Jun 29, 2017 in SSL | user: shionphan (900 points)
Edited Jun 29, 2017 by user: unknow
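The PHP and Java snippets above turn verification off entirely, so any certificate, including one substituted on the path, is accepted. The alternative for a self-signed server is to keep verification on and hand curl the server's own certificate as the sole trust anchor. This is an added example, not code from the post or the quoted blogs; the certificate path and the API host are placeholders, and the PEM file is assumed to have been obtained out of band from the server operator rather than over the untrusted connection.

```php
<?php
/**
 * Added example: POST to an HTTPS endpoint that uses a self-signed certificate
 * without disabling verification. The server certificate itself is given to
 * curl via CURLOPT_CAINFO; a self-signed certificate is its own issuer, so the
 * chain check succeeds for that exact certificate and fails for any other.
 *
 * @param string $url      request URL
 * @param array  $data     POST fields
 * @param array  $header   extra request headers
 * @param int    $timeout  timeout in seconds
 * @param string $caFile   PEM file holding ONLY the server's certificate (placeholder path)
 */
function curl_https_pinned($url, array $data = array(), array $header = array(),
                           $timeout = 30, $caFile = '/etc/ssl/private/api.selfsigned.pem') {
    if (!is_readable($caFile)) {
        // Fail closed: never fall back to VERIFYPEER=false when the anchor is missing.
        throw new RuntimeException("trust anchor not readable: $caFile");
    }
    $ch = curl_init();
    curl_setopt_array($ch, array(
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($data),
        CURLOPT_HTTPHEADER     => $header,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
        // Keep chain verification on, but against the pinned file instead of the system CA bundle.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_CAINFO         => $caFile,
        // 2 = the certificate's CN/SAN must match the host in $url (1/true is rejected by current libcurl).
        CURLOPT_SSL_VERIFYHOST => 2,
    ));
    $response = curl_exec($ch);
    if ($response === false) {
        // A substituted or expired certificate surfaces here as a verification error,
        // e.g. "unable to get local issuer certificate".
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("curl failed: $err");
    }
    curl_close($ch);
    return $response;
}

// Usage (placeholder host):
// echo curl_https_pinned('https://api.example.internal/api/message.php', array('name' => 'demo'));
?>
```

The same idea applies to the Java code: load the server certificate into a KeyStore and build the X509TrustManager from it instead of writing one whose check methods never throw.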
