HTTPClient工具访问HTTPS时证书和域名不符

如果使用HTTPClient工具时,请求的域名和颁发证书时的域名不一样时会提示:

javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.acgist.com' does not match the certificate subject provided by the peer (CN=static.acgist.com)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)

这个问题,我们只需要在构建SSLConnectionSocketFactory时忽略一下证书就可以了。

常用的如下,是需要检测证书和域名的:

private static SSLConnectionSocketFactory createSSLConnSocketFactory() {
	SSLContext sslContext = null;
	SSLConnectionSocketFactory sslFactory = null;
	try {
		sslContext = org.apache.http.ssl.SSLContextBuilder.create().loadTrustMaterial(null, new TrustStrategy() {
			// 信任所有证书
			public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
				return true;
			}
		}).build();
	} catch (Exception e) {
		logger.error("创建SSL工程异常", e);
	}
	sslFactory = new SSLConnectionSocketFactory(sslContext);
	return sslFactory;
}

修改后忽略这个检查:

private static SSLConnectionSocketFactory createSSLConnSocketFactory() {
	SSLContext sslContext = null;
	SSLConnectionSocketFactory sslFactory = null;
	try {
		sslContext = org.apache.http.ssl.SSLContextBuilder.create().loadTrustMaterial(null, new TrustStrategy() {
			// 信任所有证书
			public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
				return true;
			}
		}).build();
	} catch (Exception e) {
		logger.error("创建SSL工程异常", e);
	}
	sslFactory = new SSLConnectionSocketFactory(sslContext, new HostnameVerifier() {
		@Override
		public boolean verify(String hostname, SSLSession session) {
			return true; // 不检查证书和域名是否匹配
		}
	});
	return sslFactory;
}