最近在工作过程中遇到使用httpClient去call https接口失败的问题， 所以就此做了个学习记录， 在这过程中可以通过一下三种方式中的任何一种都解决了上诉问题

1.ignore https certificate

通过在httpClient call https接口之前先调用如下代码即可忽略https认证

private static DefaultHttpClient httpClientTrustingAllSSLCerts() throws NoSuchAlgorithmException, KeyManagementException {
    DefaultHttpClient httpclient = new DefaultHttpClient();
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, getTrustingManager(), new java.security.SecureRandom());
    SSLSocketFactory socketFactory = new SSLSocketFactory(sc);
    Scheme sch = new Scheme("https", 443, socketFactory);
    httpclient.getConnectionManager().getSchemeRegistry().register(sch);
    return httpclient;
}
private static TrustManager[] getTrustingManager() {
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] x509Certificates, String s) throws CertificateException {
        }
        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] x509Certificates, String s) throws CertificateException {
        }
        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    } };
    return trustAllCerts;
}

2. 通过加载指定证书达到证书校验(在httpClient call之前调用下列代码)

• 首先需要将对应网站的cer证书从浏览器中导出， 步骤如下
  2.1 点击浏览器URL左侧图标， 然后点击证书

ssl1

2.2 点击详细信息tab， 然后点击"复制到文件选项"

ssl2

2.3 将证书导出为Base64编码格式， 继续点击下一步(比如我们保存名字为myaliyun.cer)， 选择保存位置

ssl3

这时候我们就已经将cer导出来了！

2.4 结合之前导出来的certificate文件使用如下命令生成truststore

keytool -import -alias myaliyun -trustcacerts -file myaliyun.cer -keystore myaliyuntrust.jks

然后输入指定密码， 这是我们的trustStore就生成了， 最后就是在JavaCode中指定加载这个trustStore文件(下面keystore和trustStore均为上面我们gen的myaliyuntrust.jks)

• 通过设置System环境变量加载我们刚刚生成的trust证书

        System.setProperty("javax.net.ssl.keyStore", "keyStore存放位置"));
        System.setProperty("javax.net.ssl.keyStorePassword", "keyStore密码");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        System.setProperty("javax.net.ssl.trustStore", "trustStore存放位置");
        System.setProperty("javax.net.ssl.trustStorePassword", "Trustore密码");
        System.setProperty("javax.net.ssl.trustType", "JKS");

3. 将安全证书导入到java的cacerts证书库(changeit为jdk cecerts证书库的默认密码)

1. 和2.3步骤一样， 将对应网站的cetificate文件导出来, 这里我将这个证书放到了这个路径下<JAVA_HOME路径>/jre/lib/security/myaliyun.cer
2. 将刚才导出来的certifate证书导入到java的cacerts证书库，切换到目录 <JAVA_HOME路径>/jre/lib/security, 执行如下命令:

keytool -import -alias myaliyun -keystore cacerts -file ${JAVA_HOME}/jre/lib/security/myaliyun.cer -storepass changeit

然后你会看到如下信息

C:\java\jdk1.8.0_251\jre\lib\security
λ keytool -import -alias myaliyun -keystore cacerts -file C:/java/jdk1.8.0_251/jre/lib/security/myaliyun.cer -storepass changeit
....
.... 
....
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4C 7A 17 49 7B 8C 31 F0   48 93 A1 FC 83 CA D7 E9  Lz.I..1.H.......
0010: E0 C5 F7 0B                                        ....
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

noted: HttpClient 使用例子

dependency

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.2.3</version>
</dependency>

            HttpClient httpClient = new DefaultHttpClient();
            httpClient.getParams().setParameter(CoreConnectionPNames.SO_TIMEOUT, 1000);
            httpClient.getParams().setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 1000);
            HttpGet httpGet = null;
            try {
                httpGet = new HttpGet(url);
                HttpResponse response = httpClient.execute(httpGet);
                int httpStatus = response.getStatusLine().getStatusCode();
                if(httpStatus == HttpStatus.SC_OK) {
                    HttpEntity entity = response.getEntity();
                    //to avoid throw exception when new json object, if the contentType is not json, .
                    String contentType = ContentType.getOrDefault(entity).getMimeType();
                    if(contentType.contains("application/json")) {
                        String getJson = EntityUtils.toString(entity);
                        JSONObject jsonObj = new JSONObject(getJson);
                        //the json obj should contains version key
                    }
                    //Consume response content
                    EntityUtils.consume(entity);
                }
            } catch (Exception e) {
        throw e;
            } finally {
                httpGet.abort();
                httpClient.getConnectionManager().shutdown();
            }

总结

个人还是比较推荐使用第三种将安全证书导入到java的cacerts证书库， 因为我们不需要改code， 只需要通过命令就可以了

ssl4

ssl5

还有一点需要注意的是， 我在测试过程中， 需要使用上面三种中任何一种做法的前提是当所访问网站的证书是不安全的时候才需要那么做的. 如果对应网站的证书是安全的， 则不需要上诉做法。 或者还有一种情况就是： 如果我们时候用的httpClient是3.x版本的， 那么无论这个网站的证书是否安全都需要我们添加上面三种方式中的其中一种了