Игнорировать ошибки ssl - Исправление ошибок и поиск оптимальных решений проблем

This is how I did it —

Create my own MockSSLSocketFactory (Class attached below)
Use it to initialise DefaultHttpClient. Proxy settings need to be provided if a proxy is used.

Initialising DefaultHTTPClient —

SchemeRegistry schemeRegistry = new SchemeRegistry();
    schemeRegistry.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));
    schemeRegistry.register(new Scheme("https", 443, new MockSSLSocketFactory()));
    ClientConnectionManager cm = new SingleClientConnManager(schemeRegistry);

    DefaultHttpClient httpclient = new DefaultHttpClient(cm);

Mock SSL Factory —

public class MockSSLSocketFactory extends SSLSocketFactory {

public MockSSLSocketFactory() throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
    super(trustStrategy, hostnameVerifier);
}

private static final X509HostnameVerifier hostnameVerifier = new X509HostnameVerifier() {
    @Override
    public void verify(String host, SSLSocket ssl) throws IOException {
        // Do nothing
    }

    @Override
    public void verify(String host, X509Certificate cert) throws SSLException {
        //Do nothing
    }

    @Override
    public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
        //Do nothing
    }

    @Override
    public boolean verify(String s, SSLSession sslSession) {
        return true; 
    }
};

private static final TrustStrategy trustStrategy = new TrustStrategy() {
    @Override
    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        return true;
    }
};
}

If behind a proxy, need to do this —

HttpParams params = new BasicHttpParams();
    params.setParameter(AuthPNames.PROXY_AUTH_PREF, getClientAuthPrefs());

DefaultHttpClient httpclient = new DefaultHttpClient(cm, params);

httpclient.getCredentialsProvider().setCredentials(
                        new AuthScope(proxyHost, proxyPort),
                        new UsernamePasswordCredentials(proxyUser, proxyPass));

Источник

На чтение 3 мин Опубликовано 12.02.2020

Я хотел бы использовать команду curl, чтобы игнорировать предупреждение о сертификатах SSL.

Ведь мы можем получить ошибку подобную этой:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.

Есть ли в команде curl опция –no-check-certificate ,как например, у команды wget в Linux или Unix-подобной системе?

Вам нужно просто передать параметр -k или –insecure команде curl.

Эта опция явно позволяет curl выполнять «небезопасные» SSL-соединения и передачи данных.

Все SSL-соединения пытаются сделать безопасную передачу данных с помощью пакета сертификатов CA, установленного по умолчанию.

Содержание

Есть ли у curl опция -no-check-certificate, как например, у команд wget на Linux?
cURL | Как игнорировать предупреждения сертификата SSL
Как применить изменения для всех HTTPS-соединений
Как установть доверенный CA для curl

Есть ли у curl опция -no-check-certificate, как например, у команд wget на Linux?

Следующий синтаксис позволяет команде curl работать с «небезопасными» или «недоверенными» сертификатами SSL:

curl -k url
curl --insecure url
curl --insecure [options] url
curl --insecure -I url

cURL | Как игнорировать предупреждения сертификата SSL

В этом примере отключена проверка сертификата для команды curl:

curl --insecure -I https://202.54.1.2/

или

curl -k -O https://202.54.1.2/file.tar.gz

Без опции -k или –insecure вы получите сообщение об ошибке следующего содержания:

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Вот один полезный пример, где вы сможете получить файл или просмотреть информацию заголовка с удаленного хоста без использования имени домена SNI с поддержкой SSL:

curl -O --insecure --header 'Host: www.example.com' -I https://207.5.1.10/file.html
### или ###
curl -k --header 'Host: www.example.com' -I https://207.5.1.10/file.html

Как применить изменения для всех HTTPS-соединений

Вы можете добавить опцию insecure в ваш файл $HOME/.curlrc:

$ vi $HOME/.curlrc

Сохраните и закройте файл.

Однако я не рекомендую отключать проверки SSL для всех соединений по умолчанию из соображений безопасности.

Как установть доверенный CA для curl

Можно попробовать следующую команду для самоподписанных сертификатов SSL / TLS:

curl --cacert /pth/to/my/ca.pem https://url curl --header 'Host: www.cyberciti.biz' --cacert /pth/to/my/ca.pem https://207.5.1.10/nixcraft.tar.gz

Пожалуйста, не спамьте и никого не оскорбляйте.

Это поле для комментариев, а не спамбокс.

Рекламные ссылки не индексируются!

Источник

I am getting the following error during a web service request to a remote web service:

Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Is there anyway to ignore this error, and continue?

It seems the remote certificate is not signed.

The site I connect to is www.czebox.cz — so feel free to visit the site, and notice even browsers throw security exceptions.

Luke Girvin

13.1k8 gold badges63 silver badges84 bronze badges

asked Apr 20, 2010 at 12:42

Add a certificate validation handler. Returning true will allow ignoring the validation error:

ServicePointManager
    .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

answered Apr 20, 2010 at 12:48

Peter LillevoldPeter Lillevold

33.5k7 gold badges96 silver badges131 bronze badges

Allowing all certificates is very powerful but it could also be dangerous. If you would like to only allow valid certificates plus some certain certificates it could be done like this.

.NET Core:

using (var httpClientHandler = new HttpClientHandler())
{
    httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;   //Is valid
        }

        if (cert.GetCertHashString() == "99E92D8447AEF30483B1D7527812C9B7B3A915A7")
        {
            return true;
        }
        return false;
    };

    using (var httpClient = new HttpClient(httpClientHandler))
    {
        var httpResponse = httpClient.GetAsync("https://example.com").Result;
    }
}

.NET Framework:

System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate (
    object sender,
    X509Certificate cert,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;   //Is valid
    }

    if (cert.GetCertHashString() == "99E92D8447AEF30483B1D7527812C9B7B3A915A7")
    {
        return true;
    }

    return false;
};

Update:

How to get cert.GetCertHashString() value in Chrome:

Click on Secure or Not Secure in the address bar.

Then click on Certificate -> Details -> Thumbprint and copy the value. Remember to do cert.GetCertHashString().ToLower().

Wai Ha Lee

8,41977 gold badges60 silver badges90 bronze badges

answered May 23, 2017 at 16:37

OgglasOgglas

57.4k33 gold badges312 silver badges393 bronze badges

IgnoreBadCertificates Method:

//I use a method to ignore bad certs caused by misc errors
IgnoreBadCertificates();

// after the Ignore call i can do what ever i want...
HttpWebRequest request_data = System.Net.WebRequest.Create(urlquerystring) as HttpWebRequest;

/*
and below the Methods we are using...
*/

/// <summary>
/// Together with the AcceptAllCertifications method right
/// below this causes to bypass errors caused by SLL-Errors.
/// </summary>
public static void IgnoreBadCertificates()
{
    System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(AcceptAllCertifications);
}  

/// <summary>
/// In Short: the Method solves the Problem of broken Certificates.
/// Sometime when requesting Data and the sending Webserverconnection
/// is based on a SSL Connection, an Error is caused by Servers whoes
/// Certificate(s) have Errors. Like when the Cert is out of date
/// and much more... So at this point when calling the method,
/// this behaviour is prevented
/// </summary>
/// <param name="sender"></param>
/// <param name="certification"></param>
/// <param name="chain"></param>
/// <param name="sslPolicyErrors"></param>
/// <returns>true</returns>
private static bool AcceptAllCertifications(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certification, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
    return true;
}

answered Mar 7, 2013 at 6:17

Amen RaAmen Ra

3473 silver badges2 bronze badges

The reason it’s failing is not because it isn’t signed but because the root certificate isn’t trusted by your client. Rather than switch off SSL validation, an alternative approach would be to add the root CA cert to the list of CAs your app trusts.

This is the root CA cert that your app currently doesn’t trust:

You can decode and view this certificate using

this certificate decoder or another certificate decoder

answered Apr 20, 2010 at 19:07

bignumbignum

3,4283 gold badges20 silver badges18 bronze badges

Bypass SSL Certificate….

HttpClientHandler clientHandler = new HttpClientHandler();
clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; };

// Pass the handler to httpclient(from you are calling api)
var client = new HttpClient(clientHandler)

Wai Ha Lee

8,41977 gold badges60 silver badges90 bronze badges

answered Jun 5, 2019 at 12:03

Rohit JangidRohit Jangid

2,1351 gold badge11 silver badges9 bronze badges

To disable ssl cert validation in client configuration.

<behaviors>
   <endpointBehaviors>
      <behavior name="DisableSSLCertificateValidation">
         <clientCredentials>
             <serviceCertificate>
                <sslCertificateAuthentication certificateValidationMode="None" />
              </serviceCertificate>
           </clientCredentials>
        </behavior>

answered Apr 13, 2016 at 10:39

d.marzod.marzo

3093 silver badges5 bronze badges

This code worked for me. I had to add TLS2 because that’s what the URL I am interested in was using.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback +=
    (sender, cert, chain, sslPolicyErrors) => { return true; };
using (var client = new HttpClient())
{
    client.BaseAddress = new Uri(UserDataUrl);
    client.DefaultRequestHeaders.Accept.Clear();
    client.DefaultRequestHeaders.Accept.Add(new
      MediaTypeWithQualityHeaderValue("application/json"));
    Task<string> response = client.GetStringAsync(UserDataUrl);
    response.Wait();

    if (response.Exception != null)
    {
         return null;
    }

    return JsonConvert.DeserializeObject<UserData>(response.Result);
}

answered Oct 9, 2017 at 13:42

user2347528user2347528

5601 gold badge8 silver badges21 bronze badges

Old, but still helps…

Another great way of achieving the same behavior is through configuration file (web.config)

 <system.net>
    <settings>
      <servicePointManager checkCertificateName="false" checkCertificateRevocationList="false" />
    </settings>
  </system.net>

NOTE: tested on .net full.

answered Aug 14, 2020 at 21:51

digiogodigiogo

1903 silver badges5 bronze badges

This works for .Net Core.
Call on your Soap client:

client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication =
                new X509ServiceCertificateAuthentication()
                {
                    CertificateValidationMode = X509CertificateValidationMode.None,
                    RevocationMode = X509RevocationMode.NoCheck
                };

answered Oct 1, 2019 at 11:36

RimiRimi

512 bronze badges

If you are using sockets directly and are authenticating as the client, then the Service Point Manager callback method won’t work. Here’s what did work for me. PLEASE USE FOR TESTING PURPOSES ONLY.

var activeStream = new SslStream(networkStream, false, (a, b, c, d) => { return true; });
await activeStream.AuthenticateAsClientAsync("computer.local");

The key here, is to provide the remote certificate validation callback right in the constructor of the SSL stream.

answered May 5, 2016 at 4:32

MarioMario

6497 silver badges12 bronze badges

To further expand on BIGNUM’s post — Ideally you want a solution that will simulate the conditions you will see in production and modifying your code won’t do that and could be dangerous if you forget to take the code out before you deploy it.

You will need a self-signed certificate of some sort. If you know what you’re doing you can use the binary BIGNUM posted, but if not you can go hunting for the certificate. If you’re using IIS Express you will have one of these already, you’ll just have to find it. Open Firefox or whatever browser you like and go to your dev website. You should be able to view the certificate information from the URL bar and depending on your browser you should be able to export the certificate to a file.

Next, open MMC.exe, and add the Certificate snap-in. Import your certificate file into the Trusted Root Certificate Authorities store and that’s all you should need. It’s important to make sure it goes into that store and not some other store like ‘Personal’. If you’re unfamiliar with MMC or certificates, there are numerous websites with information how to do this.

Now, your computer as a whole will implicitly trust any certificates that it has generated itself and you won’t need to add code to handle this specially. When you move to production it will continue to work provided you have a proper valid certificate installed there. Don’t do this on a production server — that would be bad and it won’t work for any other clients other than those on the server itself.

answered Apr 12, 2016 at 2:24

Источник

I am getting the following error during a web service request to a remote web service:

Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Is there anyway to ignore this error, and continue?

It seems the remote certificate is not signed.

The site I connect to is www.czebox.cz — so feel free to visit the site, and notice even browsers throw security exceptions.

Luke Girvin

13.1k8 gold badges63 silver badges84 bronze badges

asked Apr 20, 2010 at 12:42

Add a certificate validation handler. Returning true will allow ignoring the validation error:

ServicePointManager
    .ServerCertificateValidationCallback += 
    (sender, cert, chain, sslPolicyErrors) => true;

answered Apr 20, 2010 at 12:48

Peter LillevoldPeter Lillevold

33.5k7 gold badges96 silver badges131 bronze badges

Allowing all certificates is very powerful but it could also be dangerous. If you would like to only allow valid certificates plus some certain certificates it could be done like this.

.NET Core:

using (var httpClientHandler = new HttpClientHandler())
{
    httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) =>
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;   //Is valid
        }

        if (cert.GetCertHashString() == "99E92D8447AEF30483B1D7527812C9B7B3A915A7")
        {
            return true;
        }
        return false;
    };

    using (var httpClient = new HttpClient(httpClientHandler))
    {
        var httpResponse = httpClient.GetAsync("https://example.com").Result;
    }
}

.NET Framework:

System.Net.ServicePointManager.ServerCertificateValidationCallback += delegate (
    object sender,
    X509Certificate cert,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;   //Is valid
    }

    if (cert.GetCertHashString() == "99E92D8447AEF30483B1D7527812C9B7B3A915A7")
    {
        return true;
    }

    return false;
};

Update:

How to get cert.GetCertHashString() value in Chrome:

Click on Secure or Not Secure in the address bar.

Then click on Certificate -> Details -> Thumbprint and copy the value. Remember to do cert.GetCertHashString().ToLower().

Wai Ha Lee

8,41977 gold badges60 silver badges90 bronze badges

answered May 23, 2017 at 16:37

OgglasOgglas

57.4k33 gold badges312 silver badges393 bronze badges

IgnoreBadCertificates Method:

//I use a method to ignore bad certs caused by misc errors
IgnoreBadCertificates();

// after the Ignore call i can do what ever i want...
HttpWebRequest request_data = System.Net.WebRequest.Create(urlquerystring) as HttpWebRequest;

/*
and below the Methods we are using...
*/

/// <summary>
/// Together with the AcceptAllCertifications method right
/// below this causes to bypass errors caused by SLL-Errors.
/// </summary>
public static void IgnoreBadCertificates()
{
    System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(AcceptAllCertifications);
}  

/// <summary>
/// In Short: the Method solves the Problem of broken Certificates.
/// Sometime when requesting Data and the sending Webserverconnection
/// is based on a SSL Connection, an Error is caused by Servers whoes
/// Certificate(s) have Errors. Like when the Cert is out of date
/// and much more... So at this point when calling the method,
/// this behaviour is prevented
/// </summary>
/// <param name="sender"></param>
/// <param name="certification"></param>
/// <param name="chain"></param>
/// <param name="sslPolicyErrors"></param>
/// <returns>true</returns>
private static bool AcceptAllCertifications(object sender, System.Security.Cryptography.X509Certificates.X509Certificate certification, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors)
{
    return true;
}

answered Mar 7, 2013 at 6:17

Amen RaAmen Ra

3473 silver badges2 bronze badges

This is the root CA cert that your app currently doesn’t trust:

You can decode and view this certificate using

this certificate decoder or another certificate decoder

answered Apr 20, 2010 at 19:07

bignumbignum

3,4283 gold badges20 silver badges18 bronze badges

Bypass SSL Certificate….

HttpClientHandler clientHandler = new HttpClientHandler();
clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; };

// Pass the handler to httpclient(from you are calling api)
var client = new HttpClient(clientHandler)

Wai Ha Lee

8,41977 gold badges60 silver badges90 bronze badges

answered Jun 5, 2019 at 12:03

Rohit JangidRohit Jangid

2,1351 gold badge11 silver badges9 bronze badges

To disable ssl cert validation in client configuration.

<behaviors>
   <endpointBehaviors>
      <behavior name="DisableSSLCertificateValidation">
         <clientCredentials>
             <serviceCertificate>
                <sslCertificateAuthentication certificateValidationMode="None" />
              </serviceCertificate>
           </clientCredentials>
        </behavior>

answered Apr 13, 2016 at 10:39

d.marzod.marzo

3093 silver badges5 bronze badges

This code worked for me. I had to add TLS2 because that’s what the URL I am interested in was using.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServicePointManager.ServerCertificateValidationCallback +=
    (sender, cert, chain, sslPolicyErrors) => { return true; };
using (var client = new HttpClient())
{
    client.BaseAddress = new Uri(UserDataUrl);
    client.DefaultRequestHeaders.Accept.Clear();
    client.DefaultRequestHeaders.Accept.Add(new
      MediaTypeWithQualityHeaderValue("application/json"));
    Task<string> response = client.GetStringAsync(UserDataUrl);
    response.Wait();

    if (response.Exception != null)
    {
         return null;
    }

    return JsonConvert.DeserializeObject<UserData>(response.Result);
}

answered Oct 9, 2017 at 13:42

user2347528user2347528

5601 gold badge8 silver badges21 bronze badges

Old, but still helps…

Another great way of achieving the same behavior is through configuration file (web.config)

 <system.net>
    <settings>
      <servicePointManager checkCertificateName="false" checkCertificateRevocationList="false" />
    </settings>
  </system.net>

NOTE: tested on .net full.

answered Aug 14, 2020 at 21:51

digiogodigiogo

1903 silver badges5 bronze badges

This works for .Net Core.
Call on your Soap client:

client.ClientCredentials.ServiceCertificate.SslCertificateAuthentication =
                new X509ServiceCertificateAuthentication()
                {
                    CertificateValidationMode = X509CertificateValidationMode.None,
                    RevocationMode = X509RevocationMode.NoCheck
                };

answered Oct 1, 2019 at 11:36

RimiRimi

512 bronze badges

var activeStream = new SslStream(networkStream, false, (a, b, c, d) => { return true; });
await activeStream.AuthenticateAsClientAsync("computer.local");

The key here, is to provide the remote certificate validation callback right in the constructor of the SSL stream.

answered May 5, 2016 at 4:32

MarioMario

6497 silver badges12 bronze badges

answered Apr 12, 2016 at 2:24

Источник

Так лучше не делать, но иногда нужно проигнорировать ошибки связанные с сертификатом сайта.

import lombok.experimental.UtilityClass;
import lombok.extern.slf4j.Slf4j;
import okhttp3.OkHttpClient;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * @author upagge 03.02.2021
 */
@Slf4j
@UtilityClass
public class OkHttpUtil {

    private static OkHttpClient client = new OkHttpClient.Builder().build();

    public static OkHttpClient getClient() {
        return client;
    }

    public static void init(boolean ignoreCertificate) {

        OkHttpClient.Builder builder = new OkHttpClient.Builder();

        log.info("Initialising httpUtil with default configuration");
        if (ignoreCertificate) {
            builder = configureToIgnoreCertificate(builder);
        }

        //Other application specific configuration

        client = builder.build();
    }

    //Setting testMode configuration. If set as testMode, the connection will skip certification check
    private static OkHttpClient.Builder configureToIgnoreCertificate(OkHttpClient.Builder builder) {
        log.warn("Ignore Ssl Certificate");
        try {

            // Create a trust manager that does not validate certificate chains
            final TrustManager[] trustAllCerts = new TrustManager[]{
                    new X509TrustManager() {
                        @Override
                        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                        }

                        @Override
                        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {
                        }

                        @Override
                        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                            return new java.security.cert.X509Certificate[]{};
                        }
                    }
            };

            final SSLContext sslContext = SSLContext.getInstance("SSL");
            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
            final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

            builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);
            builder.hostnameVerifier((hostname, session) -> true);
        } catch (Exception e) {
            log.warn("Exception while configuring IgnoreSslCertificate" + e, e);
        }
        return builder;
    }

}

Спонсор поста

Как это использовать?

Перед получением OkHttpClient необходимо инициализировать настройки игнорирования сертификатов. Для этого вызываем метод:

OkHttpUtil.init(true);

После этого можете получить OkHttpClient:

OkHttpUtil.getClient();

Или вот так.

public class HttpParse {

    static {
        OkHttpUtil.init(true);
    }

    private static final OkHttpClient client = OkHttpUtil.getClient();

    // ... ... ... ... ...

}

Источник