jSSLutils是一个库,可让您包装现有的信任管理器并自定义某些设置.你不需要它,但它可能有所帮助.

这将遵循这些方针：

PKIXSSLContextFactory sslContextFactory = new PKIXSSLContextFactory();
sslContextFactory.setTrustManagerWrapper(new X509TrustManagerWrapper() {
    @Override
    public X509TrustManager wrapTrustManager(final X509TrustManager origManager) {
        return new X509TrustManager() { 
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return origManager.getAcceptedIssuers();
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain,String authType)
                    throws CertificateException {
                try {
                    // This will call the default trust manager
                    // which will throw an exception if it doesn't know the certificate
                    origManager.checkServerTrusted(chain,authType);
                } catch (CertificateException e) {
                    // If it throws an exception,check what this exception is
                    // the server certificate is in chain[0],you could
                    // implement a callback to the user to accept/refuse
                }
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain,String authType)
                    throws CertificateException {
                origManager.checkClientTrusted(chain,authType);
            }
        };
    }
});
SSLContext sslContext = sslContextFactory.buildSSLContext();

((PKIX)SSLContextFactory和X509TrustManagerWrapper来自jSSLutils,但其余部分来自J2SE / J2EE.)

您可能想要捕获一些CertificateExceptions(请参阅子类).
如果您对用户进行回调,则SSL / TLS连接可能会因SSL / TLS握手超时而失败(如果回调时间太长而无法回复).

然后,您可以使用SSLContext.setSSLContext(…)(来自Java 6)将此SSLContext用作默认值,但这不一定是个好主意.如果可以,请将SSLContext传递给进行SSL / TLS连接的库.如何做到这一点各不相同,但Apache HTTP Client 4.x有多个选项来配置其SSL设置,其中一个是通过传递KeyStores,另一个是通过传递SSLContext.

通过检查X509TrustManager中的当前线程,您还可以使用每个线程而不是每个要连接的对象(依赖于库)：这可能会使同步和线程管理/“感知”方面的事情变得更复杂一些信托经理.