从SSLPeerUnverifiedException中提取公用名的最佳方法是什么?

时间:2016-09-02 17:06:00

标签: java regex sslexception

我在Fabric上遇到以下异常:

Non-fatal Exception: javax.net.ssl.SSLPeerUnverifiedException: Hostname assets.domain.com not verified:
    certificate: sha256/6NEXAaHJ2CAMKUOkWhMCwH9biv2QtAFsYMl0WqkocgM=
    DN: CN=apc.aptilo.com,OU=Domain Control Validated - RapidSSL(R),OU=See www.rapidssl.com/resources/cps (c)13,OU=GT19785026,2.5.4.5=#13204456444273427335456d62337a6151706e6e6d356744615556354b6a63696c44
    subjectAltNames: [apc.aptilo.com]
       at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:250)
       at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:198)
       at okhttp3.internal.connection.RealConnection.buildConnection(SourceFile:174)
       at okhttp3.internal.connection.RealConnection.connect(SourceFile:114)
       at okhttp3.internal.connection.StreamAllocation.findConnection(SourceFile:193)
       at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(SourceFile:129)
       at okhttp3.internal.connection.StreamAllocation.newStream(SourceFile:98)
       at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:42)
       at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
       at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
       at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:109)
       at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
       at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
       at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
       at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
       at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:124)
       at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
       at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
       at okhttp3.RealCall.getResponseWithInterceptorChain(SourceFile:170)
       at okhttp3.RealCall.access$100(SourceFile:33)
       at okhttp3.RealCall$AsyncCall.execute(SourceFile:120)
       at okhttp3.internal.NamedRunnable.run(SourceFile:32)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
       at java.lang.Thread.run(Thread.java:818)

与安全团队一起,我们已经意识到这可能是用户打开我们连接到某些酒店Wi-Fi的应用程序并且标有那些讨厌的登录页面的情况。到目前为止,只有2个用户似乎受到影响,而且我们拥有更多用户,因此这不是一个真正的中间人攻击。

因此,我想验证异常上的通用名称。如果它与我们的主机assets.domain.com相匹配,那么它就是潜在的攻击,我想记录该事件。如果CN不同,我只想抑制错误。

我有什么选择?我只能考虑解析异常原因字符串,并使用正则表达式提取CN=value部分。但是,是否有一个更容易出错的解决方案呢?

TL;博士;

我想从SSLPeerUnverifiedException中提取CN值,并将其与有效主机名进行比较。实现这一目标的最佳途径是什么?

1 个答案:

答案 0 :(得分:1)

使用您提供的有限样本,就像这样

"(?s)SSLPeerUnverifiedException:.*?(?<!\\S)CN=([^\\s,]+)(?=,)"

其中捕获组1包含CN值。

输出:

 **  Grp 0 -  ( pos 35 , len 165 ) 
SSLPeerUnverifiedException: Hostname assets.domain.com not verified:
    certificate: sha256/6NEXAaHJ2CAMKUOkWhMCwH9biv2QtAFsYMl0WqkocgM=
    DN: CN=apc.aptilo.com  
 **  Grp 1 -  ( pos 186 , len 14 ) 
apc.aptilo.com