与AD通信时出错 - 在重新协商期间限制服务器证书更改

时间:2018-02-16 16:16:07

标签: java active-directory ldap certificate

我们的应用无法连接到Active Directory.

,我们间歇性地收到错误

我们目前正在jBoss 5Java 7,计划将来升级到6和8。这可能是因为域控制器上的证书不正确吗?

错误 

  javax.naming.CommunicationException: simple bind failed: ad.xxx.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
Caused by: javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:269)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1409)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
    ... 54 more

1 个答案:

答案 0 :(得分:1)

我相信客户端层代码中的此错误消息是来自Java更新的“SSL V3.0 Poodle漏洞 - CVE-2014-3566”之后的代码强化的结果。

恕我直言,这是Java的一个错误。

根据我的观察和理解,这是由于Java客户端在您的情况下与同一服务器(Microsoft Active Directory)建立了现有SSL连接。

Java客户端尝试无法执行Full Handshake并尝试恢复先前连接的TLS握手。

似乎您可以通过disable SSL v3.0 in TLS Client Oracle JDK and JRE执行解决方法。

对此问题的任何其他反馈意见表示赞赏。

相关问题
最新问题