java javax.net.ssl.SSLHandshakeException:不存在使用者替代名称

时间:2018-12-07 17:04:28

标签: java rest web-services ssl https

我有一个在Tomcat 8.5上运行的Web服务器。我已经使用以下解决方案导入了证书: "PKIX path building failed" and "unable to find valid certification path to requested target"

这是确切的流程和问题:我将资源放在该URL https://localhost:8443/Test/prova/HelloWorld上,并且正在使用Jersey。在虚拟机上(在同一台机器上),我在Tomcat 9上运行了一个cas服务器。现在,我尝试使用sso。我登录cas页面,当它在请求的服务上重定向我时,我得到了完整的堆栈跟踪:

send(client_socket, msg, strlen(msg), 0)
                         ^^^^^^^^^^^ returns the length of entered message

编辑: 在vm中,cas服务器在哪里,我做了以下事情:

  1. 使用SAN ip生成了一个证书
  2. 将其导入cacerts

现在我还有另一个例外:

SEVERE: Servlet.service() for servlet [Jersey REST Service] in context with path [/Test] threw exception
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: No subject alternative names present
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:97)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
    ... 25 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:137)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:434)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:233)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313)
    ... 41 more

我也在主机中导入了相同的证书

1 个答案:

答案 0 :(得分:0)

(针对修订后的问题)

来自the javadoc for X509ExtendedTrustManager

  

为防止中间人攻击,可以进行主机名检查以验证最终实体证书中的主机名是否与目标主机名匹配。 TLS不需要进行此类检查,但是某些基于TLS的协议(例如HTTPS)却需要。 ... RFC 2818为“ HTTPS”算法定义了服务器标识和客户端标识规范。

和来自RFC 2818

  

通常,HTTP / TLS请求是通过取消引用URI来生成的。      结果,客户端知道服务器的主机名。      如果主机名可用,则客户端必须对照主机名进行检查。      服务器的证书消息中显示的服务器身份,      为了防止中间人攻击。 ...

[跳过有关名称匹配的部分,这会稍微复杂一些]

  

在某些情况下,URI被指定为IP地址而不是      主机名。在这种情况下,必须存在iPAddress subjectAltName      在证书中,并且必须与URI中的IP完全匹配。

(顺便说一句,大写看起来不是一个错误,这是ASN.1中命名约定的结果,ASN.1中的命名约定用于定义SSL中使用的X.509证书等) / TLS / HTTPS。)

堆栈跟踪显示 jasig正在尝试连接到IP地址所标识的HTTPS服务器,但是该服务器提供的证书没有包含以下内容的SubjectAlternativeName(缩写SubjectAltName或仅SAN)扩展名>所需的IP地址。选项是:

  • 服务器实际上应该由名称标识,该名称可以是Subject字段的CommonName属性中的(在这种情况下,大概是)而不是SAN扩展名。您需要在jasig尝试访问的URL中更改主机名,但我对此还不了解,无法对此发表评论。

  • 服务器实际上应该通过IP地址标识,并且其证书的颁发/创建错误。您或某人应获取并使用服务器的更正证书。由于有成千上万种获取或创建证书的方法,而且您不说使用或可以使用哪种证书,因此我无法提供任何详细信息。

  • 通常的stackoverflow方法:“我只需要一些连接,而不管它是否是正确的服务器”。 HttpsURLConnection允许在实例级别或JVM范围内(默认)使用自定义HostnameVerifier(在上面的Javadoc中链接),即使它不接受服务器证书(和连接),它也可以接受符合正常规则。我不知道jasig是否或如何让您控制用于它的(Https)URLConnection实例或工厂,这将使您设置该实例;如果需要设置the javadoc中的默认值。