• SSL 中证书能否够使用IP而不是域名


    前言:曾经听别人说生成证书时能够用IP地址。今天用样例证实了下用IP地址是不行的。

    情景一:

    生成证书时指定的名称为IP地址

    样例是做单点登录时的样例。web.xml中配置例如以下:


    <!--该过滤器负责用户的认证工作。必须启用它 -->
        <filter>
            <filter-name>CASFilter</filter-name>
            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
            <init-param>
                <param-name>casServerLoginUrl</param-name>
                <param-value>https://172.18.113.78:8443/CasServer/login</param-value>
                <!--这里的server是服务端的IP -->
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://127.0.0.1:8080/</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CASFilter</filter-name>
            <url-pattern>/*</url-pattern
        </filter-mapping>
     
        <!-- 该过滤器负责对Ticket的校验工作。必须启用它 -->
        <!-- ValidationFilter 这个filter负责对请求參数ticket进行验证(ticket參数是负责子系统与CAS进行验证交互的凭证)casServerUrlPrefix:CAS服务訪问地址serverName:当前应用所在的主机名 -->
        <filter>
            <filter-name>CAS Validation Filter</filter-name>
            <filter-class>
                org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
            </filter-class>
            <init-param>
                <param-name>casServerUrlPrefix</param-name>
                <param-value>https://172.18.113.78:8443/CasServer</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://127.0.0.1:8080</param-value>
            </init-param>
            <init-param>
    			<param-name>encoding</param-name>
    			<param-value>UTF-8</param-value>
    		</init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

    如上配置中指定使用HTTPS协议,生成证书时指定的名称为上图中的172.18.113.78,訪问后出错,结果例如以下:

    严重: Servlet.service() for servlet [jsp] in context with path [/uum] threw exception
    java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    	at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    	at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    	at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    	at fi.common.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:125)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)
    	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    	at java.lang.Thread.run(Thread.java:619)
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
    	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
    	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1026)
    	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:328)
    	... 30 more
    Caused by: java.security.cert.CertificateException: No subject alternative names present
    	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
    	at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
    	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
    	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    	... 42 more

    情景二:

    生成证书时指定名称为域名(測试用的,改动了本地host文件)

    样例同情景一中的样例,仅仅是把web.xml中的IP地址改为了域名,測试结果为通过。

    假设client訪问出现例如以下错误:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    这样的错误往往是证书路径不正确导致的。

    可能原因一:tomcat使用的jdk和证书导入的jdk不是同一个

    可能原因二:导入完毕后须要重新启动(静态导入),重新启动一次不行建议重新启动第二次

    可能原因三:jdk中的证书导入错误


    结论

    所以得出结论,生成证书时须要指定域名而非用IP地址。

  • 相关阅读:
    120-136. 只出现一次的数字
    119-217. 存在重复元素
    118-103. 二叉树的锯齿形层序遍历
    117.力扣-两数相加问题
    116.python处理xmind文件
    115.python获取服务器信息
    日期转换类 DateConverter.java
    数据库连接工具类——包含取得连接和关闭资源 ConnUtil.java
    数据库连接工具类 数据库连接工具类——仅仅获得连接对象 ConnDB.java
    APP手机端加载不到资源服务器后台解决参考
  • 原文地址:https://www.cnblogs.com/yxwkf/p/5144040.html
Copyright © 2020-2023  润新知