SSL 中证书是否可以使用IP而不是域名
来源:互联网 发布:医疗器械网络推广方案 编辑:程序博客网 时间:2024/05/10 11:37
前言:以前听别人说生成证书时可以用IP地址,今天用例子证实了下用IP地址是不行的。
情景一:
生成证书时指定的名称为IP地址
例子是做单点登录时的例子,web.xml中配置如下:
<!--该过滤器负责用户的认证工作,必须启用它 --> <filter> <filter-name>CASFilter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://172.18.113.78:8443/CasServer/login</param-value> <!--这里的server是服务端的IP --> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://127.0.0.1:8080/</param-value> </init-param> </filter> <filter-mapping> <filter-name>CASFilter</filter-name> <url-pattern>/*</url-pattern </filter-mapping> <!-- 该过滤器负责对Ticket的校验工作,必须启用它 --> <!-- ValidationFilter 这个filter负责对请求参数ticket进行验证(ticket参数是负责子系统与CAS进行验证交互的凭证)casServerUrlPrefix:CAS服务访问地址serverName:当前应用所在的主机名 --> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter </filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://172.18.113.78:8443/CasServer</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://127.0.0.1:8080</param-value> </init-param> <init-param><param-name>encoding</param-name><param-value>UTF-8</param-value></init-param> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
如上配置中指定使用HTTPS协议,生成证书时指定的名称为上图中的172.18.113.78,访问后出错,结果如下:
严重: Servlet.service() for servlet [jsp] in context with path [/uum] threw exceptionjava.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names presentat org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)at fi.common.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:125)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)at java.lang.Thread.run(Thread.java:619)Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names presentat com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1026)at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:328)... 30 moreCaused by: java.security.cert.CertificateException: No subject alternative names presentat sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)... 42 more
情景二:
生成证书时指定名称为域名(测试用的,修改了本地host文件)
例子同情景一中的例子,只是把web.xml中的IP地址改为了域名,测试结果为通过。
如果客户端访问出现如下错误:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target这种错误往往是证书路径不对导致的。
可能原因一:tomcat使用的jdk和证书导入的jdk不是同一个
可能原因二:导入完成后需要重启(静态导入),重启一次不行建议重启第二次
可能原因三:jdk中的证书导入错误
结论
所以得出结论,生成证书时需要指定域名而非用IP地址。
0 0
- SSL 中证书是否可以使用IP而不是域名
- delphi 域名转ip并判断ip是否可以联通
- 验证SSL证书是否正确,以及证书所解析出的域名
- GlobalSign 域名型 SSL 证书
- 申请域名及SSL证书
- RSA - SSL中证书的使用
- DV SSL证书 - 域名验证型SSL证书
- jetty嵌入式开发中使用ssl连接,ssl证书生成
- SSL使用windows证书库中证书实现双向认证
- 全球首款多域名通配符SSL证书
- 沃通SSL证书支持最新顶级域名
- ssl证书支持多域名吗?
- 如何申请沃通多域名免费SSL证书
- 申请SSL证书怎样验证域名所有权
- 申请SSL证书怎样验证域名所有权
- SSL多域名绑定证书的解决方案
- nginx 安装ssl证书及域名配置文件
- 在startssl申请免费域名ssl证书
- 文件操作的几个函数
- ADS1.2 Error:(Fatal) L6002u:could not open file
- TrafficLamp
- BankQueue
- java规范模型概述
- SSL 中证书是否可以使用IP而不是域名
- Effective C++ Item 42 了解 typename 的双重意义
- Ant 的安装和使用教程
- Effective C++ Item 43 学习处理模板化基类内的名称
- day118 玩word(20140709)
- 【HDU】2647 Reward 拓扑排序
- 360浏览器极速版 v7.5.3.182 官方正式版_HTM5浏览器
- Effective C++ Item 46 需要类型转换时请为模板定义非成员函数
- 我与外汇