我最近继承了一个实验室 Ubuntu LAMP 服务器,该服务器相对被忽视并且仍在运行 Struts 1.0 应用程序。我们正准备进行全面检修,但与此同时,日志中抛出的唯一错误是 javax.net.ssl.SSLException: hostname in certificate didn't match 错误。我们希望在编写替换时临时修补它。我读过几个关于母校的问题(例如 1 、 2 、 3 、 4 ),它看起来像 Will Sargent's solution是最好的选择。
不幸的是,我进入服务器时完全没有文档,也没有从设置它的组返回的电子邮件(幸运的是,根据策略没有混淆 Java)。我查找了任何 keystore 文件(在文件名或 .jks 文件中搜索“keystore”),但没有找到。这让我觉得我需要做一个新的 initialize it prior调用 webClient.getPage。到目前为止,我已经能够很好地制作 .jks 文件,只是它不会更改 hostname 匹配错误。
有没有办法查看某个 servlet 使用的是哪个 keystore ,以及它的位置恰好是什么?或者,制作新的并使用/初始化它的正确方法是什么?
其他详细信息
有几件事情对我来说很奇怪。最主要的是我不明白为什么主机名不正确。被拉取的站点是 https://www.ncbi.nlm.nih.gov/account/ 如果您在浏览器中导航到它肯定会拉取正确的证书。我想知道是否是因为 WebClient(BrowserVersion.FIREFOX_17) 设置为古老的 FIREFOX_17。我应该把它从 17 改为 31 吗?有很多东西可以升级,但由于我们要从头开始制作文档,所以我希望在旧实例上尽可能少地进行更改,以希望它能再运行几个月。服务器上安装的 FIREFOX 版本不接近当前的以太币(不是它被使用),但我在考虑改变 BrowserVersion 只是改变了回复的格式。
这是代码,在抛出错误的那一行结束:
private Vector updateRDLpubs(Vector orderList, DataSource dataSource)
throws Exception
{
Vector removeList = new Vector();
Vector historyList = new Vector();
try
{
SimpleDateFormat format = new SimpleDateFormat("MM/dd/yyyy");
Calendar cal = Calendar.getInstance();
cal.add(5, -5);
Date days5Back = cal.getTime();
WebClient webClient = new WebClient(BrowserVersion.FIREFOX_17);
webClient.setThrowExceptionOnFailingStatusCode(false);
HtmlPage page = (HtmlPage)webClient.getPage("https://www.ncbi.nlm.nih.gov/account/");
这里是错误的堆栈跟踪:
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at com.gargoylesoftware.htmlunit.HtmlUnitSSLSocketFactory.connectSocket(HtmlUnitSSLSocketFactory.java:171)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:172)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponseFromWebConnection(WebClient.java:1486)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:1403)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:305)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:374)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:359)
at tanklab.UpdateRDLJob2.updateRDLpubs(UpdateRDLJob2.java:241)
at tanklab.UpdateRDLJob2.execute(UpdateRDLJob2.java:79)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:525)
最佳答案
编辑:啊,您正在使用 HTMLUnit。您的问题可能是您的 HTMLUnit 已严重过时——使用 https://tersesystems.com/2014/03/31/testing-hostname-verification/ 检查服务器如果没有任何显示,然后将 HTMLUnit 升级到最新版本。
更多编辑:为什么从 Quartz 使用 HTMLUnit?他们是否试图将其用作通用 HTTP 客户端?它不是为此而设计的。
最好的引用资料是 Bulletproof TLS,其中有一章是关于 JSSE 和 Tomcat 的。
Is there a way to see what keystore if any is being used by a servlet, and what its location happens to be?
这取决于正在设置的 SSLEngine——如果您在 servlet 中运行,应用服务器很可能已经设置了您的 SSL 配置。但是,您可以通过打开 -Djavax.net.debug=ALL 来调试 JVM,但它不会告诉您证书来自文件系统的哪个位置,除非您编写自定义 KeyStore 和 TrustManager (这是蹩脚的)。不过,这是调试信息:
- > https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
- > https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
Alternatively, what is the proper way to make a new one and have it be used/initialized?
这取决于您的应用程序服务器。如果你只需要提供一个自定义的 SSLEngine,你可以这样做(来自 https://github.com/wsargent/activator-play-tls-example/blob/master/app/https/CustomSSLEngineProvider.scala ):
class CustomSSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {
def readPassword(): Array[Char] = {
val passwordPath = FileSystems.getDefault.getPath("certs", "password")
Files.readAllLines(passwordPath).get(0).toCharArray
}
def readKeyInputStream(): java.io.InputStream = {
val keyPath = FileSystems.getDefault.getPath("certs", "example.com.jks")
Files.newInputStream(keyPath)
}
def readTrustInputStream(): java.io.InputStream = {
val keyPath = FileSystems.getDefault.getPath("certs", "clientca.jks")
Files.newInputStream(keyPath)
}
def readKeyManagers(): Array[KeyManager] = {
val password = readPassword()
val keyInputStream = readKeyInputStream()
try {
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
keyStore.load(keyInputStream, password)
val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
kmf.init(keyStore, password)
kmf.getKeyManagers
} finally {
keyInputStream.close()
}
}
def readTrustManagers(): Array[TrustManager] = {
val password = readPassword()
val trustInputStream = readTrustInputStream()
try {
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
keyStore.load(trustInputStream, password)
val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
tmf.init(keyStore)
tmf.getTrustManagers
} finally {
trustInputStream.close()
}
}
def createSSLContext(applicationProvider: ApplicationProvider): SSLContext = {
val keyManagers = readKeyManagers()
val trustManagers = readTrustManagers()
// Configure the SSL context to use TLS
val sslContext = SSLContext.getInstance("TLS")
sslContext.init(keyManagers, trustManagers, null)
sslContext
}
override def createSSLEngine(): SSLEngine = {
val sslContext = createSSLContext(appProvider)
// Start off with a clone of the default SSL parameters...
val sslParameters = sslContext.getDefaultSSLParameters
// Tells the server to ignore client's cipher suite preference.
// http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#cipher_suite_preference
sslParameters.setUseCipherSuitesOrder(true)
// http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLParameters
val needClientAuth = java.lang.System.getProperty("play.ssl.needClientAuth")
sslParameters.setNeedClientAuth(java.lang.Boolean.parseBoolean(needClientAuth))
// Clone and modify the default SSL parameters.
val engine = sslContext.createSSLEngine
engine.setSSLParameters(sslParameters)
engine
}
}
关于java - 查找或初始化解决 "hostname in certificate didn' t 匹配所需的 keystore ”,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30105561/