个人中心
gpt4 book ai didi

java - 查找或初始化解决 "hostname in certificate didn' t 匹配所需的 keystore ”

转载 作者:太空宇宙 更新时间:2023-11-03 14:11:09 32 4
gpt4 key购买 nike

我最近继承了一个实验室 Ubuntu LAMP 服务器,该服务器相对被忽视并且仍在运行 Struts 1.0 应用程序。我们正准备进行全面检修,但与此同时,日志中抛出的唯一错误是 javax.net.ssl.SSLException: hostname in certificate didn't match 错误。我们希望在编写替换时临时修补它。我读过几个关于母校的问题(例如 1234 ),它看起来像 Will Sargent's solution是最好的选择。

不幸的是,我进入服务器时完全没有文档,也没有从设置它的组返回的电子邮件(幸运的是,根据策略没有混淆 Java)。我查找了任何 keystore 文件(在文件名或 .jks 文件中搜索“keystore”),但没有找到。这让我觉得我需要做一个新的 initialize it prior调用 webClient.getPage。到目前为止,我已经能够很好地制作 .jks 文件,只是它不会更改 hostname 匹配错误。

有没有办法查看某个 servlet 使用的是哪个 keystore ,以及它的位置恰好是什么?或者,制作新的并使用/初始化它的正确方法是什么?

其他详细信息

有几件事情对我来说很奇怪。最主要的是我不明白为什么主机名不正确。被拉取的站点是 https://www.ncbi.nlm.nih.gov/account/ 如果您在浏览器中导航到它肯定会拉取正确的证书。我想知道是否是因为 WebClient(BrowserVersion.FIREFOX_17) 设置为古老的 FIREFOX_17。我应该把它从 17 改为 31 吗?有很多东西可以升级,但由于我们要从头开始制作文档,所以我希望在旧实例上尽可能少地进行更改,以希望它能再运行几个月。服务器上安装的 FIREFOX 版本不接近当前的以太币(不是它被使用),但我在考虑改变 BrowserVersion 只是改变了回复的格式。

这是代码,在抛出错误的那一行结束:

  private Vector updateRDLpubs(Vector orderList, DataSource dataSource)
    throws Exception
  {
    Vector removeList = new Vector();
    Vector historyList = new Vector();
    try
    {
      SimpleDateFormat format = new SimpleDateFormat("MM/dd/yyyy");
      Calendar cal = Calendar.getInstance();
      cal.add(5, -5);
      Date days5Back = cal.getTime();

      WebClient webClient = new WebClient(BrowserVersion.FIREFOX_17);
      webClient.setThrowExceptionOnFailingStatusCode(false);
      HtmlPage page = (HtmlPage)webClient.getPage("https://www.ncbi.nlm.nih.gov/account/");

这里是错误的堆栈跟踪:

at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at com.gargoylesoftware.htmlunit.HtmlUnitSSLSocketFactory.connectSocket(HtmlUnitSSLSocketFactory.java:171)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:172)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponseFromWebConnection(WebClient.java:1486)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:1403)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:305)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:374)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:359)
at tanklab.UpdateRDLJob2.updateRDLpubs(UpdateRDLJob2.java:241)
at tanklab.UpdateRDLJob2.execute(UpdateRDLJob2.java:79)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:525)

最佳答案

编辑:啊,您正在使用 HTMLUnit。您的问题可能是您的 HTMLUnit 已严重过时——使用 https://tersesystems.com/2014/03/31/testing-hostname-verification/ 检查服务器如果没有任何显示,然后将 HTMLUnit 升级到最新版本。

更多编辑:为什么从 Quartz 使用 HTMLUnit?他们是否试图将其用作通用 HTTP 客户端?它不是为此而设计的。

最好的引用资料是 Bulletproof TLS,其中有一章是关于 JSSE 和 Tomcat 的。

Is there a way to see what keystore if any is being used by a servlet, and what its location happens to be?

这取决于正在设置的 SSLEngine——如果您在 servlet 中运行,应用服务器很可能已经设置了您的 SSL 配置。但是,您可以通过打开 -Djavax.net.debug=ALL 来调试 JVM,但它不会告诉您证书来自文件系统的哪个位置,除非您编写自定义 KeyStore 和 TrustManager (这是蹩脚的)。不过,这是调试信息:

Alternatively, what is the proper way to make a new one and have it be used/initialized?

这取决于您的应用程序服务器。如果你只需要提供一个自定义的 SSLEngine,你可以这样做(来自 https://github.com/wsargent/activator-play-tls-example/blob/master/app/https/CustomSSLEngineProvider.scala ):

class CustomSSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {

  def readPassword(): Array[Char] = {
    val passwordPath = FileSystems.getDefault.getPath("certs", "password")
    Files.readAllLines(passwordPath).get(0).toCharArray
  }

  def readKeyInputStream(): java.io.InputStream = {
    val keyPath = FileSystems.getDefault.getPath("certs", "example.com.jks")
    Files.newInputStream(keyPath)
  }

  def readTrustInputStream(): java.io.InputStream = {
    val keyPath = FileSystems.getDefault.getPath("certs", "clientca.jks")
    Files.newInputStream(keyPath)
  }

  def readKeyManagers(): Array[KeyManager] = {
    val password = readPassword()
    val keyInputStream = readKeyInputStream()
    try {
      val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
      keyStore.load(keyInputStream, password)
      val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
      kmf.init(keyStore, password)
      kmf.getKeyManagers
    } finally {
      keyInputStream.close()
    }
  }

  def readTrustManagers(): Array[TrustManager] = {
    val password = readPassword()
    val trustInputStream = readTrustInputStream()
    try {
      val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
      keyStore.load(trustInputStream, password)
      val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
      tmf.init(keyStore)
      tmf.getTrustManagers
    } finally {
      trustInputStream.close()
    }
  }

  def createSSLContext(applicationProvider: ApplicationProvider): SSLContext = {
    val keyManagers = readKeyManagers()
    val trustManagers = readTrustManagers()

    // Configure the SSL context to use TLS
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(keyManagers, trustManagers, null)
    sslContext
  }

  override def createSSLEngine(): SSLEngine = {
    val sslContext = createSSLContext(appProvider)

    // Start off with a clone of the default SSL parameters...
    val sslParameters = sslContext.getDefaultSSLParameters

    // Tells the server to ignore client's cipher suite preference.
    // http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#cipher_suite_preference
    sslParameters.setUseCipherSuitesOrder(true)

    // http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLParameters
    val needClientAuth = java.lang.System.getProperty("play.ssl.needClientAuth")
    sslParameters.setNeedClientAuth(java.lang.Boolean.parseBoolean(needClientAuth))

    // Clone and modify the default SSL parameters.
    val engine = sslContext.createSSLEngine
    engine.setSSLParameters(sslParameters)

    engine
  }

}

关于java - 查找或初始化解决 "hostname in certificate didn' t 匹配所需的 keystore ”,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30105561/

32 4 0
文章推荐: python - 列表理解在 Python2 : how making it be compatible with Python3 中泄漏了它们的循环变量
文章推荐: c# - WCF 代理使用
文章推荐: python - pip installtensorflow在尝试安装相关packeg :futures时抛出错误
文章推荐: python - 错误说明 - 'statInter' 对象没有属性 'tk'
太空宇宙
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com