从 SSLPeerUnverifiedException 中提取公用名的最佳方法?
Best way to extract common name from SSLPeerUnverifiedException?
我在 Fabric 上遇到以下异常:
Non-fatal Exception: javax.net.ssl.SSLPeerUnverifiedException: Hostname assets.domain.com not verified:
certificate: sha256/6NEXAaHJ2CAMKUOkWhMCwH9biv2QtAFsYMl0WqkocgM=
DN: CN=apc.aptilo.com,OU=Domain Control Validated - RapidSSL(R),OU=See www.rapidssl.com/resources/cps (c)13,OU=GT19785026,2.5.4.5=#13204456444273427335456d62337a6151706e6e6d356744615556354b6a63696c44
subjectAltNames: [apc.aptilo.com]
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:250)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:198)
at okhttp3.internal.connection.RealConnection.buildConnection(SourceFile:174)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:114)
at okhttp3.internal.connection.StreamAllocation.findConnection(SourceFile:193)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(SourceFile:129)
at okhttp3.internal.connection.StreamAllocation.newStream(SourceFile:98)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:109)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:124)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
at okhttp3.RealCall.getResponseWithInterceptorChain(SourceFile:170)
at okhttp3.RealCall.access0(SourceFile:33)
at okhttp3.RealCall$AsyncCall.execute(SourceFile:120)
at okhttp3.internal.NamedRunnable.run(SourceFile:32)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
at java.lang.Thread.run(Thread.java:818)
我们与安全团队一起意识到,这可能是用户打开我们的应用程序并连接到某些酒店 Wi-Fi 并被标记为那些讨厌的登录页面的情况。到目前为止,似乎只有 2 个用户受到影响,我们还有更多的用户,所以这不像是 真正的 中间人攻击。
因此,我想验证异常的通用名称。如果它与我们的主机 assets.domain.com 相匹配,那么它就是一个潜在的攻击,我想记录这一事件。如果 CN 不同,我只想抑制错误。
我有哪些选择?我只能考虑解析异常原因字符串并使用正则表达式提取 CN=value 部分。但是有没有更好的不易出错的解决方案呢?
tl;博士;
我想从 SSLPeerUnverifiedException 中提取 CN 值并将其与我们的有效主机名进行比较。实现此目标的最佳方法是什么?
你提供的样本有限,大概是这样的
"(?s)SSLPeerUnverifiedException:.*?(?<!\S)CN=([^\s,]+)(?=,)"
其中捕获组 1 包含 CN 值。
输出:
** Grp 0 - ( pos 35 , len 165 )
SSLPeerUnverifiedException: Hostname assets.domain.com not verified:
certificate: sha256/6NEXAaHJ2CAMKUOkWhMCwH9biv2QtAFsYMl0WqkocgM=
DN: CN=apc.aptilo.com
** Grp 1 - ( pos 186 , len 14 )
apc.aptilo.com
我在 Fabric 上遇到以下异常:
Non-fatal Exception: javax.net.ssl.SSLPeerUnverifiedException: Hostname assets.domain.com not verified:
certificate: sha256/6NEXAaHJ2CAMKUOkWhMCwH9biv2QtAFsYMl0WqkocgM=
DN: CN=apc.aptilo.com,OU=Domain Control Validated - RapidSSL(R),OU=See www.rapidssl.com/resources/cps (c)13,OU=GT19785026,2.5.4.5=#13204456444273427335456d62337a6151706e6e6d356744615556354b6a63696c44
subjectAltNames: [apc.aptilo.com]
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:250)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:198)
at okhttp3.internal.connection.RealConnection.buildConnection(SourceFile:174)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:114)
at okhttp3.internal.connection.StreamAllocation.findConnection(SourceFile:193)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(SourceFile:129)
at okhttp3.internal.connection.StreamAllocation.newStream(SourceFile:98)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:109)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:124)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:92)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:67)
at okhttp3.RealCall.getResponseWithInterceptorChain(SourceFile:170)
at okhttp3.RealCall.access0(SourceFile:33)
at okhttp3.RealCall$AsyncCall.execute(SourceFile:120)
at okhttp3.internal.NamedRunnable.run(SourceFile:32)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
at java.lang.Thread.run(Thread.java:818)
我们与安全团队一起意识到,这可能是用户打开我们的应用程序并连接到某些酒店 Wi-Fi 并被标记为那些讨厌的登录页面的情况。到目前为止,似乎只有 2 个用户受到影响,我们还有更多的用户,所以这不像是 真正的 中间人攻击。
因此,我想验证异常的通用名称。如果它与我们的主机 assets.domain.com 相匹配,那么它就是一个潜在的攻击,我想记录这一事件。如果 CN 不同,我只想抑制错误。
我有哪些选择?我只能考虑解析异常原因字符串并使用正则表达式提取 CN=value 部分。但是有没有更好的不易出错的解决方案呢?
tl;博士;
我想从 SSLPeerUnverifiedException 中提取 CN 值并将其与我们的有效主机名进行比较。实现此目标的最佳方法是什么?
你提供的样本有限,大概是这样的
"(?s)SSLPeerUnverifiedException:.*?(?<!\S)CN=([^\s,]+)(?=,)"
其中捕获组 1 包含 CN 值。
输出:
** Grp 0 - ( pos 35 , len 165 )
SSLPeerUnverifiedException: Hostname assets.domain.com not verified:
certificate: sha256/6NEXAaHJ2CAMKUOkWhMCwH9biv2QtAFsYMl0WqkocgM=
DN: CN=apc.aptilo.com
** Grp 1 - ( pos 186 , len 14 )
apc.aptilo.com