javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified, for no self-signed cert

Question

Recently I noticed that during a simple GET over HTTPS, 0.5-1% of all users face javax.net.ssl.SSLPeerUnverifiedException.

But they look interesting: the exception message contains certificate information, and according to it the certificate has nothing to do with my server. Examples of the exception are:

javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/AUSXlKDCf1X30WhWeAWbjToABfBkJrKWPL6KwEi5VH0= DN: CN=hautdebitmobile.orange.fr,OU=Orange France,O=Orange,L=Paris,ST=Paris,C=FR subjectAltNames: [hautdebitmobile.orange.fr]

javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/LKtpdq9q7F7msGK0w1+b/gKoDHaQcZKTHIf9PTz2u+U= DN: CN=wireless.wifirst.net,OU=Gandi Standard SSL,OU=Domain Control Validated subjectAltNames: [wireless.wifirst.net, www.wireless.wifirst.net]

javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/TfZXN7z9Tky/Z84sfOJcq4lhD3kNY4fPp3gKUZ27ekE= DN: CN=.internet-access.center,OU=Gandi Standard Wildcard SSL,OU=Domain Control Validated subjectAltNames: [.internet-access.center, internet-access.center]

javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/Bx0LzMlqtgOKRIfUR4cQfb7yDy+3iotESgqk9HvWTOA= DN: CN=.nomosphere.fr,OU=Gandi Standard Wildcard SSL,OU=Domain Control Validated subjectAltNames: [.nomosphere.fr, nomosphere.fr]

javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/zaV2Aw1A742R1+WpXWvL5atsJbGmeSS6dzZOfe6f1Yw= DN: CN=login.globalsuite.net,OU=COMODO SSL Unified Communications,OU=Domain Control Validated subjectAltNames: [login.globalsuite.net, *.gtkcentral.net, *.gtkserver.net]

javax.net.ssl.SSLPeerUnverifiedException: Hostname XXX not verified: certificate: sha256/UwOkRGMlP0K/mKNJdpQ0sTg2ean9Tje8UTOvFYzt1GE= DN: CN=login.netinary.net,OU=Security,O=NETINARY,L=MARSEILLE,ST=Bouches-du-Rhône,C=FR subjectAltNames: [login.netinary.net]

At first glance these certificates look random, but after a quick search I found that the domains mentioned in them belong to internet providers.

Answer

Your assumption may be correct.

It looks like a man-in-the-middle (MitM) intercepted the traffic and created a certificate (self-signed or issued by an intermediate CA) that is not accepted by Java.

Java, by default, accepts only certificates from trusted root CAs. The trusted certificates are located in the file cacerts in the Java installation.
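To triage reports like the ones quoted in the question in bulk, here is an added example (not code from the question or the answer): it parses the OkHttp-style message, checks whether the presented certificate's subjectAltNames cover the expected host (single-label wildcard rule), and counts the interposed certificates by pin. The expected host api.example.com and the sample lines are constructed from the message shapes shown in the question.

```python
import re
from dataclasses import dataclass

# Message layout emitted by OkHttp's hostname verifier, as seen in the question.
_MSG = re.compile(
    r"Hostname (?P<host>\S+) not verified: certificate: (?P<pin>sha256/\S+) "
    r"DN: (?P<dn>.*?) subjectAltNames: \[(?P<sans>.*?)\]$"
)

@dataclass
class PeerCert:
    host: str   # hostname the client expected
    pin: str    # sha256/... SPKI pin of the presented leaf certificate
    dn: str     # subject DN of the presented certificate
    sans: list  # subjectAltName entries, may contain wildcards

def parse_message(line: str) -> PeerCert:
    m = _MSG.search(line)
    if not m:
        raise ValueError("not an SSLPeerUnverifiedException message: " + line)
    sans = [s.strip() for s in m.group("sans").split(",") if s.strip()]
    return PeerCert(m.group("host"), m.group("pin"), m.group("dn"), sans)

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                     # ".gtkcentral.net"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label

def cert_matches_host(cert: PeerCert, host: str) -> bool:
    return any(name_matches(san, host) for san in cert.sans)

def triage(lines, expected_host):
    """Count reports whose certificate does not cover expected_host, keyed by pin + SANs.
    A name set that never covers our host points to an interposed certificate
    (captive portal, proxy), not to a misconfiguration of our own server."""
    interposed = {}
    for line in lines:
        cert = parse_message(line)
        if not cert_matches_host(cert, expected_host):
            key = (cert.pin, tuple(cert.sans))
            interposed[key] = interposed.get(key, 0) + 1
    return interposed

SAMPLE_LINES = [  # constructed from the question's messages, host XXX replaced by a placeholder
    "javax.net.ssl.SSLPeerUnverifiedException: Hostname api.example.com not verified: certificate: sha256/AUSXlKDCf1X30WhWeAWbjToABfBkJrKWPL6KwEi5VH0= DN: CN=hautdebitmobile.orange.fr,OU=Orange France,O=Orange,L=Paris,ST=Paris,C=FR subjectAltNames: [hautdebitmobile.orange.fr]",
    "javax.net.ssl.SSLPeerUnverifiedException: Hostname api.example.com not verified: certificate: sha256/zaV2Aw1A742R1+WpXWvL5atsJbGmeSS6dzZOfe6f1Yw= DN: CN=login.globalsuite.net,OU=COMODO SSL Unified Communications,OU=Domain Control Validated subjectAltNames: [login.globalsuite.net, *.gtkcentral.net, *.gtkserver.net]",
]
```

Reports whose SAN set does cover the expected host would instead point at a chain-trust problem (an untrusted or intermediate CA), which is the case the answer describes.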