查找或初始化解决 "hostname in certificate didn't match" 所需的密钥库
Find or initialize the keystore needed to solve "hostname in certificate didn't match"
我最近继承了一个实验室 Ubuntu LAMP 服务器,该服务器一直被相对忽视并且仍然 运行 一个 Struts 1.0 应用程序。我们正准备进行全面检修,但与此同时,日志中抛出的唯一错误是 javax.net.ssl.SSLException: hostname in certificate didn't match
错误。我们希望在编写替换时临时修补它。我读过几个关于这个问题的问题(例如 1, 2, 3, 4) and it seemed like Will Sargent's solution 是最好的选择。
不幸的是,我进入服务器时完全没有文档,也没有从设置它的组返回的电子邮件(幸运的是 Java 的 none 根据策略进行了混淆处理)。我查找了任何密钥库文件(在文件名或 .jks
文件中搜索 "keystore"),但我没有找到。这让我认为我需要制作一个新的 initialize it prior 来调用 webClient.getPage
。到目前为止,我已经能够很好地制作 .jks
文件,只是它没有改变 hostname
匹配错误。
有没有办法查看某个 servlet 使用的是哪个密钥库,以及它的位置恰好是什么?或者,制作新的并使其成为 used/initialized?
的正确方法是什么
其他详细信息
关于这件事有几件事对我来说很奇怪。最主要的是我不明白为什么主机名不正确。被拉取的站点是 https://www.ncbi.nlm.nih.gov/account/
,如果您在浏览器中导航到它,肯定会拉取正确的证书。我想知道是否是因为 WebClient(BrowserVersion.FIREFOX_17)
设置为过时的 FIREFOX_17
。我应该把它从 17 改为 31 吗?有很多东西可以升级,但由于我们要从头开始制作文档,所以我想尽可能少地对旧实例进行更改,希望能将它 运行 再保留几个月.服务器上安装的 FIREFOX 版本不接近当前的以太币(不是它被使用),但我正在考虑改变 BrowserVersion
只是改变了回复的格式。
这是代码,在抛出错误的行结束:
private Vector updateRDLpubs(Vector orderList, DataSource dataSource)
throws Exception
{
Vector removeList = new Vector();
Vector historyList = new Vector();
try
{
SimpleDateFormat format = new SimpleDateFormat("MM/dd/yyyy");
Calendar cal = Calendar.getInstance();
cal.add(5, -5);
Date days5Back = cal.getTime();
WebClient webClient = new WebClient(BrowserVersion.FIREFOX_17);
webClient.setThrowExceptionOnFailingStatusCode(false);
HtmlPage page = (HtmlPage)webClient.getPage("https://www.ncbi.nlm.nih.gov/account/");
这里是关于错误的堆栈跟踪:
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at com.gargoylesoftware.htmlunit.HtmlUnitSSLSocketFactory.connectSocket(HtmlUnitSSLSocketFactory.java:171)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:172)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponseFromWebConnection(WebClient.java:1486)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:1403)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:305)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:374)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:359)
at tanklab.UpdateRDLJob2.updateRDLpubs(UpdateRDLJob2.java:241)
at tanklab.UpdateRDLJob2.execute(UpdateRDLJob2.java:79)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:525)
编辑:啊,你正在使用 HTMLUnit。您的问题可能是您的 HTMLUnit 已严重过时 - 使用 https://tersesystems.com/2014/03/31/testing-hostname-verification/ 检查服务器,如果没有任何显示,然后将 HTMLUnit 升级到最新版本。
更多编辑:为什么从 Quartz 使用 HTMLUnit?他们是否试图将其用作通用 HTTP 客户端?它不是为此而设计的。
最好的参考资料是 Bulletproof TLS,其中有一章是关于 JSSE 和 Tomcat。
Is there a way to see what keystore if any is being used by a servlet, and what its location happens to be?
这取决于正在设置的 SSLEngine -- 如果您 运行 在 servlet 中,应用服务器很可能已经设置了您的 SSL 配置。但是,您可以通过打开 -Djavax.net.debug=ALL
来调试 JVM,但它不会告诉您证书来自文件系统上的哪个位置,除非您编写了自定义 KeyStore 和 TrustManager(这是蹩脚的)。不过,这是调试信息:
- https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
- https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
Alternatively, what is the proper way to make a new one and have it be used/initialized?
这取决于您的应用程序服务器。如果你只需要提供一个自定义的 SSLEngine,你可以这样做(来自 https://github.com/wsargent/activator-play-tls-example/blob/master/app/https/CustomSSLEngineProvider.scala):
class CustomSSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {
def readPassword(): Array[Char] = {
val passwordPath = FileSystems.getDefault.getPath("certs", "password")
Files.readAllLines(passwordPath).get(0).toCharArray
}
def readKeyInputStream(): java.io.InputStream = {
val keyPath = FileSystems.getDefault.getPath("certs", "example.com.jks")
Files.newInputStream(keyPath)
}
def readTrustInputStream(): java.io.InputStream = {
val keyPath = FileSystems.getDefault.getPath("certs", "clientca.jks")
Files.newInputStream(keyPath)
}
def readKeyManagers(): Array[KeyManager] = {
val password = readPassword()
val keyInputStream = readKeyInputStream()
try {
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
keyStore.load(keyInputStream, password)
val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
kmf.init(keyStore, password)
kmf.getKeyManagers
} finally {
keyInputStream.close()
}
}
def readTrustManagers(): Array[TrustManager] = {
val password = readPassword()
val trustInputStream = readTrustInputStream()
try {
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
keyStore.load(trustInputStream, password)
val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
tmf.init(keyStore)
tmf.getTrustManagers
} finally {
trustInputStream.close()
}
}
def createSSLContext(applicationProvider: ApplicationProvider): SSLContext = {
val keyManagers = readKeyManagers()
val trustManagers = readTrustManagers()
// Configure the SSL context to use TLS
val sslContext = SSLContext.getInstance("TLS")
sslContext.init(keyManagers, trustManagers, null)
sslContext
}
override def createSSLEngine(): SSLEngine = {
val sslContext = createSSLContext(appProvider)
// Start off with a clone of the default SSL parameters...
val sslParameters = sslContext.getDefaultSSLParameters
// Tells the server to ignore client's cipher suite preference.
// http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#cipher_suite_preference
sslParameters.setUseCipherSuitesOrder(true)
// http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLParameters
val needClientAuth = java.lang.System.getProperty("play.ssl.needClientAuth")
sslParameters.setNeedClientAuth(java.lang.Boolean.parseBoolean(needClientAuth))
// Clone and modify the default SSL parameters.
val engine = sslContext.createSSLEngine
engine.setSSLParameters(sslParameters)
engine
}
}
我最近继承了一个实验室 Ubuntu LAMP 服务器,该服务器一直被相对忽视并且仍然 运行 一个 Struts 1.0 应用程序。我们正准备进行全面检修,但与此同时,日志中抛出的唯一错误是 javax.net.ssl.SSLException: hostname in certificate didn't match
错误。我们希望在编写替换时临时修补它。我读过几个关于这个问题的问题(例如 1, 2, 3, 4) and it seemed like Will Sargent's solution 是最好的选择。
不幸的是,我进入服务器时完全没有文档,也没有从设置它的组返回的电子邮件(幸运的是 Java 的 none 根据策略进行了混淆处理)。我查找了任何密钥库文件(在文件名或 .jks
文件中搜索 "keystore"),但我没有找到。这让我认为我需要制作一个新的 initialize it prior 来调用 webClient.getPage
。到目前为止,我已经能够很好地制作 .jks
文件,只是它没有改变 hostname
匹配错误。
有没有办法查看某个 servlet 使用的是哪个密钥库,以及它的位置恰好是什么?或者,制作新的并使其成为 used/initialized?
的正确方法是什么其他详细信息
关于这件事有几件事对我来说很奇怪。最主要的是我不明白为什么主机名不正确。被拉取的站点是 https://www.ncbi.nlm.nih.gov/account/
,如果您在浏览器中导航到它,肯定会拉取正确的证书。我想知道是否是因为 WebClient(BrowserVersion.FIREFOX_17)
设置为过时的 FIREFOX_17
。我应该把它从 17 改为 31 吗?有很多东西可以升级,但由于我们要从头开始制作文档,所以我想尽可能少地对旧实例进行更改,希望能将它 运行 再保留几个月.服务器上安装的 FIREFOX 版本不接近当前的以太币(不是它被使用),但我正在考虑改变 BrowserVersion
只是改变了回复的格式。
这是代码,在抛出错误的行结束:
private Vector updateRDLpubs(Vector orderList, DataSource dataSource)
throws Exception
{
Vector removeList = new Vector();
Vector historyList = new Vector();
try
{
SimpleDateFormat format = new SimpleDateFormat("MM/dd/yyyy");
Calendar cal = Calendar.getInstance();
cal.add(5, -5);
Date days5Back = cal.getTime();
WebClient webClient = new WebClient(BrowserVersion.FIREFOX_17);
webClient.setThrowExceptionOnFailingStatusCode(false);
HtmlPage page = (HtmlPage)webClient.getPage("https://www.ncbi.nlm.nih.gov/account/");
这里是关于错误的堆栈跟踪:
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at com.gargoylesoftware.htmlunit.HtmlUnitSSLSocketFactory.connectSocket(HtmlUnitSSLSocketFactory.java:171)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:172)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponseFromWebConnection(WebClient.java:1486)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:1403)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:305)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:374)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:359)
at tanklab.UpdateRDLJob2.updateRDLpubs(UpdateRDLJob2.java:241)
at tanklab.UpdateRDLJob2.execute(UpdateRDLJob2.java:79)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:525)
编辑:啊,你正在使用 HTMLUnit。您的问题可能是您的 HTMLUnit 已严重过时 - 使用 https://tersesystems.com/2014/03/31/testing-hostname-verification/ 检查服务器,如果没有任何显示,然后将 HTMLUnit 升级到最新版本。
更多编辑:为什么从 Quartz 使用 HTMLUnit?他们是否试图将其用作通用 HTTP 客户端?它不是为此而设计的。
最好的参考资料是 Bulletproof TLS,其中有一章是关于 JSSE 和 Tomcat。
Is there a way to see what keystore if any is being used by a servlet, and what its location happens to be?
这取决于正在设置的 SSLEngine -- 如果您 运行 在 servlet 中,应用服务器很可能已经设置了您的 SSL 配置。但是,您可以通过打开 -Djavax.net.debug=ALL
来调试 JVM,但它不会告诉您证书来自文件系统上的哪个位置,除非您编写了自定义 KeyStore 和 TrustManager(这是蹩脚的)。不过,这是调试信息:
- https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
- https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
Alternatively, what is the proper way to make a new one and have it be used/initialized?
这取决于您的应用程序服务器。如果你只需要提供一个自定义的 SSLEngine,你可以这样做(来自 https://github.com/wsargent/activator-play-tls-example/blob/master/app/https/CustomSSLEngineProvider.scala):
class CustomSSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {
def readPassword(): Array[Char] = {
val passwordPath = FileSystems.getDefault.getPath("certs", "password")
Files.readAllLines(passwordPath).get(0).toCharArray
}
def readKeyInputStream(): java.io.InputStream = {
val keyPath = FileSystems.getDefault.getPath("certs", "example.com.jks")
Files.newInputStream(keyPath)
}
def readTrustInputStream(): java.io.InputStream = {
val keyPath = FileSystems.getDefault.getPath("certs", "clientca.jks")
Files.newInputStream(keyPath)
}
def readKeyManagers(): Array[KeyManager] = {
val password = readPassword()
val keyInputStream = readKeyInputStream()
try {
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
keyStore.load(keyInputStream, password)
val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
kmf.init(keyStore, password)
kmf.getKeyManagers
} finally {
keyInputStream.close()
}
}
def readTrustManagers(): Array[TrustManager] = {
val password = readPassword()
val trustInputStream = readTrustInputStream()
try {
val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
keyStore.load(trustInputStream, password)
val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
tmf.init(keyStore)
tmf.getTrustManagers
} finally {
trustInputStream.close()
}
}
def createSSLContext(applicationProvider: ApplicationProvider): SSLContext = {
val keyManagers = readKeyManagers()
val trustManagers = readTrustManagers()
// Configure the SSL context to use TLS
val sslContext = SSLContext.getInstance("TLS")
sslContext.init(keyManagers, trustManagers, null)
sslContext
}
override def createSSLEngine(): SSLEngine = {
val sslContext = createSSLContext(appProvider)
// Start off with a clone of the default SSL parameters...
val sslParameters = sslContext.getDefaultSSLParameters
// Tells the server to ignore client's cipher suite preference.
// http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#cipher_suite_preference
sslParameters.setUseCipherSuitesOrder(true)
// http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLParameters
val needClientAuth = java.lang.System.getProperty("play.ssl.needClientAuth")
sslParameters.setNeedClientAuth(java.lang.Boolean.parseBoolean(needClientAuth))
// Clone and modify the default SSL parameters.
val engine = sslContext.createSSLEngine
engine.setSSLParameters(sslParameters)
engine
}
}