查找或初始化解决 "hostname in certificate didn't match" 所需的密钥库

Find or initialize the keystore needed to solve "hostname in certificate didn't match"

我最近继承了一个实验室 Ubuntu LAMP 服务器,该服务器一直被相对忽视并且仍然 运行 一个 Struts 1.0 应用程序。我们正准备进行全面检修,但与此同时,日志中抛出的唯一错误是 javax.net.ssl.SSLException: hostname in certificate didn't match 错误。我们希望在编写替换时临时修补它。我读过几个关于这个问题的问题(例如 1, 2, 3, 4) and it seemed like Will Sargent's solution 是最好的选择。

不幸的是,我进入服务器时完全没有文档,也没有从设置它的组返回的电子邮件(幸运的是 Java 的 none 根据策略进行了混淆处理)。我查找了任何密钥库文件(在文件名或 .jks 文件中搜索 "keystore"),但我没有找到。这让我认为我需要制作一个新的 initialize it prior 来调用 webClient.getPage。到目前为止,我已经能够很好地制作 .jks 文件,只是它没有改变 hostname 匹配错误。

有没有办法查看某个 servlet 使用的是哪个密钥库,以及它的位置恰好是什么?或者,制作新的并使其成为 used/initialized?

的正确方法是什么

其他详细信息

关于这件事有几件事对我来说很奇怪。最主要的是我不明白为什么主机名不正确。被拉取的站点是 https://www.ncbi.nlm.nih.gov/account/,如果您在浏览器中导航到它,肯定会拉取正确的证书。我想知道是否是因为 WebClient(BrowserVersion.FIREFOX_17) 设置为过时的 FIREFOX_17。我应该把它从 17 改为 31 吗?有很多东西可以升级,但由于我们要从头开始制作文档,所以我想尽可能少地对旧实例进行更改,希望能将它 运行 再保留几个月.服务器上安装的 FIREFOX 版本不接近当前的以太币(不是它被使用),但我正在考虑改变 BrowserVersion 只是改变了回复的格式。

这是代码,在抛出错误的行结束:

  private Vector updateRDLpubs(Vector orderList, DataSource dataSource)
    throws Exception
  {
    Vector removeList = new Vector();
    Vector historyList = new Vector();
    try
    {
      SimpleDateFormat format = new SimpleDateFormat("MM/dd/yyyy");
      Calendar cal = Calendar.getInstance();
      cal.add(5, -5);
      Date days5Back = cal.getTime();

      WebClient webClient = new WebClient(BrowserVersion.FIREFOX_17);
      webClient.setThrowExceptionOnFailingStatusCode(false);
      HtmlPage page = (HtmlPage)webClient.getPage("https://www.ncbi.nlm.nih.gov/account/");

这里是关于错误的堆栈跟踪:

at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:227)
at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:147)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at com.gargoylesoftware.htmlunit.HtmlUnitSSLSocketFactory.connectSocket(HtmlUnitSSLSocketFactory.java:171)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:172)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponseFromWebConnection(WebClient.java:1486)
at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:1403)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:305)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:374)
at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:359)
at tanklab.UpdateRDLJob2.updateRDLpubs(UpdateRDLJob2.java:241)
at tanklab.UpdateRDLJob2.execute(UpdateRDLJob2.java:79)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:525)

编辑:啊,你正在使用 HTMLUnit。您的问题可能是您的 HTMLUnit 已严重过时 - 使用 https://tersesystems.com/2014/03/31/testing-hostname-verification/ 检查服务器,如果没有任何显示,然后将 HTMLUnit 升级到最新版本。

更多编辑:为什么从 Quartz 使用 HTMLUnit?他们是否试图将其用作通用 HTTP 客户端?它不是为此而设计的。

最好的参考资料是 Bulletproof TLS,其中有一章是关于 JSSE 和 Tomcat。

Is there a way to see what keystore if any is being used by a servlet, and what its location happens to be?

这取决于正在设置的 SSLEngine -- 如果您 运行 在 servlet 中,应用服务器很可能已经设置了您的 SSL 配置。但是,您可以通过打开 -Djavax.net.debug=ALL 来调试 JVM,但它不会告诉您证书来自文件系统上的哪个位置,除非您编写了自定义 KeyStore 和 TrustManager(这是蹩脚的)。不过,这是调试信息:

Alternatively, what is the proper way to make a new one and have it be used/initialized?

这取决于您的应用程序服务器。如果你只需要提供一个自定义的 SSLEngine,你可以这样做(来自 https://github.com/wsargent/activator-play-tls-example/blob/master/app/https/CustomSSLEngineProvider.scala):

class CustomSSLEngineProvider(appProvider: ApplicationProvider) extends SSLEngineProvider {

  def readPassword(): Array[Char] = {
    val passwordPath = FileSystems.getDefault.getPath("certs", "password")
    Files.readAllLines(passwordPath).get(0).toCharArray
  }

  def readKeyInputStream(): java.io.InputStream = {
    val keyPath = FileSystems.getDefault.getPath("certs", "example.com.jks")
    Files.newInputStream(keyPath)
  }

  def readTrustInputStream(): java.io.InputStream = {
    val keyPath = FileSystems.getDefault.getPath("certs", "clientca.jks")
    Files.newInputStream(keyPath)
  }

  def readKeyManagers(): Array[KeyManager] = {
    val password = readPassword()
    val keyInputStream = readKeyInputStream()
    try {
      val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
      keyStore.load(keyInputStream, password)
      val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
      kmf.init(keyStore, password)
      kmf.getKeyManagers
    } finally {
      keyInputStream.close()
    }
  }

  def readTrustManagers(): Array[TrustManager] = {
    val password = readPassword()
    val trustInputStream = readTrustInputStream()
    try {
      val keyStore = KeyStore.getInstance(KeyStore.getDefaultType)
      keyStore.load(trustInputStream, password)
      val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
      tmf.init(keyStore)
      tmf.getTrustManagers
    } finally {
      trustInputStream.close()
    }
  }

  def createSSLContext(applicationProvider: ApplicationProvider): SSLContext = {
    val keyManagers = readKeyManagers()
    val trustManagers = readTrustManagers()

    // Configure the SSL context to use TLS
    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(keyManagers, trustManagers, null)
    sslContext
  }

  override def createSSLEngine(): SSLEngine = {
    val sslContext = createSSLContext(appProvider)

    // Start off with a clone of the default SSL parameters...
    val sslParameters = sslContext.getDefaultSSLParameters

    // Tells the server to ignore client's cipher suite preference.
    // http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#cipher_suite_preference
    sslParameters.setUseCipherSuitesOrder(true)

    // http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLParameters
    val needClientAuth = java.lang.System.getProperty("play.ssl.needClientAuth")
    sslParameters.setNeedClientAuth(java.lang.Boolean.parseBoolean(needClientAuth))

    // Clone and modify the default SSL parameters.
    val engine = sslContext.createSSLEngine
    engine.setSSLParameters(sslParameters)

    engine
  }

}