换库后主机名与对端提供的证书主题不匹配
Host name does not match the certificate subject provided by the peer after library change
将我们的项目依赖项从 apache HttpClient 4.5.10 更新到 4.5.11 后,我们在本地环境中不断收到此错误。
我们使用hystrix,所以连接本身使用HttpAsyncClient (4.1.2).
更新后生产环境工作正常,所以我猜我们的证书有问题,在使用 4.5.10 进行 ssl 上下文配置时不知何故不会弹出。
有人知道证书中可能缺少什么吗?
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'domain' does not match the certificate subject provided by the peer (CN=domain, O=Something, ST=Some-State, C=NL)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verify(SSLIOSessionStrategy.java:188)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:503)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
(这个我已经查过了,好像和问题不符)
实际问题不是域本身,而是它是一个私有域,DefaultHostnameVerifier 假设它是一个 ICANN 域。修改主机名验证器可以修复它。
它是由从 4.5.10 到 4.5.11 的更改触发的,因为此提交:https://github.com/apache/httpcomponents-client/commit/858946348f5d34f9a8b4caf3c5f054721e647983#diff-842a4260950ada415839175b42257751
它实际上纠正了一个验证问题,但错误不是很清楚,所以我希望这对以后的人有所帮助。
上述问题已在 https://issues.apache.org/jira/browse/HTTPCLIENT-2047
中修复
将版本更改为 4.5.12
将我们的项目依赖项从 apache HttpClient 4.5.10 更新到 4.5.11 后,我们在本地环境中不断收到此错误。
我们使用hystrix,所以连接本身使用HttpAsyncClient (4.1.2).
更新后生产环境工作正常,所以我猜我们的证书有问题,在使用 4.5.10 进行 ssl 上下文配置时不知何故不会弹出。
有人知道证书中可能缺少什么吗?
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'domain' does not match the certificate subject provided by the peer (CN=domain, O=Something, ST=Some-State, C=NL)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209)
at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verify(SSLIOSessionStrategy.java:188)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:354)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:503)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
(这个我已经查过了,好像和问题不符)
实际问题不是域本身,而是它是一个私有域,DefaultHostnameVerifier 假设它是一个 ICANN 域。修改主机名验证器可以修复它。
它是由从 4.5.10 到 4.5.11 的更改触发的,因为此提交:https://github.com/apache/httpcomponents-client/commit/858946348f5d34f9a8b4caf3c5f054721e647983#diff-842a4260950ada415839175b42257751
它实际上纠正了一个验证问题,但错误不是很清楚,所以我希望这对以后的人有所帮助。
上述问题已在 https://issues.apache.org/jira/browse/HTTPCLIENT-2047
中修复将版本更改为 4.5.12