CertificateException:找不到与ssl.someUrl.de匹配的名称 [英] CertificateException: No name matching ssl.someUrl.de found
问题描述
我正在尝试通过ssl与Java连接到我的一台服务器。我尝试了很多选项是我最好的尝试:
I'm trying to connect to one of my servers through ssl, with Java. I tried a lot of options here is my best try:
我使用推荐脚本生成一个jssecacerts: http://blogs.oracle.com/andreas/resource/InstallCert.java
命令:java InstallCert ssl.someUrl。 de changeit
I generate a jssecacerts with the recommendet script: http://blogs.oracle.com/andreas/resource/InstallCert.java with the command: java InstallCert ssl.someUrl.de changeit
在此之后我第二次执行命令:
after this I did the command a second time:
Loading KeyStore jssecacerts...
Opening connection to ssl.someUrl.de:443...
Starting SSL handshake...
No errors, certificate is already trusted
Server sent 1 certificate(s):
1 Subject EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Hernd
on, ST=Virginia, C=US
Issuer EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Hernd
on, ST=Virginia, C=US
sha1 f1 0d 2c 54 05 e1 32 19 a0 52 5e e1 81 6c a3 a5 83 0d dd 67
md5 f0 b3 be 5e 5f 6e 90 d1 bc 57 7a b2 81 ce 7d 3d
Enter certificate to add to trusted keystore or 'q' to quit: [1]
我将文件复制到默认目录,然后在Java trustStore中加载证书
I copied the file to the default directory and I loaded the certificate in Java trustStore
System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files (x86)\\Java\\jre6\\lib\\security\\jssecacerts");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");
然后我尝试连接
URL url = new URL("https://ssl.someUrl.de/");
URLConnection conn = url.openConnection();
BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
我在第3行得到错误:(找不到匹配ssl.someUrl.de的名字)
And I get Error on 3rd line: (No name matching ssl.someUrl.de found)
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ssl.someUrl.de found
这是默认plesk证书的原因还是其他错误?
Is this cause of the default plesk certificate or is something else wrong?
设置:JRE 6.20,Netbeans 6.8,Windows7 64位
Setup: JRE 6.20, Netbeans 6.8, Windows7 64bit
推荐答案
它看起来像你的服务器证书尝试连接与其主机名不匹配。
It looks like the certificate of the server you are trying to connect to doesn't match its hostname.
当HTTPS客户端连接到服务器时,它会验证证书中的主机名是否与服务器的主机名匹配。证书不可靠,它必须匹配您想要与之交谈的服务器。 (作为类比,即使您相信护照是合法的,您仍然必须检查它是否是您想要与之交谈的人,而不仅仅是您认为合法的护照。)
When an HTTPS client connects to a server, it verifies that the hostname in the certificate matches the hostname of the server. It's not enough for a certificate to be trusted, it has to match the server you want to talk to too. (As an analogy, even if you trust a passport to be legitimate, you still have to check that it's the one for the person you want to talk to, not just any passport you would trust to be legitimate.)
在HTTP中,这是通过检查:
In HTTP, this is done by checking that:
-
证书包含DNS来完成的主题备用名称(这是标准扩展名)与主机名匹配;
the certificate contains a DNS subject alternative name (this is a standard extension) entry matching the hostname;
如果失败,您的主题专有名称的最后一个CN(这是主要名称)如果你愿意)匹配主机名。 (参见RFC 2818。)
failing that, the last CN of your subject distinguished name (this is the main name if you want) matches the hostname. (See RFC 2818.)
如果没有证书,很难说出主题替代名称是什么(尽管,如果你连接浏览器并查看其内容的详细信息,你应该可以看到它。)
主题专有名称似乎是:
It's hard to tell what the subject alternative name is without having the certificate (although, if you connect with your browser and check its content in more details, you should be able to see it.) The subject distinguished name seems to be:
EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
(因此,如果您没有主题替代名称,则需要CN = ssl.someUrl.de而不是CN = plesk DNS:ssl.someUrl.de已经;我的猜测是你没有。)
(It would thus need to be CN=ssl.someUrl.de instead of CN=plesk, if you don't have a subject alternative name with DNS:ssl.someUrl.de already; my guess is that you don't.)
您可以使用 HttpsURLConnection.setHostnameVerifier(。 )。编写一个自定义的HostnameVerifier并不太难以通过验证验证,尽管我建议只在证书与此处有关的证书时才这样做。你应该能够使用SSLSession参数及其getPeerCertificates()方法获得它。
You may be able to bypass the hostname verification using HttpsURLConnection.setHostnameVerifier(..). It shouldn't be too hard to write a custom HostnameVerifier that bybasses the verification, although I would suggest doing it only when the certificate its the one concerned here specifically. You should be able to get that using the SSLSession argument and its getPeerCertificates() method.
(此外,你不需要设置javax.net.ssl 。*属性就像你完成它一样,因为你仍然使用默认值。)
(In addition, you don't need to set the javax.net.ssl.* properties the way you've done it, since you're using the default values anyway.)
或者,如果你控制服务器就连接了为了及其证书,您可以创建一个与上述命名规则相匹配的证书(CN应该足够了,尽管主题替代名称是一种改进)。如果自签名证书足以满足您的要求,请确保其公用名(CN)是您尝试与之通信的主机名(没有完整的URL,只有主机名)。
Alternatively, if you have control over the server you're connecting to and its certificate, you can create a certificate of it that matches the naming rules above (CN should be sufficient, although subject alternative name is an improvement). If a self-signed certificate is good enough for what you name, make sure its common name (CN) is the host name you're trying to talk to (no the full URL, just the hostname).
这篇关于CertificateException:找不到与ssl.someUrl.de匹配的名称的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
