JVM忽略证书名称不匹配 [英] JVM to ignore certificate name mismatch
问题描述
我知道有很多关于如何忽略代码中SSL错误的问题/答案。
I know there were a lot of questions/answers about how to ignore SSL error in the code.
在我们的开发区域 dev中。 domain.tld
我们已经通过SSL配置了应用服务器。
On our dev region dev.domain.tld
we have configured a app server over SSL.
显示的证书用于 somedev.domain .tld
。
无法更改证书,它将始终是域不匹配。
There is no way to change the certificate, it will always be a domain mismatch.
因此,当我将Web服务部署到 https://dev.domain.tld
并尝试连接/调用我的Web服务时,出现异常:
So when I deploy a web-service to https://dev.domain.tld
and try to connect/call my webservice I get an exception:
原因:
java.security.cert.CertificateException:
没有与dev.domain.tld匹配的名称找到
Caused by: java.security.cert.CertificateException: No name matching dev.domain.tld found
我信任 somedev.domain.tld
CERT
现在,我看到了很多示例如何在代码中进行更改(使用接受所有域的信任管理器),但是如何指定JVM在连接到服务时忽略域不匹配?是否有 -Djavax.net.ssl
参数或其他内容?
Now, I saw a lot of samples how to change that in the code (using a Trust Manager that accepts all domains), but how do I specify to the JVM to ignore the domain mismatch when connecting to the server? Is there a -Djavax.net.ssl
argument or something?
谢谢!
更新:
或者,因为我使用的是Spring-WS,是否可以设置一些春天的财产呢? (WebServiceTemplate)
Or, since I am using Spring-WS, is there a way to set some property in Spring for that? (WebServiceTemplate)
更新
我想我必须使用来自Spring Security的内容: http://static.springsource .org / spring-ws / sites / 1.5 / reference / html / security.html
I guess I'll have to do use something from Spring Security: http://static.springsource.org/spring-ws/sites/1.5/reference/html/security.html
推荐答案
我在我的客户端应用程序中,如果您(或Spring在内部)在任何地方使用HttpsURLConnection,这也可能对您有用。
This works for me in a client application of mine, perhaps this will also work for you if you are (or Spring is internally) using HttpsURLConnection anywhere.
HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String urlHostName, SSLSession session) {
log.warning(String.format("Warning: URL Host: '%s' does not equal '%s'", urlHostName, session.getPeerHost()));
return true;
}
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
不过,这几乎不是SSL最佳做法。最好的解决方案是使用与主机名匹配的证书。
Its hardly SSL best practice though. The best solution would be to use a certificate that matches the hostname.
这篇关于JVM忽略证书名称不匹配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!