Java upgrade 8 to 11 causing issue with LDAPS connection (Connection or outbound has closed)


Problem description

This issue was seen after the Java upgrade:

  • LDAP using a DNS alias fails to connect with Java 11.0.2, whereas it works fine with Java 8

The DNS alias is as below; it remains the same and nothing else changed, the only change is the Java upgrade from 8 to 11:

$ nslookup ad1.XXXXX.zz

Server:         10.222.249.209
Address:        10.222.249.209#53

Name:   ad1.XXXXX.zz
Address: 10.222.249.205
Name:   ad1.XXXXX.zz
Address: 10.222.249.204
Name:   ad1.XXXXX.zz
Address: 10.222.249.210

  • LDAP using the direct IP works fine with Java 11.0.2:

    $ nslookup qdegsf.XXXXX.zz

    Server:         10.222.249.209
    Address:        10.222.249.209#53
    
    Name:   qdegsf.XXXXX.zz
    Address: 10.222.249.210
    

    Process parameters:

    /opt/3rdparty/jdk_installed/jdk-11.0.2/bin/java -Dsserver -Djdk.serialFilter=* -Dfile.encoding=UTF8 -Djavax.net.ssl.trustStore=/opt/3rdparty/tomcat/conf/svrtrust -Djavax.net.ssl.trustStorePassword=XXXX -Djavax.net.ssl.keyStore=/opt/3rdparty/tomcat/conf/svrkeystore.jks

    Below are the traces seen when the LDAP connection is made:

    java.lang.RuntimeException: connection to ldap server failed;url;ldaps://ad1.XXXXX.zz:636;authDN;sa_XXX@XXXXX.zz
    javax.naming.CommunicationException: simple bind failed: ad1.XXXXX.zz:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
    java.net.SocketException: Connection or outbound has closed
    Trace for the thrown exceptions:
    java.lang.RuntimeException: connection to ldap server failed;url;ldaps://ad1.XXXXX.zz:636;authDN;sa_XXX@XXXXX.zz
        at auth.ldap.LdapConnection.testConnection(LdapConnection.java:46)
    
    
    Caused by: javax.naming.CommunicationException: simple bind failed: ad1.XXXXX.zz:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
        at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
        at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
        at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
        at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
        at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at auth.ldap.LdapConnection.testConnection(LdapConnection.java:41)
        ... 3 more
    Caused by: java.net.SocketException: Connection or outbound has closed
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
        at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
        at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
        at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
        at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
        at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
        at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
        ... 15 more
    javax.naming.CommunicationException: simple bind failed: ad1.XXXXX.zz:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
        at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
        at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
        at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
        at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
        at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at auth.ldap.LdapConnection.testConnection(LdapConnection.java:41)
    Caused by: java.net.SocketException: Connection or outbound has closed
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
        at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
        at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
        at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
        at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
        at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
        at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
        ... 15 more
    java.net.SocketException: Connection or outbound has closed
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
        at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
        at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
        at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
        at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
        at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
        at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
        at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
        at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
        at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
        at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
        at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at nims.auth.ldap.LdapConnection.testConnection(LdapConnection.java:41)
        at auth.LdapAuthenticationService.doTestConnection(LdapAuthenticationService.java:50)
    

    > Update: the following error appears:

    $ openssl s_client -connect ad1.XXXXX-ru.zz:636

    CONNECTED(00000003)
    depth=0 verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 verify error:num=27:certificate not trusted
    verify return:1
    depth=0 verify error:num=21:unable to verify the first certificate
    verify return:1
    Certificate chain
     0 s:
       i:/DC=zz/DC=XXXXX-ru/CN=XXXXX-ru-ROOT-CA
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFfjCCBGagAwIBAgITLwAAAKgllUHEZUjzRwAAAAAAqDANBgkqhkiG9w0BA.................
    APpwNrloBJjZo2bJ7pqe4gXN
    -----END CERTIFICATE-----
    subject=
    issuer=/DC=zz/DC=XXXXX-ru/CN=XXXXX-ru-ROOT-CA
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    SSL handshake has read 1980 bytes and written 441 bytes
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: C51900006745E495E1C8CA132C0EDF901C3638DE9E5EEA506551E298E2374372
        Session-ID-ctx:
        Master-Key: A8B4C4E2B01FE11822CE047D3B7D692EE1C001DA551DFE63FBC314737177BE7A285F79D6FF36B67D3E1AFF72C1402D2D
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1574232095
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)

    Please advise. Thanks.

    Recommended answer

    Depending on the version of Java 8 you were using, there could be several reasons for this error:

    • Java 11 (and recent versions of Java 8) now enforces hostname verification when an SSL connection is established, so the server's certificate has to match the hostname you are connecting to.
    • Java 11 also has updated cipher suites and TLS versions, and some old cipher suites are deprecated. You may want to enable SSL debugging to see what is exchanged on the SSL layer.
    • Finally, early versions of Java 11 had several problems with TLS (1.3) and cipher suites, so you may want to switch to the latest update (11.0.5).
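As an added diagnostic (not code from the question or the answer), the following Java program reproduces the hostname check that JNDI applies to ldaps:// URLs (endpoint identification, on by default since JDK 8u181) and, when the handshake is rejected, reconnects without it to print the subject and Subject Alternative Names the server certificate actually carries, which shows whether a DNS alias such as ad1.XXXXX.zz is covered. The default host and port are taken from the question and are assumptions to replace.

```java
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

public class LdapsHostnameCheck {
    // Added diagnostic, not the asker's code. With endpointId=true the hostname
    // check JNDI applies to ldaps:// URLs ("LDAPS" endpoint identification) is on.
    static SSLSocket connect(String host, int port, boolean endpointId) throws Exception {
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        if (endpointId) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");
            s.setSSLParameters(p);
        }
        s.startHandshake(); // fails here, rather than on the first write as in the JNDI trace
        return s;
    }

    // Print the names the server certificate actually carries.
    static void printServerCert(SSLSocket s) throws Exception {
        X509Certificate cert = (X509Certificate) s.getSession().getPeerCertificates()[0];
        System.out.println("subject: " + cert.getSubjectX500Principal());
        System.out.println("issuer:  " + cert.getIssuerX500Principal());
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if absent
        if (sans == null) { System.out.println("no subjectAltName extension"); return; }
        for (List<?> san : sans) { // type 2 = dNSName, type 7 = iPAddress
            System.out.println("SAN type " + san.get(0) + ": " + san.get(1));
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ad1.XXXXX.zz"; // alias from the question (assumed)
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        try (SSLSocket s = connect(host, port, true)) {
            System.out.println("handshake OK with hostname verification for " + host);
            printServerCert(s);
        } catch (SSLHandshakeException e) {
            System.out.println("rejected with hostname verification: " + e.getMessage());
            try (SSLSocket s = connect(host, port, false)) {
                System.out.println("names the server presents (check the alias is listed):");
                printServerCert(s);
            }
        }
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword arguments as the application so the corporate root CA is trusted; adding -Djavax.net.debug=ssl:handshake gives the SSL-layer detail the answer's second point refers to.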

