用作默认 WSo2 证书中的通用名称的“Localhost"创建未找到主题备用名称 [英] 'Localhost' used as Common name in the default WSo2 certificate creates No Subject Alternative Name found

问题描述

我们使用了 wso2 esb(版本 4.0.3)来公开我们的网络服务.我们的网络服务是使用 wso2 中的管理控制台添加为代理服务的.我们只想通过 https 公开/使用我们的网络服务.生成存根后，我们完成了以下操作

1. 使用 java keytool 创建一个 jks 文件.
2. 导出wso2证书并导入到jks文件中.
3. 在调用网络服务时在代码中添加了以下内容.

<块引用>

System.setProperty("javax.net.ssl.trustStore", "文件名");System.setProperty("javax.net.ssl.trustStorePassword", "密码");

当我们尝试从 java 代码调用 webservice 完成所有这些之后，它仅在 url 与 localhost 一起提供时才有效.它不适用于 127.0.0.1 或机器 IP 地址，即使我们在主机文件中有正确的映射.在使用 IP 地址时，我们收到错误消息javax.net.ssl.SSLHandshakeException:java.security.cert.CertificateException:不存在主题替代名称.出现此错误是因为 wso2 提供的默认证书将localhost"作为通用名称.我们可以通过添加以下代码来摆脱这个问题

 HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {公共布尔验证(字符串字符串，SSLSession ssls){返回真；}});

但这可能会造成安全问题.请建议我们如何解决此问题.

解决方案

当主机名与证书的 CN 不匹配时会出现此错误.我可以为您提供两种解决方案.

• 如果您只需要使用 IP 地址访问服务，那么只需生成一个具有正确 IP 地址的证书作为服务器证书 CN 值的值.可以使用 Java Keytool.
• 如果您想同时使用 IP 地址和主机名来寻址服务，请生成一个包含主题备用名称 (SAN) 的证书.Java 7 附带的 Java Keytool 能够使用 SAN 生成证书.否则，请使用任何其他工具(例如 OpenSSL)或使用 CA 颁发的证书和 SAN.

We have used wso2 esb (version 4.0.3) for exposing our webservice. Our webservice is added as a proxy service using the admin console in the wso2. We want to expose/consume our webservice only though the https. After generating the stub we have done the following

1. Create a jks file using the java keytool.
2. Exported the wso2 certificate and imported in the the jks file.
3. Added the following in the code while calling the webservice.

System.setProperty("javax.net.ssl.trustStore", "filename"); System.setProperty("javax.net.ssl.trustStorePassword", "password");

After doing all these when we try to call the webservice from the java code, it only works when the url is given with localhost. It doesnt work with the 127.0.0.1 or the machine IP address, even though we have proper mapping in the host file. While using the ip address we get the error as javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present. This error comes because the default certificate provided by wso2 has "localhost" as common name. We can get rid of this issue by adding the following piece of code

 HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
          public boolean verify(String string, SSLSession ssls) {
                          return true;
          }});

But this may create security issues. Please suggest us how to resolve this issue.

解决方案

This error rise when the host name doesn't match the CN of the certificate. I can provide you two solutions.

• If you only need to access the service with the IP address, then simply generate a certificate having the correct IP address as the value for the CN value of the servers certificate. Java Keytool can be used.
• If you want to use both the IP address and host name to address the service, generate a certificate containing Subject Alternative Names (SAN). Java Keytool ship with Java 7 is capable of generating certificates with SAN. Otherwise use any other tool such as OpenSSL or use a certificate issued by a CA with SAN.

这篇关于用作默认 WSo2 证书中的通用名称的“Localhost"创建未找到主题备用名称的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！