CertificateException:找不到与 ssl.someUrl.de 匹配的名称 [英] CertificateException: No name matching ssl.someUrl.de found
问题描述
我正在尝试使用 Java 通过 ssl 连接到我的一台服务器.我尝试了很多选择,这是我最好的尝试:
I'm trying to connect to one of my servers through ssl, with Java. I tried a lot of options here is my best try:
我用推荐脚本生成了一个jssecacerts:http://blogs.oracle.com/andreas/resource/InstallCert.java使用命令:java InstallCert ssl.someUrl.de changeit
I generate a jssecacerts with the recommendet script: http://blogs.oracle.com/andreas/resource/InstallCert.java with the command: java InstallCert ssl.someUrl.de changeit
此后我第二次执行命令:
after this I did the command a second time:
Loading KeyStore jssecacerts...
Opening connection to ssl.someUrl.de:443...
Starting SSL handshake...
No errors, certificate is already trusted
Server sent 1 certificate(s):
1 Subject EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Hernd
on, ST=Virginia, C=US
Issuer EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Hernd
on, ST=Virginia, C=US
sha1 f1 0d 2c 54 05 e1 32 19 a0 52 5e e1 81 6c a3 a5 83 0d dd 67
md5 f0 b3 be 5e 5f 6e 90 d1 bc 57 7a b2 81 ce 7d 3d
Enter certificate to add to trusted keystore or 'q' to quit: [1]
我将文件复制到默认目录并将证书加载到 Java trustStore
I copied the file to the default directory and I loaded the certificate in Java trustStore
System.setProperty("javax.net.ssl.trustStore", "C:\Program Files (x86)\Java\jre6\lib\security\jssecacerts");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");
然后我尝试连接
URL url = new URL("https://ssl.someUrl.de/");
URLConnection conn = url.openConnection();
BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
我在第 3 行出现错误:(找不到与 ssl.someUrl.de 匹配的名称)
And I get Error on 3rd line: (No name matching ssl.someUrl.de found)
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ssl.someUrl.de found
这是默认 plesk 证书的原因还是其他错误?
Is this cause of the default plesk certificate or is something else wrong?
设置:JRE 6.20、Netbeans 6.8、Windows7 64 位
Setup: JRE 6.20, Netbeans 6.8, Windows7 64bit
推荐答案
您尝试连接的服务器的证书似乎与其主机名不匹配.
It looks like the certificate of the server you are trying to connect to doesn't match its hostname.
当 HTTPS 客户端连接到服务器时,它会验证证书中的主机名是否与服务器的主机名匹配.仅仅信任证书是不够的,它还必须与您想与之交谈的服务器相匹配.(打个比方,即使您相信护照是合法的,您仍然必须检查它是否适合您要与之交谈的人,而不仅仅是您认为合法的任何护照.)
When an HTTPS client connects to a server, it verifies that the hostname in the certificate matches the hostname of the server. It's not enough for a certificate to be trusted, it has to match the server you want to talk to too. (As an analogy, even if you trust a passport to be legitimate, you still have to check that it's the one for the person you want to talk to, not just any passport you would trust to be legitimate.)
在 HTTP 中,这是通过检查:
In HTTP, this is done by checking that:
证书包含与主机名匹配的 DNS 主题备用名称(这是标准扩展名)条目;
the certificate contains a DNS subject alternative name (this is a standard extension) entry matching the hostname;
如果失败,主题专有名称的最后一个 CN(如果需要,这是主名称)与主机名匹配.(请参阅 RFC 2818.)
failing that, the last CN of your subject distinguished name (this is the main name if you want) matches the hostname. (See RFC 2818.)
在没有证书的情况下很难判断主题备用名称是什么(尽管,如果您连接浏览器并查看其内容的更多详细信息,您应该能够看到它.)主题专有名称似乎是:
It's hard to tell what the subject alternative name is without having the certificate (although, if you connect with your browser and check its content in more details, you should be able to see it.) The subject distinguished name seems to be:
EMAILADDRESS=info@plesk.com, CN=plesk, OU=Plesk, O=Parallels, L=Herndon, ST=Virginia, C=US
(因此,如果您没有带有 DNS:ssl.someUrl.de 的主题备用名称,则它需要是 CN=ssl.someUrl.de 而不是 CN=plesk;我猜您没有t.)
(It would thus need to be CN=ssl.someUrl.de instead of CN=plesk, if you don't have a subject alternative name with DNS:ssl.someUrl.de already; my guess is that you don't.)
您可以使用 HttpsURLConnection.setHostnameVerifier(..).编写一个基于验证的自定义 HostnameVerifier 应该不会太难,尽管我建议仅当证书是此处特别关注的证书时才这样做.您应该能够使用 SSLSession 参数及其 getPeerCertificates() 方法获得该信息.
You may be able to bypass the hostname verification using HttpsURLConnection.setHostnameVerifier(..). It shouldn't be too hard to write a custom HostnameVerifier that bybasses the verification, although I would suggest doing it only when the certificate its the one concerned here specifically. You should be able to get that using the SSLSession argument and its getPeerCertificates() method.
(此外,您不需要像以前那样设置 javax.net.ssl.* 属性,因为无论如何您都在使用默认值.)
(In addition, you don't need to set the javax.net.ssl.* properties the way you've done it, since you're using the default values anyway.)
或者,如果您可以控制要连接的服务器及其证书,您可以创建一个与上述命名规则匹配的证书(CN 应该足够了,尽管主题备用名称是一种改进).如果自签名证书足以满足您的命名要求,请确保其公用名 (CN) 是您尝试与之通信的主机名(没有完整的 URL,只有主机名).
Alternatively, if you have control over the server you're connecting to and its certificate, you can create a certificate of it that matches the naming rules above (CN should be sufficient, although subject alternative name is an improvement). If a self-signed certificate is good enough for what you name, make sure its common name (CN) is the host name you're trying to talk to (no the full URL, just the hostname).
这篇关于CertificateException:找不到与 ssl.someUrl.de 匹配的名称的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
