找不到匹配graph.facebook.com的名称(SSLHandshakeException / CertificateException) [英] No name matching graph.facebook.com found (SSLHandshakeException/CertificateException)

查看:1118
本文介绍了找不到匹配graph.facebook.com的名称(SSLHandshakeException / CertificateException)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

在我们的QC服务器上,我们完成了以下步骤:

  openssl genrsa -out server.key 2048 
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name some-alias -CAfile ca.crt -caname root

keytool -importkeystore -deststorepass changeit -destkeypass changeit
-destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass
changeit -alias server

(CAfile从来没有创建,所以还没有使用它。)



这些步骤是基于SO引用完成的:


1 / 在Java密钥库中导入现有x509证书和私钥以在ssl中使用



2 / 信任存储vs密钥存储 - 使用keytool创建


此外,我使用/测试了Altassian的SSLPoke实用程序( https://confluence.atlassian.com/download/attachments/180292346/SSLPoke.java?version= 1& modificationDate = 1236556497004& api = v2 ),并且在同一服务器上似乎也使用以下命令:

  java -Djavax.net.ssl.keyStore = server.keystore 
-Djavax.net.ssl.keyStorePassword = changeit -Djavax.net.debug = all SSLPoke
facebook.com 443 $ b $问题是使用apache + tomcat,当连接到 https://graph.facebook.com 是通过java代码生成的。



如何我可以克服这个异常吗?



以下是在server.keystore中的facebook certificat的列表:

  #keytool -list -v -keystore server.keystore -alias facebook.com 
输入密钥库密码:
别名:facebook.com
创建日期: 2014年6月17日
条目类型:trustedCertEntry

所有者:CN = *。facebook.com,O =Facebook,Inc.,L = Menlo Park,ST = CA,C = US
发行人:CN = DigiCert高保证CA-3,OU = www.digicert.com,O = DigiCert Inc,C = US
序列号:771430e2db21fb0b295cdb959c98454
有效期:Sat Mar 01 05:30:00 IST 2014直到:Mon Apr 13 17:30:00 IST 2015
证书指纹:
MD5:D3:A6:3C:18:15:C6:4B:BB: 75:7B:AC:ED:7D:2B:80
SHA1:BD:01:2A:89:B2:CC:9E:49:F8:1F:47:BF:BD:52:DE:48 :A0:4E:D3:AB
签名算法名称:SHA1withRSA
版本:3

扩展名:

#1:ObjectId:2.5.29.15 Criticality = true
KeyUsage [
DigitalSignature
Key_Encipherment
]

#2:ObjectId:2.5.29.19 Criticality = true
BasicConstraints:
CA:false
PathLen:undefined
]

#3:ObjectId:2.5.29.14 Criticality = false
SubjectKeyIdentifier [
KeyIdentifier [
0000:A4 5F 2C 39 02 78 AE 38 57 D1 42 5D 3B 43 CE 4F ._,9.x.8W.B]; CO
0010:AF F0 97 72 ... r
]
]

#4:ObjectId:1.3.6.1.5.5.7.1.1 Criticality = false
AuthorityInfoAccess [
[
accessMethod :1.3.6.1.5.5.7.48.1
accessLocation:URIName:http://ocsp.digicert.com,
accessMethod:1.3.6.1.5.5.7.48.2
accessLocation:URIName :http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt]
]

#5:ObjectId:2.5.29.31 Criticality = false
CRLDistributionPoints [
[DistributionPoint:
[URIName:http://crl3.digicert.com/ca3-g27.crl]
,DistributionPoint:
[URIName:http://crl4.digicert.com /ca3-g27.crl]
]]

#6:ObjectId:2.5.29.32 Criticality = false
CertificatePolicies [
[CertificatePolicyId:[2.16.840.1。 114412.1.1]
[PolicyQualifierInfo:[
qualifierID:1.3.6.1.5.5.7.2.1
限定符:0000:16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010:67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS

]]]
]

#7:ObjectId:2.5.29.37 Criticality = false
ExtendedKeyUsages [
serverAuth
clientAuth
]

# 8:ObjectId:2.5.29.35 Criticality = false
AuthorityKeyIdentifier [
KeyIdentifier [
0000:50 EA 73 89 DB 29 FB 10 8F 9E E5 01 20 D4 DE 79 Ps。)... ... .. $
0010:99 48 83 F7 .H ..
]

]

#9:ObjectId:2.5.29.17 Criticality = false
SubjectAlternativeName [
DNSName:* .facebook.com
DNSName:facebook.com
DNSName:* .fbsbx.com
DNSName:* .fbcdn。 net
DNSName:* .xx.fbcdn.net
DNSName:* .xy.fbcdn.net
]

pre>

解决方案

原来我们有防火墙问题。



我们的QC服务器被阻止IP的Facebook。
SSLPoke到google显示没有错误,而同样的Facebook显示无效的证书,由于ping从内部防火墙返回,因此证书例外graph.facebook.com,未找到名称。


At our QC server we have done the following steps:

openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name some-alias   -CAfile ca.crt -caname root

keytool -importkeystore -deststorepass changeit -destkeypass changeit 
-destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass 
changeit -alias server

(The CAfile never got created, so have not used it yet.)

These steps were done based on SO references:

1/importing an existing x509 certificate and private key in Java keystore to use in ssl

2/Trust Store vs Key Store - creating with keytool

Further, I have used/tested the SSLPoke utility from Altassian(https://confluence.atlassian.com/download/attachments/180292346/SSLPoke.java?version=1&modificationDate=1236556497004&api=v2) and the same seems to work with the following command on the same server:

java -Djavax.net.ssl.keyStore=server.keystore 
-Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.debug=all  SSLPoke 
facebook.com 443

The problem is with apache+tomcat, which is throwing the said exception when a connection to https://graph.facebook.com is made via java code.

How can I overcome this exception?

Here is the listing of the facebook certificat in the server.keystore:

#keytool -list -v -keystore server.keystore -alias facebook.com
Enter keystore password:  
Alias name: facebook.com
Creation date: 17 Jun, 2014
Entry type: trustedCertEntry

Owner: CN=*.facebook.com, O="Facebook, Inc.", L=Menlo Park, ST=CA, C=US
Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 771430e2db21fb0b295cdb959c98454
Valid from: Sat Mar 01 05:30:00 IST 2014 until: Mon Apr 13 17:30:00 IST 2015
Certificate fingerprints:
     MD5:  D3:A6:3C:18:15:C6:4B:BB:BE:75:7B:AC:ED:7D:2B:80
     SHA1: BD:01:2A:89:B2:CC:9E:49:F8:1F:47:BF:BD:52:DE:48:A0:4E:D3:AB
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions: 

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A4 5F 2C 39 02 78 AE 38   57 D1 42 5D 3B 43 CE 4F  ._,9.x.8W.B];C.O
0010: AF F0 97 72                                        ...r
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.digicert.com, 
   accessMethod: 1.3.6.1.5.5.7.48.2
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertHighAssuranceCA-3.crt]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/ca3-g27.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/ca3-g27.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 50 EA 73 89 DB 29 FB 10   8F 9E E5 01 20 D4 DE 79  P.s..)...... ..y
0010: 99 48 83 F7                                        .H..
]

]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.facebook.com
  DNSName: facebook.com
  DNSName: *.fbsbx.com
  DNSName: *.fbcdn.net
  DNSName: *.xx.fbcdn.net
  DNSName: *.xy.fbcdn.net
]
#

解决方案

It turned out that we had a firewall issue.

Our QC server was under blocked IP's for facebook. An SSLPoke to google showed no error, while the same to facebook showed invalid certificate due to the ping being returned from the internal firewall, and hence the certificate exception for graph.facebook.com, name not found.

这篇关于找不到匹配graph.facebook.com的名称(SSLHandshakeException / CertificateException)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆