https URL hostname not matching Common Name (CN) despite setting 'disableCNCheck' to true


Question

I managed to configure my CXF-based client properly so that it finds the correct SSL certificate for the server on which I am running a web service:

  <http:conduit name="https://myserver/myws/register/soap?wsdl:{http://glob.reg.com/myws}.http-conduit">

    <http:tlsClientParameters>
      <sec:keyManagers keyPassword="changeit">
        <sec:keyStore type="JKS" password="changeit"
                  file="C:\Program Files (x86)\Java\jdk1.6.0_45\jre\lib\security\cacerts"/> 
      </sec:keyManagers>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="changeit"
                  file="C:\Program Files (x86)\Java\jdk1.6.0_45\jre\lib\security\cacerts"/> 
      </sec:trustManagers>
      <sec:cipherSuitesFilter>
        <!-- these filters ensure that a ciphersuite with
             export-suitable or null encryption is used,
             but exclude anonymous Diffie-Hellman key change as
             this is vulnerable to man-in-the-middle attacks -->
        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
    <http:authorization>
      <sec:UserName>Betty</sec:UserName>
      <sec:Password>password</sec:Password>
    </http:authorization>
    <http:client AutoRedirect="true" Connection="Keep-Alive"/>

  </http:conduit>

But... because the certificate is for a subdomain name that's different than my server's machine (maps to the same IP address), I am getting the following error:

Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore.  Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:183)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1293)
        ... 18 more

So... since this is a development/test system, I did just as the message proposed (set the CXF client TLS configuration property "disableCNCheck" to true):

<http:tlsClientParameters disableCNCheck="true">

Plus, I added the following code to my client's main class (per the suggestion in this thread):

  // imports needed at the top of the class file
  import javax.net.ssl.HostnameVerifier;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.SSLSession;

  static {
    // installs a JVM-wide default verifier that accepts every hostname/certificate pair
    HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()
    {
      @Override
      public boolean verify(String hostname, SSLSession session)
      {
        return true;
      }
    });
  }

But... I am still getting the same error:

Caused by: java.io.IOException: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore.  Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1234)
        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:183)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1293)
        ... 18 more

Any idea why?

I mean, one of the above workarounds should have been enough to let the client ignore the certificate URL mismatch but, in my case, neither works, nor does the combination thereof.

Why?
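The verifier in the question returns true for every host, which switches hostname verification off for every HttpsURLConnection in the JVM, not just the dev server. The following is an added example, not code from the question or from Apache CXF: a HostnameVerifier that defers to the JDK's default verifier and only tolerates a mismatch for an explicit, constructed allowlist (requested hostname "myserver" paired with the expected certificate CN "dev.glob.reg.com", both placeholders). Whether CXF consults the JDK default verifier at all in the poster's setup is not settled by the thread (the poster reports it had no effect), so this only illustrates how to scope such a workaround where the default verifier is used.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added example: a hostname verifier that keeps the default check for every host and
// accepts a mismatch only for allowlisted hostname -> expected-CN pairs.
public final class ScopedHostnameVerifier implements HostnameVerifier {
    private final HostnameVerifier defaultVerifier;
    // requested hostname -> the one certificate CN accepted for it (constructed dev/test allowlist)
    private final Map<String, String> allowedMismatches;

    ScopedHostnameVerifier(HostnameVerifier defaultVerifier, Map<String, String> allowedMismatches) {
        this.defaultVerifier = defaultVerifier;
        this.allowedMismatches = allowedMismatches;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Normal case: the JDK's own verifier (CN/SAN rules) decides.
        if (defaultVerifier.verify(hostname, session)) {
            return true;
        }
        // Only hosts on the allowlist get a second chance, and only for one specific CN.
        String expectedCn = allowedMismatches.get(hostname);
        if (expectedCn == null) {
            return false;
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            String dn = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
            return expectedCn.equalsIgnoreCase(extractCn(dn));
        } catch (SSLPeerUnverifiedException e) {
            return false;
        }
    }

    // Pulls the CN attribute out of an RFC 2253 distinguished name; null if absent or unparsable.
    static String extractCn(String rfc2253Dn) {
        try {
            for (Rdn rdn : new LdapName(rfc2253Dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // fall through: an unparsable DN never matches
        }
        return null;
    }

    // Install it in place of the blanket "return true" verifier from the question.
    public static void main(String[] args) {
        Map<String, String> allowlist = Collections.singletonMap("myserver", "dev.glob.reg.com"); // constructed
        HttpsURLConnection.setDefaultHostnameVerifier(
            new ScopedHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier(), allowlist));
        System.out.println("CN of sample DN: " + extractCn("CN=dev.glob.reg.com,O=Example,C=US"));
    }
}
```

The allowlist is keyed on the hostname the client actually requested, so a certificate that happens to carry the expected CN is still rejected when presented for any other host.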

Recommended answer

I have used CXF in several instances where

<http:tlsClientParameters disableCNCheck="true">

was sufficient to disable the CN check.

Are you certain your client is using that conduit configuration? My understanding is the conduit name pattern needs to match the endpoint URI in some fashion.

Try setting the conduit name as follows such that any endpoint will match and see if that changes anything:

<http:conduit name="*.http-conduit">

Update 2 Jan 2015

It turns out the http-conduit configuration name matching has two pattern formats. One involves the service's namespace and port name. The other supported format is a regular expression matched against the URL endpoint specified in the WSDL used to create the client.

Quoting the Apache CXF User's Guide on the http-conduit element:

The name includes the service's namespace, the WSDL port name (as found in the wsdl:service section of the WSDL), and ".http-conduit". It follows this template:

{WSDL Namespace}portName.http-conduit

Note: it's the PORT name, not the service name.

...

Another option for the name attribute is a reg-ex expression (e.g., "http://myserver.example.com:*") for the ORIGINAL URL of the endpoint. The configuration is matched at conduit creation so the address used in the WSDL or used for the JAX-WS Service.create(...) call can be used for the name.
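To make the two name formats from the answer concrete, here is an added example (not Apache CXF's own matching code) that builds the QName-style name from a port QName and treats a regex-style name as a java.util.regex pattern that must match the whole original endpoint URL. The full-match semantics and the port name "RegisterSoapPort" are assumptions; the namespace and URL come from the question's conduit.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.xml.namespace.QName;

// Added example: check a candidate http-conduit name against the two formats the answer describes.
public final class ConduitNameCheck {
    static final String SUFFIX = ".http-conduit";

    // Format 1: "{namespace}portName.http-conduit", derived from the WSDL port QName.
    static String qnameStyleName(QName port) {
        return "{" + port.getNamespaceURI() + "}" + port.getLocalPart() + SUFFIX;
    }

    static boolean matchesQNameStyle(String conduitName, QName port) {
        return conduitName.equals(qnameStyleName(port));
    }

    // Format 2: the name is a regex applied to the ORIGINAL endpoint URL.
    // Full match is an assumption of this example, not a statement about CXF internals.
    static boolean matchesUrlRegex(String conduitName, String originalUrl) {
        try {
            return Pattern.compile(conduitName).matcher(originalUrl).matches();
        } catch (PatternSyntaxException e) {
            // e.g. "{...}" or a leading "*" is not a valid java.util.regex pattern
            return false;
        }
    }

    public static void main(String[] args) {
        // Namespace from the question; the port name is a constructed placeholder.
        QName port = new QName("http://glob.reg.com/myws", "RegisterSoapPort");
        String originalUrl = "https://myserver/myws/register/soap?wsdl";

        String[] candidates = {
            // the name used in the question: neither format
            "https://myserver/myws/register/soap?wsdl:{http://glob.reg.com/myws}.http-conduit",
            // format 1, built from the port QName
            qnameStyleName(port),
            // format 2, a regex over the original URL
            "https://myserver/.*"
        };
        for (String candidate : candidates) {
            System.out.printf("%-90s qname=%-5b regex=%b%n",
                candidate, matchesQNameStyle(candidate, port), matchesUrlRegex(candidate, originalUrl));
        }
    }
}
```

Run as written, the question's original name matches neither format (as a regex it is rejected for the "{...}" group), the QName-style name matches only by exact comparison, and "https://myserver/.*" matches the URL. The answer's catch-all "*.http-conduit" is not included because a plain java.util.regex compile rejects a leading "*"; how CXF treats that wildcard form is outside what the thread states.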
