6
Próbuję wykonać wpis na serwerze TLS dla domyślnych i niestandardowych magazynów kluczy. Po uzyskaniu wystąpienie CloseableHttpClient kiedy robię executePotrzebujesz pomocy w identyfikowaniu i naprawianiu SSLPeerUnverifiedException
CloseableHttpResponse response1 = client.execute(postMethod);
To daje mi javax.net.ssl.SSLPeerUnverifiedException: Certificate for <hostname.domain.com> doesn't match any of the subject alternative names: [] wyjątek na powyższej linii.
Poniżej znajduje się klasa gdzie przygotować instancję klienta
public class ClientelUtil {
public static CloseableHttpClient getHttpClient(String scheme,SSLContext sslContext) {
HttpClientBuilder clientBuilder = HttpClients.custom();
CloseableHttpClient client = null;
if ("https".equalsIgnoreCase(scheme)) {
SSLConnectionSocketFactory sFactory = new SSLConnectionSocketFactory(sslContext);
final Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", new PlainConnectionSocketFactory()).register("https", sFactory).build();
final PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
clientBuilder = HttpClients.custom().setSSLSocketFactory(sFactory)
.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
.setConnectionManager(cm);
}
client = clientBuilder.build();
return client;
}
public static CloseableHttpClient getHttpClient(String scheme) {
return getHttpClient(scheme, getSSLContext());
}
public static CloseableHttpClient getHttpClientWithoutTLSValidation(String scheme) {
return getHttpClient(scheme, getSSLContextWithoutValidation());
}
public static SSLContext getSSLContextWithoutValidation() {
SSLContext sslContext=null;
try {
sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
return true;
}
}).build();
} catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
e.printStackTrace();
}
return sslContext;
}
public static SSLContext getSSLContext() {
SSLContext sslContext=null;
try {
JKSInfo jksInfo = JKSUtil.getTrustStoreInfo();
sslContext = HttpSSLUtil.getSSLContext(jksInfo.getJksPath(), jksInfo.getJksPassword());
} catch (HttpSSLException e) {
e.printStackTrace();
}
return sslContext;
}
}
Tu używam powyżej klasy w moim programie
public String post(String host,int port,Map<String,String> data) {
CloseableHttpClient client = null;
String response = null;
String protocol = HTTP;
try{
if(isServerSSLEnabled()){ //returns a boolean tru or false. In this case it is true
protocol = HTTPS;
}
client = ClientelUtil.getHttpClient(protocol);
//RequestConfig requestConfig = RequestConfig.custom().setCircularRedirectsAllowed(true).build();
URIBuilder builder = new URIBuilder()
.setScheme(protocol)
.setHost(host).setPort(port)
.setPath(CONNECT_URI);
URI uri = builder.build();
HttpPost postMethod = new HttpPost(uri);
//postMethod.setConfig(requestConfig);
logger.debug("Sending request on host [" + host +"], port ["+ port+"], Protocol ["+ protocol + "] connectURI ["+CONNECT_URI+"]");
addRequestHeaders(postMethod);
ArrayList<NameValuePair> postParameters = new ArrayList<NameValuePair>();
try {
for(Map.Entry<String,String> entry : data.entrySet()) {
postParameters.add(new BasicNameValuePair(entry.getKey(),entry.getValue()));
}
postMethod.setEntity(new UrlEncodedFormEntity(postParameters));
CloseableHttpResponse response1 = client.execute(postMethod); // <-- SSLPeerUnverifiedException at this point
response = EntityUtils.toString(response1.getEntity());
} catch (IOException e) {
logger.error("Error while running the scenario on node host [" + host+"]",e);
} finally{
postMethod.releaseConnection();
}
} catch (URISyntaxException e1) {
e1.printStackTrace();
}finally {
if(client!=null)
try {
client.close();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
return response;
}
Używam Apache klienta 4.5 do tego, proszę o pomoc na określenie tego, co tu jest nie tak.
Wymagany jest również CN=FQDN w magazynie kluczy używany w metodzie getSSLContext, ponieważ używam NoopHostnameVerifier.INSTANCE do utworzenia HttpClientBuilder?
Dzięki
Aktualizacja
stworzyłem nowy plik zaufanych z Common Name (e.g. server FQDN or YOUR name) []: jako mojego hosta, po którym powyższy kod działa (teraz używam hosta dostęp do mojego kodu serwera zamiast hostname.domain.com jak wspomniano powyżej w moim pytaniu).
Teraz moje pytanie jest, w przypadku gdy CN | Common Name nie występuje w pliku zaufanych certyfikatów, czy można go zweryfikować za pomocą pewnych modyfikacji w powyższym kodzie? Proszę zasugeruj. Dzięki jeszcze raz.
Aktualizacja
zamieszczaniu pełną ślad stosu. Dobrą praktyką jest zwracanie wartości true w przypadku weryfikatora nazwy hosta, tak aby ignorował weryfikację nazwy hosta, a operacje polegające na braku CN lub SAN są dostarczane w produkcji (proszę dać mi znać, kiedy można to wykorzystać iw inny sposób)?
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <hostname.domain.com> doesn't match any of the subject alternative names: []
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:467)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at com.code.app.myapp.utils.HttpUtil.post(HttpUtil.java:102)
at com.code.app.myapp2.RequestDispatcher.dispatchRequest(RequestDispatcher.java:61)
at com.code.app.chain.commands.FetchDiagnosticsInfo.executeOperation(FetchDiagnosticsInfo.java:82)
at com.informatica.tools.ui.isomorphic.DSCommand.execute(DSCommand.java:45)
at com.code.app.chain.commands.BaseDSCommand.execute(BaseDSCommand.java:59)
at com.informatica.tools.ui.isomorphic.RPCCommand.execute(RPCCommand.java:43)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166)
at com.informatica.tools.ui.isomorphic.RPCController.execute(RPCController.java:97)
at com.code.app.ui.IsomorphicController.execute(IsomorphicController.java:115)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166)
at org.apache.struts.chain.commands.ExecuteCommand.execute(ExecuteCommand.java:70)
at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166)
at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:175)
at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:166)
at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.code.app.ui.security.UserIdentifierFilter.doFilter(UserIdentifierFilter.java:352)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.code.app.ui.i18n.InfEncodingFilter.doFilter(InfEncodingFilter.java:156)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.code.app.config.InfSessionTimeoutManagerFilter.doFilter(InfSessionTimeoutManagerFilter.java:79)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.code.app.ui.security.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:26)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:615)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
To jest problem z certyfikatem serwera lub mapowaniem DNS, a nie z kodem. – EJP
@EJP: Dzięki, również jest "CN = FQDN" wymagane w magazynie kluczy używane w getSSLContext metody, jak używam 'NoopHostnameVerifier.INSTANCE' do tworzenia HttpClientBuilder? – abi1964
Proszę zaksięgować kompletny ślad stosu w swoim pytaniu. – EJP