SSL 中证书是否可以使用IP而不是域名
2014-07-14 09:58
288 查看
前言:以前听别人说生成证书时可以用IP地址,今天用例子证实了下用IP地址是不行的。
例子是做单点登录时的例子,web.xml中配置如下:
如上配置中指定使用HTTPS协议,生成证书时指定的名称为上图中的172.18.113.78,访问后出错,结果如下:
例子同情景一中的例子,只是把web.xml中的IP地址改为了域名,测试结果为通过。
如果客户端访问出现如下错误:
可能原因一:tomcat使用的jdk和证书导入的jdk不是同一个
可能原因二:导入完成后需要重启(静态导入),重启一次不行建议重启第二次
可能原因三:jdk中的证书导入错误
结论
所以得出结论,生成证书时需要指定域名而非用IP地址。
情景一:
生成证书时指定的名称为IP地址例子是做单点登录时的例子,web.xml中配置如下:
<!--该过滤器负责用户的认证工作,必须启用它 --> <filter> <filter-name>CASFilter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://172.18.113.78:8443/CasServer/login</param-value> <!--这里的server是服务端的IP --> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://127.0.0.1:8080/</param-value> </init-param> </filter> <filter-mapping> <filter-name>CASFilter</filter-name> <url-pattern>/*</url-pattern </filter-mapping> <!-- 该过滤器负责对Ticket的校验工作,必须启用它 --> <!-- ValidationFilter 这个filter负责对请求参数ticket进行验证(ticket参数是负责子系统与CAS进行验证交互的凭证)casServerUrlPrefix:CAS服务访问地址serverName:当前应用所在的主机名 --> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class> org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter </filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://172.18.113.78:8443/CasServer</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://127.0.0.1:8080</param-value> </init-param> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
如上配置中指定使用HTTPS协议,生成证书时指定的名称为上图中的172.18.113.78,访问后出错,结果如下:
严重: Servlet.service() for servlet [jsp] in context with path [/uum] threw exception java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341) at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at fi.common.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:125) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302) at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) at java.lang.Thread.run(Thread.java:619) Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1026) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234) at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:328) ... 30 more Caused by: java.security.cert.CertificateException: No subject alternative names present at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142) at sun.security.util.HostnameChecker.match(HostnameChecker.java:75) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264) at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014) ... 42 more
情景二:
生成证书时指定名称为域名(测试用的,修改了本地host文件)例子同情景一中的例子,只是把web.xml中的IP地址改为了域名,测试结果为通过。
如果客户端访问出现如下错误:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target这种错误往往是证书路径不对导致的。
可能原因一:tomcat使用的jdk和证书导入的jdk不是同一个
可能原因二:导入完成后需要重启(静态导入),重启一次不行建议重启第二次
可能原因三:jdk中的证书导入错误
结论
所以得出结论,生成证书时需要指定域名而非用IP地址。
相关文章推荐
- SSL 中证书能否够使用IP而不是域名
- delphi 域名转ip并判断ip是否可以联通
- 免费HTTPS证书不是梦!在Ubuntu(Linux)的VPS上使用Let's Encrypt为一堆域名申请并安装HTTPS证书
- YTKNetWork源码解析——针对SSL自产证书认证如何随心所欲的游走在IP和域名之间并开启想要的验证
- cas 配置https改为ip而不是使用域名
- Delphi判断文件是否正在被使用(CreateFile也可以只是为了读取数据,而不是创建)
- 使用HttpClient携带证书报错_Certificate for <IP> doesn't match any of the subject alternative names:[域名]
- ubuntu无线连接使用ip可以访问网站,但是使用域名却不可以访问的解决办法
- 动态DNS——本质上是IP变化,将任意变换的IP地址绑定给一个固定的二级域名。不管这个线路的IP地址怎样变化,因特网用户还是可以使用这个固定的域名 这样看的话,p2p可以用哇
- 如何配置证书服务器以便在 IIS 上与 SSL 结合使用
- 【转】在IIS 7.0上使用自签证书来启用SSL
- 在Windows XP下是否可以使用Ctrl+Alt+Del键锁定计算机?
- WINDOWS SERVER 2003从入门到精通之使用证书在WEB服务器上设置SSL(上)
- 什么是 SSL 证书?如何检查网址是否部署了 SSL 证书?
- 是否可以使用document_innerHTML取得代码
- 什么是 SSL 证书?如何检查网址是否部署了 SSL 证书?
- telnet serverip serverport 可以测试服务器端口是否通
- 虚拟IP实验,遇到场景启用使用虚拟IP就报错,不启用可以正常运行的问题,解决方法
- 使用ssl构建证书中心