我们在为证书进行握手时遇到了问题,
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <g.i.t.n.c.com> doesn't match any of the subject alternative names: [*.t.n.c.com]
我们的入口配置为提供一个证书,如果我们通过DNS名称访问它,则使用替代名称g.i.t.n.c.com
,如果我们通过IP访问,则使用*.t.n.c.com
。
但在我们的代码中,我们只有一个Spring WS
客户端在后台使用Apache Http Client
。
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <g.i.t.n.c.com> doesn't match any of the subject alternative names: [*.t.n.c.com]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.springframework.ws.transport.http.HttpComponentsConnection.onSendAfterWrite(HttpComponentsConnection.java:121)
at org.springframework.ws.transport.AbstractWebServiceConnection.send(AbstractWebServiceConnection.java:48)
at org.springframework.ws.client.core.WebServiceTemplate.sendRequest(WebServiceTemplate.java:658)
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:606)
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:555)
不知什么原因,在某个时候,它是确定的,SslSocket
是建立检索正确的证书(就像它通过SNI
主机名数据访问我们的Ingress
主机名),在某个时候(导致上述异常)建立连接的呼叫使用的IP没有DNS hostname
,也没有SNI
数据,我们得到了损坏的证书,只有在SNI
中没有DNS name
的情况下访问我们的入口时才会出现。
要获取SNI
详细信息(ClientHello
消息),您可以运行Java应用程序,
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager
您将有额外的登录到std.out
,如
javax.net.ssl|DEBUG|02 14|XNIO-1 task-9|2023-09-04 12:48:06.626 MSK|Finished.java:860|Consuming server Finished handshake message (
如何强制它只使用一种连接方式,随时使用DNS名称?
我们使用Java 11。
1条答案
按热度按时间f45qwnt81#
https://bugs.openjdk.org/browse/JDK-8220723这是问题的根本原因
为了解决这个问题,我们强制TLS1.2工作,以避免使用TLS1.3,
添加
或