前言:曾经听别人说生成证书时能够用IP地址。今天用样例证实了下用IP地址是不行的。

情景一:

生成证书时指定的名称为IP地址

样例是做单点登录时的样例。web.xml中配置例如以下:

<!--该过滤器负责用户的认证工作。必须启用它 -->

    <filter>

        <filter-name>CASFilter</filter-name>

        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>

        <init-param>

            <param-name>casServerLoginUrl</param-name>

            <param-value>https://172.18.113.78:8443/CasServer/login</param-value>

            <!--这里的server是服务端的IP -->

        </init-param>

        <init-param>

            <param-name>serverName</param-name>

            <param-value>http://127.0.0.1:8080/</param-value>

        </init-param>

    </filter>

    <filter-mapping>

        <filter-name>CASFilter</filter-name>

        <url-pattern>/*</url-pattern

    </filter-mapping>

    <!-- 该过滤器负责对Ticket的校验工作。必须启用它 -->

    <!-- ValidationFilter 这个filter负责对请求參数ticket进行验证(ticket參数是负责子系统与CAS进行验证交互的凭证)casServerUrlPrefix:CAS服务訪问地址serverName:当前应用所在的主机名 -->

    <filter>

        <filter-name>CAS Validation Filter</filter-name>

        <filter-class>

            org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

        </filter-class>

        <init-param>

            <param-name>casServerUrlPrefix</param-name>

            <param-value>https://172.18.113.78:8443/CasServer</param-value>

        </init-param>

        <init-param>

            <param-name>serverName</param-name>

            <param-value>http://127.0.0.1:8080</param-value>

        </init-param>

        <init-param>

			<param-name>encoding</param-name>

			<param-value>UTF-8</param-value>

		</init-param>

    </filter>

    <filter-mapping>

        <filter-name>CAS Validation Filter</filter-name>

        <url-pattern>/*</url-pattern>

    </filter-mapping>

如上配置中指定使用HTTPS协议,生成证书时指定的名称为上图中的172.18.113.78,訪问后出错,结果例如以下:

严重: Servlet.service() for servlet [jsp] in context with path [/uum] threw exception

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)

	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)

	at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)

	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)

	at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

	at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

	at fi.common.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:125)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)

	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)

	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)

	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)

	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)

	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)

	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)

	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)

	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)

	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)

	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)

	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)

	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

	at java.lang.Thread.run(Thread.java:619)

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)

	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)

	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)

	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)

	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)

	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)

	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)

	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)

	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)

	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1026)

	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)

	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:328)

	... 30 more

Caused by: java.security.cert.CertificateException: No subject alternative names present

	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)

	at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)

	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)

	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)

	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)

	... 42 more

情景二:

生成证书时指定名称为域名(測试用的,改动了本地host文件)

样例同情景一中的样例,仅仅是把web.xml中的IP地址改为了域名,測试结果为通过。

假设client訪问出现例如以下错误:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

这样的错误往往是证书路径不正确导致的。

可能原因一:tomcat使用的jdk和证书导入的jdk不是同一个

可能原因二:导入完毕后须要重新启动(静态导入),重新启动一次不行建议重新启动第二次

可能原因三:jdk中的证书导入错误

结论

所以得出结论,生成证书时须要指定域名而非用IP地址。

SSL 中证书能否够使用IP而不是域名的更多相关文章

  1. wordpress域名解析到了网站,但是点击其他页面会出现ip而不是域名

         1.前提域名可以访问你的网站证明解析没问题 2.那就是wp后台的设置问题,将url和站点url改为你的域名http://www.eovision.cc清理缓存即可 亲测可用,如果改了出现页面 ...

  2. Charles的HTTPS抓包方法及原理,下载安装ssl/https证书

    转自:https://zhubangbang.com/charles-https-packet-capture-method-and-principle.html 本文的Charles,适应windo ...

  3. Charles的https抓包方法及原理/下载ssl/http证书

    本文的Charles,适应windows/MAC/IOS/Android,避免抓包HTTPS失败和乱码: charles如果不配置SSL通用证书: 会导致HPPTS协议的域名抓取失败/乱码的现象: 首 ...

  4. SSL/TLS协议详解(中)——证书颁发机构

    本文转载自SSL/TLS协议详解(中)--证书颁发机构 导语 上一篇中,我们讨论了关于Diffie Hellman算法的SSL/TLS密钥交换.我们最终认为需要第三方来验证服务器的真实性,并提出了证书 ...

  5. 如何在AWS中为自己的S3托管站点添加SSL/TSL证书(https)

    概要 利用AWS的S3服务托管静态网站后,如何将自己的域名与该站点绑定,并为此域名提供SSL/TSL证书(https). 面向人群 已经掌握如何利用S3服务托管静态网站. 已经拥有自己的域名. 希望为 ...

  6. [转]浅谈https\ssl\数字证书

    浅谈https\ssl\数字证书 http://www.cnblogs.com/P_Chou/archive/2010/12/27/https-ssl-certification.html 全球可信的 ...

  7. 浅谈https\ssl\数字证书

    全球可信的SSL数字证书申请:http://www.shuzizhengshu.com 在互联网安全通信方式上,目前用的最多的就是https配合ssl和数字证书来保证传输和认证安全了.本文追本溯源围绕 ...

  8. 免费 SSL 安全证书

    为了保证网上传输信息的安全而在自己的 Linode VPS 上部署 SSL 加密服务.商业 CA 较贵,所以使用了自己签发的 CA.网友神爱的留言提到了 StartSSL 的免费 CA,稍做了一些调查 ...

  9. 【转】浅谈https\ssl\数字证书

    转载请注明出处:http://www.cnblogs.com/P_Chou/archive/2010/12/27/https-ssl-certification.html 全球可信的SSL数字证书申请 ...

随机推荐

  1. 分享一个Redis帮助类

    最近在项目中使用了redis来存储已经下载过的URL,项目中用的是ServiceStack来操作Redis,一开始ServiceStack的版本用的是最新的,后来发现ServiceStack已经商业化 ...

  2. Error creating bean with name 'org.springframework.validation.beanvalidation.LocalValidatorFactory

    Error creating bean with name ‘org.springframework.validation.beanvalidation.LocalValidatorFactoryBe ...

  3. redis(三)redis+Keepalived主从热备秒级切换

    一 简介 安装使用centos 5.10 Master 192.168.235.135 Slave 192.168.235.152 Vip 192.168.235.200 编译环境 yum -y in ...

  4. 翻转句子中单词的顺序 C语言

    输入一个英文句子,翻转句子中单词的顺序,但单词内字符的顺序不变.句子中单词以空格符隔开. 为简单起见,标点符号和普通字母一样处理. 比如将"I am a student"转化为&q ...

  5. 蓝牙Profile的概念和常见种类

    蓝牙Profile Bluetooth的一个很重要特性,就是所有的Bluetooth产品都无须实现全部 的Bluetooth规范.为了更容易的保持Bluetooth设备之间的兼容,Bluetooth规 ...

  6. ultraedit比较两个文件差异经验

    链接地址:http://jingyan.baidu.com/article/fcb5aff7876551edab4a714b.html 程序开发人员经常要使用到两个文件的对比,有很多工具可以实现该功能 ...

  7. 11-UIKit(Storyboard、View的基本概念、绘制图形、UIBezierPath)

    目录: 1. Storyboard 2. Views 3. View的基本概念介绍 4. 绘制图形 5. UIBezierPath 回到顶部 1. Storyboard 1.1 静态表视图 1)Sec ...

  8. 02-UIKit控件、MVC

    目录: 一.控件使用 二.动态类型和静态类型 三.MVC 四.UIAlertView对话框 回到顶部 一.控件使用 1 事件源,事件处理方法有一个参数传进来,那个参数就是触发这个事件的时间源. UIS ...

  9. The Meta-Object System

    The Meta-Object System Qt元对象系统为对象之间的交互提供了信号与槽机制,运行时信息和动态属性系统. 元对象系统基于三件事: 1.      Qobject类作为所有要利用元对象 ...

  10. Thread.sleep还是TimeUnit.SECONDS.sleep

    转http://stevex.blog.51cto.com/4300375/1285767/ 刚看到TimeUnit.SECONDS.sleep()方法时觉得挺奇怪的,这里怎么也提供sleep方法? ...