前言:曾经听别人说生成证书时能够用IP地址。今天用样例证实了下用IP地址是不行的。

情景一:

生成证书时指定的名称为IP地址

样例是做单点登录时的样例。web.xml中配置例如以下:

<!--该过滤器负责用户的认证工作。必须启用它 -->

    <filter>

        <filter-name>CASFilter</filter-name>

        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>

        <init-param>

            <param-name>casServerLoginUrl</param-name>

            <param-value>https://172.18.113.78:8443/CasServer/login</param-value>

            <!--这里的server是服务端的IP -->

        </init-param>

        <init-param>

            <param-name>serverName</param-name>

            <param-value>http://127.0.0.1:8080/</param-value>

        </init-param>

    </filter>

    <filter-mapping>

        <filter-name>CASFilter</filter-name>

        <url-pattern>/*</url-pattern

    </filter-mapping>

    <!-- 该过滤器负责对Ticket的校验工作。必须启用它 -->

    <!-- ValidationFilter 这个filter负责对请求參数ticket进行验证(ticket參数是负责子系统与CAS进行验证交互的凭证)casServerUrlPrefix:CAS服务訪问地址serverName:当前应用所在的主机名 -->

    <filter>

        <filter-name>CAS Validation Filter</filter-name>

        <filter-class>

            org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

        </filter-class>

        <init-param>

            <param-name>casServerUrlPrefix</param-name>

            <param-value>https://172.18.113.78:8443/CasServer</param-value>

        </init-param>

        <init-param>

            <param-name>serverName</param-name>

            <param-value>http://127.0.0.1:8080</param-value>

        </init-param>

        <init-param>

			<param-name>encoding</param-name>

			<param-value>UTF-8</param-value>

		</init-param>

    </filter>

    <filter-mapping>

        <filter-name>CAS Validation Filter</filter-name>

        <url-pattern>/*</url-pattern>

    </filter-mapping>

如上配置中指定使用HTTPS协议,生成证书时指定的名称为上图中的172.18.113.78,訪问后出错,结果例如以下:

严重: Servlet.service() for servlet [jsp] in context with path [/uum] threw exception

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)

	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)

	at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)

	at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)

	at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

	at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

	at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

	at fi.common.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:125)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)

	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)

	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)

	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)

	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)

	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)

	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)

	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)

	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)

	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)

	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)

	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)

	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

	at java.lang.Thread.run(Thread.java:619)

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)

	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)

	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)

	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)

	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)

	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)

	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)

	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)

	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)

	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)

	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1026)

	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)

	at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:328)

	... 30 more

Caused by: java.security.cert.CertificateException: No subject alternative names present

	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)

	at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)

	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)

	at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)

	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)

	... 42 more

情景二:

生成证书时指定名称为域名(測试用的,改动了本地host文件)

样例同情景一中的样例,仅仅是把web.xml中的IP地址改为了域名,測试结果为通过。

假设client訪问出现例如以下错误:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

这样的错误往往是证书路径不正确导致的。

可能原因一:tomcat使用的jdk和证书导入的jdk不是同一个

可能原因二:导入完毕后须要重新启动(静态导入),重新启动一次不行建议重新启动第二次

可能原因三:jdk中的证书导入错误

结论

所以得出结论,生成证书时须要指定域名而非用IP地址。

SSL 中证书能否够使用IP而不是域名的更多相关文章

  1. wordpress域名解析到了网站,但是点击其他页面会出现ip而不是域名

         1.前提域名可以访问你的网站证明解析没问题 2.那就是wp后台的设置问题,将url和站点url改为你的域名http://www.eovision.cc清理缓存即可 亲测可用,如果改了出现页面 ...

  2. Charles的HTTPS抓包方法及原理,下载安装ssl/https证书

    转自:https://zhubangbang.com/charles-https-packet-capture-method-and-principle.html 本文的Charles,适应windo ...

  3. Charles的https抓包方法及原理/下载ssl/http证书

    本文的Charles,适应windows/MAC/IOS/Android,避免抓包HTTPS失败和乱码: charles如果不配置SSL通用证书: 会导致HPPTS协议的域名抓取失败/乱码的现象: 首 ...

  4. SSL/TLS协议详解(中)——证书颁发机构

    本文转载自SSL/TLS协议详解(中)--证书颁发机构 导语 上一篇中,我们讨论了关于Diffie Hellman算法的SSL/TLS密钥交换.我们最终认为需要第三方来验证服务器的真实性,并提出了证书 ...

  5. 如何在AWS中为自己的S3托管站点添加SSL/TSL证书(https)

    概要 利用AWS的S3服务托管静态网站后,如何将自己的域名与该站点绑定,并为此域名提供SSL/TSL证书(https). 面向人群 已经掌握如何利用S3服务托管静态网站. 已经拥有自己的域名. 希望为 ...

  6. [转]浅谈https\ssl\数字证书

    浅谈https\ssl\数字证书 http://www.cnblogs.com/P_Chou/archive/2010/12/27/https-ssl-certification.html 全球可信的 ...

  7. 浅谈https\ssl\数字证书

    全球可信的SSL数字证书申请:http://www.shuzizhengshu.com 在互联网安全通信方式上,目前用的最多的就是https配合ssl和数字证书来保证传输和认证安全了.本文追本溯源围绕 ...

  8. 免费 SSL 安全证书

    为了保证网上传输信息的安全而在自己的 Linode VPS 上部署 SSL 加密服务.商业 CA 较贵,所以使用了自己签发的 CA.网友神爱的留言提到了 StartSSL 的免费 CA,稍做了一些调查 ...

  9. 【转】浅谈https\ssl\数字证书

    转载请注明出处:http://www.cnblogs.com/P_Chou/archive/2010/12/27/https-ssl-certification.html 全球可信的SSL数字证书申请 ...

随机推荐

  1. 互联网创业十问?good(快速迭代、把握核心用户应对抄袭,不需要把商业模式考虑完备,4种失败的信号,失败者没资格说趁着年轻...)

    著作权归作者所有.商业转载请联系作者获得授权,非商业转载请注明出处.作者:曹政链接:https://www.zhihu.com/question/20264499/answer/28168079来源: ...

  2. jsp字段判空

    是对象吧String jsp的写法 <% if(str == null) { %> str is null <% } else { %> str not null <% ...

  3. CMake入门指南

    原文地址:http://www.cnblogs.com/sinojelly/archive/2010/05/22/1741337.html CMake是一个比make更高级的编译配置工具,它可以根据不 ...

  4. Acitivity创建与配置

    •Activity的创建和配置 –Activity提供了和用户交互的可视化界面.创建一个Activity一般是继承Activity(当然也可以继承ListActivity.MapActivity等), ...

  5. SVProgressHUD的使用

    GitHub:https://github.com/samvermette/SVProgressHUD SVProgressHUD和MBProgressHUD效果差点儿相同,只是不须要使用协议,同一时 ...

  6. c语言,动态数组

    试着直接malloc一个2*3*4的空间来模拟数组: #include <stdio.h> #include <malloc.h> int main(void) { int** ...

  7. Linux入门:文件权限、用户、用户组(比较清楚)

    单个文件名或目录名长度不超过255字符: 文件或目录的绝对路径长度不超过4096字符:   一.文件所有者与用户组     一个文件有很多属性,包括文件类型.文件权限.文件隐藏权限.文件所有者.用户组 ...

  8. encode_json 会对给定的Perl的数据结构转换为一个UTF-8 encoded, binary string.

    use JSON qw/encode_json decode_json/ ; use Encode; my $data = [ { 'name' => 'Ken' , 'age' => 1 ...

  9. 基于visual Studio2013解决面试题之1403插入排序

     题目

  10. Apache服务器学习笔记

    Apache服务器知识 首先我们要知道一共有那几个程序在监听网络端口,即与网络保持活跃连接,打开CMD命令窗口 输入: netstat  –an 指令就能显示出所有与网络保持连接的程序,输入net s ...