找不到与 ex.ample.com 匹配的主题备用 DNS 名称
对于在 ex.ample.com 上运行的应用程序,我有来自 StartSSL/StartCom 的以下证书:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 163069 (0x27cfd)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Validity
Not Before: Nov 27 21:26:01 2010 GMT
Not After : Nov 29 15:32:05 2011 GMT
Subject: description=303703-Sv1xMdnmzg6garMt, C=NL, O=Persona Not Validated, OU=StartCom Free Certificate Member, CN=ex.ample.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
....
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
31:68:B2:7B:A2:7C:79:54:B7:3E:66:FD:12:04:18:FC:FB:9B:34:64
X509v3 Authority Key Identifier:
keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
X509v3 Subject Alternative Name:
DNS:ex.ample.com, DNS:ample.com
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.23223.1.2.2
CPS: http://www.startssl.com/policy.pdf
CPS: http://www.startssl.com/intermediate.pdf
User Notice:
Organization: StartCom Ltd.
Number: 1
Explicit Text: Limited Liability, see section *Legal Limitations* of the StartCom Certification Authority Policy available at http://www.startssl.com/policy.pdf
X509v3 CRL Distribution Points:
URI:http://www.startssl.com/crt1-crl.crl
URI:http://crl.startssl.com/crt1-crl.crl
Authority Information Access:
OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
CA Issuers - URI:http://www.startssl.com/certs/sub.class1.server.ca.crt
X509v3 Issuer Alternative Name:
URI:http://www.startssl.com/
Signature Algorithm: sha1WithRSAEncryption
.....
我已正确安装此证书。当我使用 Firefox 访问该应用程序时,它可以工作。 当我使用 Java 的 HttpURLConnection 从中检索页面时,我收到以下错误:
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ex.ample.com found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:285)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:271)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1012)
... 14 more
我不明白为什么会发生这种情况。 ex.ample.com 是证书中的通用名称 (CN),也在 SAN 中列出。 我已将 StarSLL 的证书导入到我的信任库中,所以这不是这里的问题。
For my application running at ex.ample.com I have the following certificate from StartSSL/StartCom:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 163069 (0x27cfd)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Validity
Not Before: Nov 27 21:26:01 2010 GMT
Not After : Nov 29 15:32:05 2011 GMT
Subject: description=303703-Sv1xMdnmzg6garMt, C=NL, O=Persona Not Validated, OU=StartCom Free Certificate Member, CN=ex.ample.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
....
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
31:68:B2:7B:A2:7C:79:54:B7:3E:66:FD:12:04:18:FC:FB:9B:34:64
X509v3 Authority Key Identifier:
keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
X509v3 Subject Alternative Name:
DNS:ex.ample.com, DNS:ample.com
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.23223.1.2.2
CPS: http://www.startssl.com/policy.pdf
CPS: http://www.startssl.com/intermediate.pdf
User Notice:
Organization: StartCom Ltd.
Number: 1
Explicit Text: Limited Liability, see section *Legal Limitations* of the StartCom Certification Authority Policy available at http://www.startssl.com/policy.pdf
X509v3 CRL Distribution Points:
URI:http://www.startssl.com/crt1-crl.crl
URI:http://crl.startssl.com/crt1-crl.crl
Authority Information Access:
OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
CA Issuers - URI:http://www.startssl.com/certs/sub.class1.server.ca.crt
X509v3 Issuer Alternative Name:
URI:http://www.startssl.com/
Signature Algorithm: sha1WithRSAEncryption
.....
I have this certificate installed correctly. It works when I access the app with Firefox.
When I use Java's HttpURLConnection to retrieve a page from it though, I get the following error:
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ex.ample.com found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:285)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:271)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1012)
... 14 more
I don't understand why this happens. ex.ample.com is the Common Name (CN) in the cert and is also listed in the SANs.
I've imported StarSLL's certificates in my truststore, so that's not the problem here.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不确定您是否仍在寻找答案。可能不是!
这里的问题是您的证书中的 DNS 条目与您在应用程序中提供的服务器/主机名不匹配。您的代码在某处进行了主机名验证。删除该代码或将您提供的主机名更改为证书中的 DNS 名称。
Not sure if you are still looking for answer. Probably not!
The issue here is the DNS entry in your certificate is not matching with the server/host name you are providing in the application. Your code have a hostname verification somewhere. Either remove that bit of code or change the hostname you are providing to the DNS name in the certificate.
我们最近遇到了这个问题,这是一场噩梦,因为我们只能在生产服务器中重现它,而调试访问权限几乎为零。其余环境运行良好。我们的堆栈是 JDK 1.8.x+、JBoss EAP 7+、Java Spring Boot 应用程序和 Okta 作为身份提供商(从 Okta 恢复众所周知的配置时,SSL 握手失败,其中 okta 在 AWS 云 - 虚拟服务器中可用)。
最后,我们发现(没有人知道为什么)我们使用的 JBoss EAP 应用程序服务器有一个额外的 JVM 系统属性:
jsse.enableSNIExtension = false
这阻止了建立 TLS 连接,我们我们能够通过在其他环境中添加相同的系统属性/值来重现该问题。因此,解决方案很简单,删除不需要的属性和值。
根据 Java 安全文档,对于 Java 7+,此属性默认设置为 true (请参阅 https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization)
We faced this issue recently, it was a nightmare because we were able to reproduce it only in Production servers, were access to debug is near to zero. The rest of environments were just working fine. Our stack was JDK 1.8.x+, JBoss EAP 7+, Java Spring Boot app and Okta as identity provider (the SSL handshake was failing when recovering the well-known configuration from Okta, where okta is available in AWS Cloud - virtual servers).
Finally, we discover that (no one knows why) the JBoss EAP application server that we were using it was having an additional JVM System Property:
jsse.enableSNIExtension = false
This was preventing to establish TLS connection and we were able to reproduce the issue by adding that same system property/value in other environments. So the solution was simple to remove that undesired property and value.
As per Java Security Doc, this property is set by default to true for Java 7+ (refer to https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallationAndCustomization)