用java去连接SSL网站时,有时候出现:
Caused by: java.security.cert.CertificateException: No name matching ...
这是因为虽然server的certificate被trust了,但是host name verify验证失败,因为你connect的service的hostname和证书中的subject CN name不一致,所以导致了这个问题。
解决办法有两个:
1 客户端可以更改SSL配置去信任所有的hostname。
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}
};
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
// set the allTrusting verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
2 服务端重新制作证书,将证书中的subject CN name signed成自己真正的被客户端连接时使用的hostname.
原文:http://blog.csdn.net/hongchangfirst/article/details/78202635
作者:hongchangfirst
hongchangfirst的主页:http://blog.csdn.net/hongchangfirst