解决LDAPS连接时报错 No subject alternative names present

源码分析报错的原因,对症下药

JDK7使用自签证书使用LDAPS完全没问题,后来升级JDK14后就无法连接,查看日志打印 No subject alternative names present,查看源码分析:

定位到:sun.security.util.HostnameChecker
JDK14 需要验证扩展属性中的IP,我的证书域名时IP地址,如果是域名则会验证DNS
 /**
     * Check if the certificate allows use of the given IP address.
     *
     * From RFC2818:
     * In some cases, the URI is specified as an IP address rather than a
     * hostname. In this case, the iPAddress subjectAltName must be present
     * in the certificate and must exactly match the IP in the URI.
     */
    private static void matchIP(String expectedIP, X509Certificate cert)
            throws CertificateException {
        Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
        //之前是V1的证书没有扩展属性,这里返回的是null
        if (subjAltNames == null) {
            throw new CertificateException
                                ("No subject alternative names present");
        }
        for (List<?> next : subjAltNames) {
            // For IP address, it needs to be exact match
            if (((Integer)next.get(0)).intValue() == ALTNAME_IP) {
                String ipAddress = (String)next.get(1);
                if (expectedIP.equalsIgnoreCase(ipAddress)) {
                    return;
                } else {
                    // compare InetAddress objects in order to ensure
                    // equality between a long IPv6 address and its
                    // abbreviated form.
                    try {
                        if (InetAddress.getByName(expectedIP).equals(
                                InetAddress.getByName(ipAddress))) {
                            return;
                        }
                    } catch (UnknownHostException e) {
                    } catch (SecurityException e) {}
                }
            }
        }
        throw new CertificateException("No subject alternative " +
                        "names matching " + "IP address " +
                        expectedIP + " found");
    }

解决办法重新生成证书

1、jdk14需要检查证书扩展属性,验证IP
2、使用openssl 生成v3证书增加服务器IP的扩展属性
2.1、增加v3证书扩展属性 需求修改openssl.cnf vi /etc/pki/tls/openssl.cnf

#部分配置  
#先搜搜看是否有  没有在文件底部新增,

[ alternate_names ]
IP.1 = 172.17.1.2
# IP.2 = 172.17.1.3
# DNS.1  = example1.com
# DNS.2  = example2.com

#找到 v3_req
# 添加 subjectAltName = @alternate_names

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names

生成V3版本的证书

1、首先安装openssl,已安装请忽略

yum -y install openssl

2、生成server端的私钥

cd /etc/openldap/certs/
openssl genrsa -out ldap.key 2048  //私钥

3、生成签名请求

openssl req -new -key ldap.key -out ldap.csr //生成签名请求

只有Common Name项一定要填写Sever的IP或域名,其余项可不填写。

 openssl x509 -req   -extfile /etc/pki/tls/openssl.cnf -extensions v3_req  -in ldap.csr -out ldap.cer -signkey ldap.key  -days 3650   
 
\\ -extfile /etc/pki/tls/openssl.cnf -extensions v3_req  参数是生成 X509 V3 版本的证书的必要条件。

检查生成的证书

[root@localhost certs]# openssl x509 -in ldap.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15873729664147508607 (0xdc4ad106e417cd7f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=qq, ST=qq, L=qq, O=qq, OU=qq, CN=172.17.1.2/emailAddress=qq
        Validity
            Not Before: Jul 16 07:02:35 2020 GMT
            Not After : Jul 16 07:02:35 2023 GMT
        Subject: C=qq, ST=qq, L=qq, O=qq, OU=qq, CN=172.17.1.2/emailAddress=qq
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:e7:73:6e:86:ad:46:5e:37:b8:39:37:a2:aa:
                    07:aa:60:d1:1b:35:a9:31:d1:1e:09:48:61:bc:2b:
                    d3:10:f1:78:27:20:26:94:49:82:d7:f5:dd:8b:4e:
                    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                    83:9d:42:f6:02:25:d1:f8:39:b4:c0:f9:c5:46:a1:
                    9b:29:40:b3:68:c8:30:5d:96:5d:63:c2:4b:cb:0a:
                    25:48:30:ba:b5:29:14:c3:e2:23:f5:5c:bc:ef:68:
                    ae:e0:03:e8:36:e5:e0:4c:9d:17:01:af:e5:a4:1e:
                    f7:d7:28:1e:e4:20:79:86:cc:59:f0:fb:5f:de:d2:
                    f8:80:4c:8e:af:96:71:b7:f2:d2:d6:21:50:07:20:
                    2b:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                IP Address:172.17.1.2
                #可以看到这个就是成功了
    Signature Algorithm: sha256WithRSAEncryption
         17:65:fb:46:1d:e3:82:9f:b4:84:57:bb:43:68:44:a5:da:e7:
         5a:0f:77:4d:06:5b:be:33:0f:5c:bd:50:35:d0:28:29:03:5b:
         bb:89:92:09:b6:92:39:bb:ab:8a:5f:a2:3c:e5:36:83:b0:36:
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         a0:a5:5d:4a:f0:f3:43:98:21:ea:04:4e:62:5a:94:91:37:b8:
         f9:9b:c1:d7:31:49:33:93:06:51:4e:d1:6f:0c:1b:31:fa:13:
         9a:47:56:53




最后记得重启ldap 让证书生效

ps -ef | grep ldap #查询PID
kill-9  PID
slapd -h "ldap:/// ldaps:///"
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值