Analyzing the source to find the cause of the error, then fixing the root cause
With JDK7, LDAPS with a self-signed certificate worked without problems. After upgrading to JDK14 the connection failed and the log printed "No subject alternative names present". Looking at the JDK source:
Located in: sun.security.util.HostnameChecker
JDK14 verifies the IP against the certificate's subjectAltName extension. My certificate's name is an IP address, so the iPAddress entry is checked; if it were a domain name, the DNS entries would be checked instead.
    /**
     * Check if the certificate allows use of the given IP address.
     *
     * From RFC2818:
     * In some cases, the URI is specified as an IP address rather than a
     * hostname. In this case, the iPAddress subjectAltName must be present
     * in the certificate and must exactly match the IP in the URI.
     */
    private static void matchIP(String expectedIP, X509Certificate cert)
            throws CertificateException {
        Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
        // The old certificate was V1 with no extensions, so this returns null
        if (subjAltNames == null) {
            throw new CertificateException
                ("No subject alternative names present");
        }
        for (List<?> next : subjAltNames) {
            // For IP address, it needs to be exact match
            if (((Integer)next.get(0)).intValue() == ALTNAME_IP) {
                String ipAddress = (String)next.get(1);
                if (expectedIP.equalsIgnoreCase(ipAddress)) {
                    return;
                } else {
                    // compare InetAddress objects in order to ensure
                    // equality between a long IPv6 address and its
                    // abbreviated form.
                    try {
                        if (InetAddress.getByName(expectedIP).equals(
                                InetAddress.getByName(ipAddress))) {
                            return;
                        }
                    } catch (UnknownHostException e) {
                    } catch (SecurityException e) {}
                }
            }
        }
        throw new CertificateException("No subject alternative " +
                "names matching " + "IP address " +
                expectedIP + " found");
    }
Solution: regenerate the certificate
1. JDK14 checks the certificate's extension attributes and verifies the IP against the subjectAltName, so the certificate needs that extension.
2. Use openssl to generate a v3 certificate with the server IP added as a subjectAltName extension.
2.1. To add the v3 extension, edit openssl.cnf: vi /etc/pki/tls/openssl.cnf
# Relevant part of the configuration.
# First search for an [ alternate_names ] section; if there is none, add it at the bottom of the file:
[ alternate_names ]
IP.1 = 172.17.1.2
# IP.2 = 172.17.1.3
# DNS.1 = example1.com
# DNS.2 = example2.com
# Then find the v3_req section and add subjectAltName = @alternate_names:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
Generating the V3 certificate
1. Install openssl first (skip if it is already installed)
yum -y install openssl
2. Generate the server's private key
cd /etc/openldap/certs/
openssl genrsa -out ldap.key 2048    # private key
3. Generate the signing request
openssl req -new -key ldap.key -out ldap.csr    # certificate signing request
Only the Common Name must be filled in, with the server's IP or domain name; the other fields can be left blank.
4. Sign the certificate with the v3 extensions
openssl x509 -req -extfile /etc/pki/tls/openssl.cnf -extensions v3_req -in ldap.csr -out ldap.cer -signkey ldap.key -days 3650
The parameters -extfile /etc/pki/tls/openssl.cnf -extensions v3_req are required to produce an X.509 V3 certificate; without them the certificate has no extensions and therefore no subjectAltName.
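The whole procedure above, plus the check that JDK14's HostnameChecker effectively performs, as an added shell example (not from the original post). It writes the [v3_req]/[alternate_names] content as an inline extension file in a temporary directory instead of editing /etc/pki/tls/openssl.cnf, generates one certificate without the extension parameters (like the old one that failed) and one with them, and then reads back the version and the SAN IP entries of each. The IP 172.17.1.2 is the one used in the post; the DNS name ldap.example.internal and all file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: side-by-side generation of a
# certificate without a subjectAltName and an X.509 v3 certificate with one,
# followed by the check that matters to JDK14 (is there an IP Address SAN?).
# Extension config is written inline; /etc/pki/tls/openssl.cnf is not touched.
set -eu

# make_key_and_csr OUTDIR CN: private key + signing request, CN = server IP/name
make_key_and_csr() {
    outdir=$1; cn=$2
    mkdir -p "$outdir"
    openssl genrsa -out "$outdir/ldap.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/ldap.key" -subj "/CN=$cn" \
        -out "$outdir/ldap.csr" 2>/dev/null
}

# make_cert_without_san OUTDIR: self-signed without -extfile/-extensions,
# i.e. the kind of certificate that made JDK14 throw
# "No subject alternative names present"
make_cert_without_san() {
    make_key_and_csr "$1" 172.17.1.2
    openssl x509 -req -in "$1/ldap.csr" -signkey "$1/ldap.key" \
        -out "$1/ldap.cer" -days 3650 2>/dev/null
}

# make_v3_cert OUTDIR IP [DNS]: same, but with the [v3_req]/[alternate_names]
# content from the post supplied as an inline extension file
make_v3_cert() {
    outdir=$1; ip=$2; dns=${3:-}
    make_key_and_csr "$outdir" "$ip"
    {
        echo "basicConstraints = CA:FALSE"
        echo "keyUsage = digitalSignature, keyEncipherment"
        echo "subjectAltName = @alternate_names"
        echo ""
        echo "[ alternate_names ]"
        echo "IP.1 = $ip"
        if [ -n "$dns" ]; then echo "DNS.1 = $dns"; fi
    } > "$outdir/san.ext"
    # No -extensions flag: the unnamed default section of san.ext is used
    openssl x509 -req -in "$outdir/ldap.csr" -signkey "$outdir/ldap.key" \
        -extfile "$outdir/san.ext" -out "$outdir/ldap.cer" -days 3650 2>/dev/null
}

# cert_version CERT: prints the X.509 version number shown by openssl (3 for v3)
cert_version() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# san_ips CERT: prints the IP Address entries of the SAN, one per line.
# Empty output means no SAN at all, which is exactly what JDK14 rejects.
san_ips() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'IP Address:[^,]*' | sed 's/IP Address://' || true
}

# Demo run: both certificates side by side (constructed temporary paths)
tmp=$(mktemp -d)
make_cert_without_san "$tmp/old"
make_v3_cert "$tmp/new" 172.17.1.2 ldap.example.internal
echo "old cert: version $(cert_version "$tmp/old/ldap.cer"), SAN IPs: [$(san_ips "$tmp/old/ldap.cer")]"
echo "new cert: version $(cert_version "$tmp/new/ldap.cer"), SAN IPs: [$(san_ips "$tmp/new/ldap.cer")]"
rm -rf "$tmp"
```

Run it as a plain script; the new certificate reports version 3 and the SAN IP 172.17.1.2, while the old one reports no SAN IPs at all. To use the generated files with slapd, copy ldap.key and ldap.cer into /etc/openldap/certs/ as in the steps above; a hostname rather than an IP belongs in DNS.1, since HostnameChecker matches an IP only against iPAddress entries.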
Check the generated certificate
[root@localhost certs]# openssl x509 -in ldap.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15873729664147508607 (0xdc4ad106e417cd7f)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=qq, ST=qq, L=qq, O=qq, OU=qq, CN=172.17.1.2/emailAddress=qq
Validity
Not Before: Jul 16 07:02:35 2020 GMT
Not After : Jul 16 07:02:35 2023 GMT
Subject: C=qq, ST=qq, L=qq, O=qq, OU=qq, CN=172.17.1.2/emailAddress=qq
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:e7:73:6e:86:ad:46:5e:37:b8:39:37:a2:aa:
07:aa:60:d1:1b:35:a9:31:d1:1e:09:48:61:bc:2b:
d3:10:f1:78:27:20:26:94:49:82:d7:f5:dd:8b:4e:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
83:9d:42:f6:02:25:d1:f8:39:b4:c0:f9:c5:46:a1:
9b:29:40:b3:68:c8:30:5d:96:5d:63:c2:4b:cb:0a:
25:48:30:ba:b5:29:14:c3:e2:23:f5:5c:bc:ef:68:
ae:e0:03:e8:36:e5:e0:4c:9d:17:01:af:e5:a4:1e:
f7:d7:28:1e:e4:20:79:86:cc:59:f0:fb:5f:de:d2:
f8:80:4c:8e:af:96:71:b7:f2:d2:d6:21:50:07:20:
2b:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
IP Address:172.17.1.2
# Seeing the Subject Alternative Name block with the IP Address entry means it worked
Signature Algorithm: sha256WithRSAEncryption
17:65:fb:46:1d:e3:82:9f:b4:84:57:bb:43:68:44:a5:da:e7:
5a:0f:77:4d:06:5b:be:33:0f:5c:bd:50:35:d0:28:29:03:5b:
bb:89:92:09:b6:92:39:bb:ab:8a:5f:a2:3c:e5:36:83:b0:36:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
a0:a5:5d:4a:f0:f3:43:98:21:ea:04:4e:62:5a:94:91:37:b8:
f9:9b:c1:d7:31:49:33:93:06:51:4e:d1:6f:0c:1b:31:fa:13:
9a:47:56:53
Finally, remember to restart slapd so the new certificate takes effect
ps -ef | grep ldap    # find the PID
kill -9 PID
slapd -h "ldap:/// ldaps:///"