
Can an SSL certificate use an IP address instead of a domain name?

Date: 2015-11-21

Preface: I had heard from others that you can use an IP address when generating a certificate; today I confirmed with an example that using an IP address does not work.

Scenario one:

The name specified when generating the certificate is an IP address

The example is from a single sign-on setup; web.xml is configured as follows:

<!-- This filter handles user authentication; it must be enabled -->
    <filter>
        <filter-name>CASFilter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://172.18.113.78:8443/CasServer/login</param-value>
            <!-- The server here is the IP address of the CAS server -->
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://127.0.0.1:8080/</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CASFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- This filter handles ticket validation; it must be enabled -->
    <!-- ValidationFilter validates the ticket request parameter (the ticket is the credential the client application exchanges with CAS). casServerUrlPrefix: the CAS service address. serverName: the host name of the current application -->
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>
            org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
        </filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://172.18.113.78:8443/CasServer</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://127.0.0.1:8080</param-value>
        </init-param>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

The configuration above uses HTTPS, and the certificate was generated with its name set to the 172.18.113.78 shown above. Accessing the application then fails with the following error:

严重: Servlet.service() for servlet [jsp] in context with path [/uum] threw exception  
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present  
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)  
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)  
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)  
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)  
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169)  
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)  
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)  
    at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116)  
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)  
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)  
    at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)  
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)  
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)  
    at fi.common.filter.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:125)  
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)  
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)  
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)  
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)  
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)  
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)  
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)  
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)  
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)  
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:395)  
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:250)  
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)  
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)  
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)  
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)  
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)  
    at java.lang.Thread.run(Thread.java:619)  
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present  
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)  
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)  
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)  
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)  
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)  
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)  
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)  
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)  
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)  
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)  
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)  
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)  
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)  
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)  
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1026)  
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)  
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:328)  
    ... 30 more  
Caused by: java.security.cert.CertificateException: No subject alternative names present  
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)  
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)  
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)  
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)  
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)  
    ... 42 more
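The bottom of the trace explains the failure: the client dialled an IP literal, so the JSSE HostnameChecker took the matchIP path, and that path only looks at subjectAltName iPAddress entries. A certificate whose only name is the IP in the subject CN has no SAN extension at all, hence "No subject alternative names present". The following added example (my own code, not from the article or the CAS client) re-implements that identity check in Python over certificates written in the dict shape Python's ssl.SSLSocket.getpeercert() returns. The three sample certificates are constructed for illustration; only 172.18.113.78 comes from the article. It shows that the same IP fails in the CN and passes once it is carried as a SAN iPAddress entry, and that hostnames, unlike IPs, still get a legacy fallback to the CN.

```python
"""Server identity check as a TLS client performs it (RFC 2818 / RFC 6125 rules,
mirroring the path Java's sun.security.util.HostnameChecker takes).

Certificates are modelled in the dict shape returned by
ssl.SSLSocket.getpeercert(); no key material or network access is needed.
"""
import ipaddress

# Constructed sample certificates (illustrative, not real certificates).
# 1) What the article's author generated: the IP in the subject CN, no SAN extension.
CERT_CN_ONLY = {
    "subject": ((("commonName", "172.18.113.78"),),),
}
# 2) The fix: the same IP carried as a subjectAltName iPAddress entry.
CERT_SAN_IP = {
    "subject": ((("commonName", "172.18.113.78"),),),
    "subjectAltName": (("IP Address", "172.18.113.78"),),
}
# 3) An ordinary hostname certificate with dNSName SAN entries (hypothetical names).
CERT_SAN_DNS = {
    "subject": ((("commonName", "cas.example.test"),),),
    "subjectAltName": (("DNS", "cas.example.test"), ("DNS", "*.sso.example.test")),
}


def _san(cert, kind):
    """Return the subjectAltName values of one kind ('DNS' or 'IP Address')."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _common_name(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match; '*' is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def verify(cert, expected):
    """Return (ok, reason). `expected` is the host part of the URL the client dialled."""
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None  # not an IP literal, treat as a hostname

    if ip is not None:
        # IP literals are matched ONLY against SAN iPAddress entries; the CN is never consulted.
        if "subjectAltName" not in cert:
            return False, "No subject alternative names present"
        for candidate in _san(cert, "IP Address"):
            if ipaddress.ip_address(candidate) == ip:
                return True, f"matched subjectAltName iPAddress {candidate}"
        return False, f"No subject alternative names matching IP address {expected} found"

    dns_sans = _san(cert, "DNS")
    if dns_sans:
        for candidate in dns_sans:
            if _dns_match(candidate, expected):
                return True, f"matched subjectAltName dNSName {candidate}"
        return False, f"No subject alternative DNS name matching {expected} found"
    # Legacy fallback for hostnames only: consult the CN when there is no dNSName SAN.
    cn = _common_name(cert)
    if cn and _dns_match(cn, expected):
        return True, f"matched legacy subject CN {cn}"
    return False, f"No name matching {expected} found"


if __name__ == "__main__":
    for label, cert in (("CN-only", CERT_CN_ONLY), ("SAN iPAddress", CERT_SAN_IP)):
        print(f"{label:14} 172.18.113.78 -> {verify(cert, '172.18.113.78')}")
    print(f"{'SAN dNSName':14} portal.sso.example.test -> {verify(CERT_SAN_DNS, 'portal.sso.example.test')}")
```

Two practical consequences follow from the check. First, if the CAS server really must be reached by IP, the server certificate needs the address in the SAN extension, which Java 7+ keytool can add at generation time with `-ext SAN=ip:172.18.113.78`; putting the IP in the CN alone will never satisfy matchIP. Second, the CN fallback shown for hostnames is a legacy behaviour: current browsers and recent JSSE releases ignore the CN entirely, so new certificates should carry every name, DNS or IP, as a SAN entry.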