Scenario:
The SSL server presents a certificate, assumed here to be server.crt, and the server uses one-way (server-only) authentication.
My understanding is this: the client obtains server.crt, then generates a keystore with keytool; assume the steps are as follows
1. keytool -genkey -alias test11 -keyalg RSA -keysize 2048 -keypass 123456 -storepass 123456 -dname "CN=<server IP address>,OU=test,O=test,L=FZ,ST=FZ,C=CN" -ext san=ip:<server IP address> -validity 3600 -keystore D:\test11.keystore
2. Add the server's certificate to the client-generated test11.keystore
keytool -export -file D:\server.crt -alias test11 -keystore D:\test11.keystore
3. Obtain the Java SSL factory; the code is as follows
public static SSLSocketFactory getSSLSocktet() throws Exception {
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream("D:\\test11.keystore"),"123456".toCharArray());
// Create key manager
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(keyStore, "123456".toCharArray());
KeyManager[] km = keyManagerFactory.getKeyManagers();
// Create trust manager
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
trustManagerFactory.init(keyStore);
TrustManager[] tm = trustManagerFactory.getTrustManagers();
// Initialize SSLContext
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(km, tm, null);
return sslContext.getSocketFactory();
}
4. Then open the one-way-authenticated connection
In the MQTT options I configured the verifier to return true:
connOpts.setSSLHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String arg0, SSLSession arg1) {
return true;
}
});
==================================================================================
As I understand it, at this point the client should be able to communicate with the server over SSL with one-way authentication,
but it keeps throwing an error.
Packet capture: Client Hello -> Server Hello, Certificate, Server Hello Done -> the client replies with Certificate Unknown
Looking at the code, the error is No subject alternative names matching IP address "the server's IP"
At this point I'm completely confused: the keystore clearly has the server IP added, and I also overrode the option's HostnameVerifier to return true. Could someone who understands this give me some pointers? Thanks.
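An added diagnostic, not code from the original post, that loads the keystore from step 3, lists every alias with its entry type (private-key entry versus trusted-certificate entry) and the IP-type SAN entries of its certificate, and reports whether a given server IP is among them; this mirrors the SAN lookup that the JSSE endpoint identification check performs during the handshake. The keystore path and password are the ones from the post; the class name and the server IP 192.0.2.10 are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class KeystoreSanCheck {
    // GeneralName type 7 is iPAddress in a SubjectAlternativeName extension (RFC 5280)
    private static final int SAN_IP = 7;

    // Returns the IP-type SAN entries of a certificate (empty list if it has none).
    static List<String> sanIps(X509Certificate cert) throws Exception {
        List<String> ips = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return ips;
        for (List<?> entry : sans) {
            if (((Integer) entry.get(0)) == SAN_IP) {
                ips.add((String) entry.get(1));
            }
        }
        return ips;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder defaults: keystore path and password from the post, example server IP
        String path = args.length > 0 ? args[0] : "D:\\test11.keystore";
        char[] pass = (args.length > 1 ? args[1] : "123456").toCharArray();
        String serverIp = args.length > 2 ? args[2] : "192.0.2.10";

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        // Walk every alias so it is visible which certificates are actually in the store
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            List<String> ips = sanIps(x);
            System.out.printf("alias=%s kind=%s subject=%s sanIPs=%s matchesServerIp=%b%n",
                    alias,
                    ks.isKeyEntry(alias) ? "private-key entry" : "trusted-cert entry",
                    x.getSubjectX500Principal().getName(),
                    ips, ips.contains(serverIp));
        }
    }
}
```

For the handshake-time check to pass, the server's own certificate must be present as a trusted entry and carry the server IP in its SAN; a javax.net.ssl.HostnameVerifier is consulted only after the handshake completes and does not influence that check.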