pdw22336699
释怀然已
Acceptance rate: 0%
2021-03-07 10:12

Java SSL one-way authentication question

Scenario:

The SSL server provides a certificate, assumed here to be server.crt, and the server does one-way authentication.

My understanding is this: the client obtains this server.crt, and then the client uses keytool to generate a keystore. Suppose the steps are as follows:

1. keytool -genkey -alias test11 -keyalg RSA -keysize 2048 -keypass 123456 -storepass 123456 -dname "CN=<server IP address>,OU=test,O=test,L=FZ,ST=FZ,C=CN" -ext san=ip:<server IP address>  -validity 3600  -keystore D:\test11.keystore

2. Add the server's certificate to the client-generated test11.keystore:

keytool -export -file D:\server.crt -alias test11 -keystore D:\test11.keystore

3. Obtain the Java SSL factory; the code is as follows:

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;

    public static SSLSocketFactory getSSLSocktet() throws Exception {
        // Load the keystore generated with keytool; it is used below as both key store and trust store
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(new FileInputStream("D:\\test11.keystore"), "123456".toCharArray());
        // Create key manager
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
        keyManagerFactory.init(keyStore, "123456".toCharArray());
        KeyManager[] km = keyManagerFactory.getKeyManagers();
        // Create trust manager
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
        trustManagerFactory.init(keyStore);
        TrustManager[] tm = trustManagerFactory.getTrustManagers();
        // Initialize SSLContext
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(km, tm, null);
        return sslContext.getSocketFactory();
    }

4. Then comes the one-way-authenticated connection.

In the MQTT options I configured it to return true:

    connOpts.setSSLHostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String arg0, SSLSession arg1) {
            return true;
        }
    });

==================================================================================

By my understanding, at this point the client should be able to communicate with the server over SSL with one-way authentication,

but it keeps throwing an error.

Packet capture: Client Hello -> Server Hello, Certificate, Server Hello Done -> the client replies with Certificate Unknown

Looking at the error in the code, it is: No subject alternative names matching IP address "<server IP>"

At this point I'm completely confused: the keystore clearly has the server IP added, and I also overrode the option's HostnameVerifier to return true. Could someone who knows about this give me some pointers?
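As an added example (not the asker's code), a client set up for one-way TLS: the trust store holds only server.crt, no KeyManager is created, and endpoint identification stays enabled; printSans lists the SAN entries of the server's own certificate, which are what the JDK compares the connected IP address against when it reports "No subject alternative names matching IP address". The class name and the path passed to loadServerCert are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class OneWayTlsClient {          // class name is an assumption for this example
    static X509Certificate loadServerCert(String path) throws Exception { // PEM or DER server.crt
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Lists the SAN entries of the server's cert; endpoint identification matches the connected host/IP against these. */
    static void printSans(X509Certificate cert) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) { System.out.println("server cert has no subjectAltName extension"); return; }
        for (List<?> san : sans) {
            // GeneralName tag: 2 = dNSName, 7 = iPAddress
            System.out.println("SAN type=" + san.get(0) + " value=" + san.get(1));
        }
    }

    /** One-way TLS: the client needs only a trust store holding the server cert, no KeyManager. */
    static SSLContext buildClientContext(X509Certificate serverCert) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                          // empty, in-memory trust store
        trust.setCertificateEntry("server", serverCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);    // null KeyManagers: client presents no certificate
        return ctx;
    }

    /** Connects with endpoint identification left on, so a SAN mismatch fails the handshake. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();
        return s;
    }
}
```

With Paho, pass ctx.getSocketFactory() to connOpts.setSocketFactory(...) rather than installing an always-true HostnameVerifier, so the SAN check stays in force.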
