java: https URL hostname does not match the Common Name (CN) on the server certificate

Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/13206155/

Date: 2020-10-31 11:52:33  Source: igfitidea

The https URL hostname does not match the Common Name (CN) on the server certificate

Tags: java, web-services

Asked by user1795961

I am getting the following error


javax.xml.ws.soap.SOAPFaultException: Marshalling Error: The https URL hostname does not match the Common Name (CN) on the server certificate.  To disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.

when I try to connect and use the Web Services.


I have added the following lines in cxf.xml but it still doesn't work.


<http-conf:conduit name="*.http-conduit">
  <!-- deactivate HTTPS url hostname verification (localhost, etc)
       WARNING ! disableCNcheck=true should NOT be used in production -->
  <http-conf:tlsClientParameters disableCNCheck="true" />
</http-conf:conduit>

The cxf.xml file is placed under WEB-INF/classes/CxfService.


Kindly let me know what the issue would be.

Answered by AgilePro

There may be no real issue with this configuration. The host name that you use in the URL to the web service does not match the host name in the certificate, but this might be for a number of legitimate reasons, while still allowing the access to the right data.


SSL provides two kinds of protection.

  1. Privacy: It provides an encrypted channel over which the data passes so that nobody else can see that data
  2. Source Assurance: It also provides assurance that you are connected to the site that you asked to be connected to.

You can then see three levels of security:


  • no protections at all
  • encrypted channel so nobody can see your data
  • encrypted channel, as well as assurance that you are connected to the site you expect to.

It is that latter function that you are disabling. The site provides an encrypted certificate that can be decoded to state the DNS name that was used to access the site. If the name you used, and the name in the certificate do not match, you get this warning. As you probably know, there are multiple ways to address a server, and the certificate only matches the one DNS name that the certificate is for. Perhaps you are not accessing the service with the correct name? Or possibly you have a "self-signed" service which offers the encrypted channel, but not the source assurance.


The question to ask yourself: are you worried that someone will hack the DNS system, and cause your request (by DNS name) to be routed to a server which then will serve up false data in place of the web service you expect. It certainly can happen, and I am not going to say that it never happens, but it is very rare. See more discussion of this.


That is the potential issue: someone may spoof the web service you are calling. The security experts will never recommend a compromise position, but you should assess the value of the data, the likelihood of a spoofed service, and the damage that such a spoofing would cause. If this is a significant problem, then you must use a hostname that matches the certificate, or you must get a certificate that matched the hostname that you use.

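As an added illustration (not part of the original answer and not CXF's own code), this is the kind of check that disableCNCheck switches off: the URL hostname is compared against the certificate's dNSName SANs, falling back to the CN only when there are none. All certificate names below are constructed sample values.

```python
"""Hostname verification of the kind a TLS client runs before it will trust a
server certificate for a given URL. Added example, not CXF code; the names used
in the demo are constructed and belong to no real certificate."""
import ipaddress


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, a wildcard is allowed only
    as the whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # no wildcard, wrong depth, or a too-broad pattern like *.com
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns: list, cn: str,
                     disable_cn_check: bool = False) -> bool:
    """Return True if `hostname` (from the URL) is acceptable for a certificate
    carrying the dNSName SANs `san_dns` and subject CN `cn`.

    disable_cn_check=True mirrors CXF's disableCNCheck: every name is accepted,
    so the encrypted channel remains but source assurance is gone."""
    if disable_cn_check:
        return True
    try:
        ipaddress.ip_address(hostname)
        # An IP literal in the URL needs an iPAddress SAN, which this example
        # does not model; it never matches a DNS name or the CN.
        return False
    except ValueError:
        pass
    # dNSName SANs take precedence; the CN is consulted only when none exist.
    candidates = san_dns if san_dns else [cn]
    return any(_label_match(c, hostname) for c in candidates)


def demo() -> dict:
    """Constructed cases: the URL name used vs. a cert for *.example.com."""
    cert_sans, cert_cn = ["*.example.com"], "example.com"
    return {
        "api.example.com": hostname_matches("api.example.com", cert_sans, cert_cn),
        "10.0.0.5": hostname_matches("10.0.0.5", cert_sans, cert_cn),
        "10.0.0.5 (check disabled)": hostname_matches(
            "10.0.0.5", cert_sans, cert_cn, disable_cn_check=True),
    }
```

Accessing the service by IP address or by a short internal alias instead of the name on the certificate yields the error from the question; fixing the URL (or the certificate) keeps source assurance, whereas the disabled check accepts any name.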