
Error communicating with AD - server certificate change is restricted during renegotiation

We've been getting an error intermittently where our app can't connect to our Active Directory.

We're currently on jBoss 5 and Java 7 with plans to upgrade to 6 and 8 in the future. Could this be because of bad certificates on the domain controllers?

Error

  javax.naming.CommunicationException: simple bind failed: ad.xxx.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
Caused by: javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:269)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1409)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
    ... 54 more

I believe this error message in client layer code is a consequence of code hardening following "SSL V3.0 Poodle Vulnerability - CVE-2014-3566" from Java updates.

IMHO, this is a bug in Java.

From what I have observed and understand, this is caused by the Java client having had an existing SSL connection with the same server (Microsoft Active Directory, in your case).

The Java client attempts, and fails, to perform a full handshake and then tries to resume the TLS handshake of the previous connection.

It appears you may be able to work around this by disabling SSL v3.0 in the TLS client (Oracle JDK and JRE).

Any other feedback on this issue would be appreciated.
