SSL证书升级引起的问题
[英]SSL Certificate Upgrade causing Issues
问题描述
We are talking to a remote server for authenticating a user. 
我们正在与远程服务器进行身份验证。 The web server uses a SSL certificate signed by Verisign. Web服务器使用由Verisign签名的SSL证书。 The data is exchanged over HTTPs and we have configured our ThreadSafeClientConnManager to use the JVM default SSL factory: 数据是通过HTTP交换的,我们已经将ThreadSafeClientConnManager配置为使用JVM默认的SSL工厂:
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
schemeRegistry.register(new Scheme("https", SSLSocketFactory
.getSocketFactory(), 443));
ClientConnectionManager manager = new ThreadSafeClientConnManager(
sDefaultHttpParams, schemeRegistry);
Recently, the web server updated their SSL certificates and this has caused our application to break. 最近,Web服务器更新了其SSL证书,这导致我们的应用程序损坏。 What can we do to avoid this problem? 我们怎样做才能避免这个问题?
Please help. 请帮忙。
1 个解决方案
解决方案1
2 已采纳 2011-03-29 00:40:05
There is nothing you can really do to "avoid" the problem because it isn't really a problem, it is a core "feature" of SSL certificates and authority trust. 您真的无法采取任何措施来“避免”该问题,因为这并不是真正的问题,它是SSL证书和授权信任的核心“功能”。
This is a pretty broad question, more detail could help pinpoint the exact problem, but here are the first 2 things to check. 这是一个相当广泛的问题,更多细节可以帮助您找到确切的问题,但这是需要检查的前两件事。
- What CA did they upgrade their SSL cert to use? 他们升级了哪个CA来使用SSL证书? Is it self-signed? 它是自签名的吗?
If the site has been upgraded to use an SSL cert that either uses a non-standard root certificate authority then you need to either import the specific SSL cert using keytool to tell your local JVM that the cert is trusted.如果站点已升级为使用使用非标准根证书颁发机构的SSL证书,则您需要使用keytool导入特定的SSL证书,以告知本地JVM该证书是受信任的。 If they are using a new authority (and your organization trusts that root authority) then you may need to import a new root certificate authority, most majors are supported by default but I have been forced to import new ones on occasion. 如果他们使用新的证书颁发机构(并且您的组织信任该根证书颁发机构),那么您可能需要导入新的根证书颁发机构,默认情况下大多数专业都受支持,但是有时我不得不被迫导入新证书。
http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html http://download.oracle.com/javase/1.4.2/docs/tooldocs/windows/keytool.html
- Make sure their cert is chained correctly. 确保其证书正确链接。 The 2nd most common problem I have seen is cert chaining (install) by the site admins. 我看到的第二个最常见的问题是站点管理员的证书链接(安装)。 Unfortunately IE/Mozilla/Java... all use different validation mechanisms to make sure SSL certs are "valid" and I have found that many site admins don't know how to properly chain a cert to the appropriate root authority on their site. 不幸的是,IE / Mozilla / Java ...都使用不同的验证机制来确保SSL证书“有效”,而且我发现许多站点管理员不知道如何将证书正确链接到其站点上的相应根权限。 You should open the cert in a browser (I would open it in multiple) and inspect the chain of trust to make sure the cert chains from the site all the way back up to the expected root CA. 您应该在浏览器中打开证书(我会以多种方式打开它),并检查信任链,以确保从站点一直到期望的根CA的证书链。 (This is also how you can check the root CA for #1). (这也是检查#1的根CA的方式)。 If it does not have a chain of trust then the JVM SSL validation will fail (whereas I have seen Internet Explorer call a non-chained cert "valid" in older versions of IE). 如果没有信任链,则JVM SSL验证将失败(而我已经看到Internet Explorer在较旧版本的IE中将非链接证书称为“有效”)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.