![](/img/trans.png)
[英]server certificate change is restricted during renegotiation for TLS_1.2 with Java 8
[英]Error communicating with AD - server certificate change is restrictedduring renegotiation
在我們的應用程序無法連接到Active Directory.
下,我們間歇性地收到錯誤消息Active Directory.
我們目前正在使用jBoss 5
和Java 7
並計划在未來升級到 6 和 8。 這可能是因為域控制器上的證書不好?
錯誤
javax.naming.CommunicationException: simple bind failed: ad.xxx.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
Caused by: javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:269)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1409)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
... 54 more
我相信客戶端層代碼中的此錯誤消息是遵循 Java 更新中的“SSL V3.0 Poodle Vulnerability - CVE-2014-3566 ”進行代碼強化的結果。
恕我直言,這是來自 Java 的錯誤。
根據我的觀察和理解,這是由於 Java 客戶端在您的情況下與同一服務器(Microsoft Active Directory)建立了現有 SSL 連接。
Java 客戶端嘗試執行完全握手失敗並嘗試恢復先前連接的 TLS 握手。
看來您可以通過在 TLS Client Oracle JDK 和 JRE 中禁用 SSL v3.0來執行解決方法。
對此問題的任何其他反饋將不勝感激。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.