Java upgrade 8 to 11 causing issue with LDAPS connection (Connection or outbound has closed)
This problem appeared after the Java upgrade:
- LDAP with a DNS alias cannot connect with Java 11.0.2; it worked with Java 8.
The DNS alias below stays the same, nothing changed here; the only change is the Java upgrade from 8 to 11:
$ nslookup ad1.XXXXX.zz
Server: 10.222.249.209
Address: 10.222.249.209#53
Name: ad1.XXXXX.zz
Address: 10.222.249.205
Name: ad1.XXXXX.zz
Address: 10.222.249.204
Name: ad1.XXXXX.zz
Address: 10.222.249.210
- LDAP with the direct IP has no issue with Java 11.0.2:
$ nslookup qdegsf.XXXXX.zz
Server: 10.222.249.209
Address: 10.222.249.209#53
Name: qdegsf.XXXXX.zz
Address: 10.222.249.210
Process parameters:
/opt/3rdparty/jdk_installed/jdk-11.0.2/bin/java -Dsserver -Djdk.serialFilter=* -Dfile.encoding=UTF8 -Djavax.net.ssl.trustStore=/opt/3rdparty/tomcat/conf/svrtrust -Djavax.net.ssl.trustStorePassword=XXXX -Djavax.net.ssl.keyStore=/opt/3rdparty/tomcat/conf/svrkeystore.jks
Below is the trace of the problem when establishing the LDAP connection:
java.lang.RuntimeException: connection to ldap server failed;url;ldaps://ad1.XXXXX.zz:636;authDN;sa_XXX@XXXXX.zz
javax.naming.CommunicationException: simple bind failed: ad1.XXXXX.zz:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
java.net.SocketException: Connection or outbound has closed
Trace for the thrown exceptions:
java.lang.RuntimeException: connection to ldap server failed;url;ldaps://ad1.XXXXX.zz:636;authDN;sa_XXX@XXXXX.zz
at auth.ldap.LdapConnection.testConnection(LdapConnection.java:46)
Caused by: javax.naming.CommunicationException: simple bind failed: ad1.XXXXX.zz:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at auth.ldap.LdapConnection.testConnection(LdapConnection.java:41)
... 3 more
Caused by: java.net.SocketException: Connection or outbound has closed
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 15 more
javax.naming.CommunicationException: simple bind failed: ad1.XXXXX.zz:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at auth.ldap.LdapConnection.testConnection(LdapConnection.java:41)
Caused by: java.net.SocketException: Connection or outbound has closed
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 15 more
java.net.SocketException: Connection or outbound has closed
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
at java.naming/javax.naming.InitialContext.<init>(InitialContext.java:208)
at java.naming/javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
at nims.auth.ldap.LdapConnection.testConnection(LdapConnection.java:41)
at auth.LdapAuthenticationService.doTestConnection(LdapAuthenticationService.java:50)
> Update with the following error:
$ openssl s_client -connect ad1.XXXXX-ru.zz:636
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:
   i:/DC=zz/DC=XXXXX-ru/CN=XXXXX-ru-ROOT-CA
Server certificate
-----BEGIN CERTIFICATE-----
MIIFfjCCBGagAwIBAgITLwAAAKgllUHEZUjzRwAAAAAAqDANBgkqhkiG9w0BA .....................
APpwNrloBJjZo2bJ7pqe4gXN
-----END CERTIFICATE-----
subject=
issuer=/DC=zz/DC=XXXXX-ru/CN=XXXXX-ru-ROOT-CA
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
SSL handshake has read 1980 bytes and written 441 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: C51900006745E495E1C8CA132C0EDF901C3638DE9E5EEA506551E298E2374372
    Session-ID-ctx:
    Master-Key: A8B4C4E2B01FE11822CE047D3B7D692EE1C001DA551DFE63FBC314737177BE7A285F79D6FF36B67D3E1AFF72C1402D2D
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1574232095
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
Please advise.
Thanks
Depending on the version of Java 8 you were using, this error can have several causes:
- Java 11 (and recent versions of Java 8) now enforce hostname verification when establishing an SSL connection. So the server's certificate must match the hostname you are trying to connect to.
- Java 11 also has newer cipher suites and TLS versions, and deprecates some old cipher suites. You may want to enable SSL debugging to see what is exchanged at the SSL layer.
- Finally, early releases of Java 11 had some issues with the TLS 1.3 cipher suites, so you may want to move to the latest update (11.0.5).
You can change default parameters such as the RSA key size by modifying the file java.security. However, note that there is a second file, java.config (on Linux: /etc/crypto-policies/back-ends/java.config), which overrides the parameters in java.security. This is controlled by a property in java.security:
security.useSystemPropertiesFile=true
So either change that property to false, or modify the parameters directly in java.config.
I was stuck on this for a long time!
Wrote a test script to connect to LDAP (with SSL logging enabled) on JDK 11:
/opt/soft/jdk_installed/jdk-11.0.2/bin/java -XX:+UseSerialGC -DLdapsConnect -Djavax.net.debug=all -Djavax.net.ssl.trustStore=/opt/soft/tomcat/conf/svrtrust -Djavax.net.ssl.trustStorePassword=hsqlIiza -Djavax.net.ssl.keyStore=/opt/soft/tomcat/conf/svrkeystore.jks -Djavax.net.ssl.keyStorePassword=hsqlIiza -classpath /tmp/ LdapsConnect $*
Found the following error in the SSL log:
javax.net.ssl|ERROR|1D|Thread-0|2020-01-22 10:55:21.632 CET|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): No subject alternative DNS name matching ad1.xxxx.zz found.
Conclusion/Solution: the LDAP certificate should be modified, as ad1.ngssm-ru.zz is missing from it.
Because Java 8u181 made the change below to LDAP support, the old approach is no longer allowed from Java 8u181 onward.
Java is trying to ensure that the hostname in your connection configuration matches the hostnames in the remote LDAPS TLS server certificate, and that those hostnames in the certificate are valid. The right fix for a secure connection is to have your LDAP server administrators correct the LDAP certificate the LDAP server is using, so that the improved endpoint identification algorithm works. This is there to protect us.
https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
Changes
core-libs/javax.naming
- Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable the endpoint identification algorithm.
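Added example, written for this thread and not the question's LdapsConnect script nor JDK code: a Java 11 diagnostic that performs the TLS handshake to the LDAPS port directly, first without and then with the "LDAPS" endpoint identification algorithm that JNDI enables for ldaps:// URLs, so the missing SAN entry behind "Connection or outbound has closed" is printed as a handshake failure without -Djavax.net.debug=all. It assumes the question's truststore arguments (-Djavax.net.ssl.trustStore=... on the command line); the class name LdapsEndpointCheck and the default host are mine.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LdapsEndpointCheck {
    // Handshakes with host:port and returns the server chain. algorithm == null:
    // no hostname check (chain still validated against the truststore);
    // "LDAPS": the endpoint identification JNDI applies to ldaps:// URLs.
    static X509Certificate[] handshake(String host, int port, String algorithm) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // createSocket(host, port) records host as the peer name compared with the certificate
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm(algorithm);
            socket.setSSLParameters(params);
            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate[] x509 = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) x509[i] = (X509Certificate) chain[i];
            return x509;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ad1.XXXXX.zz"; // the alias from the question
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        // Pass 1: list the names the certificate really covers. An alias that resolves
        // in DNS is still rejected unless it appears here as a dNSName entry.
        X509Certificate leaf = handshake(host, port, null)[0];
        System.out.println("subject: " + leaf.getSubjectX500Principal());
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            System.out.println("no subjectAltName extension");
        } else {
            for (List<?> san : sans) { // tag 2 = dNSName, 7 = iPAddress (RFC 5280)
                System.out.println("SAN tag " + san.get(0) + ": " + san.get(1));
            }
        }

        // Pass 2: the check JNDI performs; the message names the host that no SAN matched.
        try {
            handshake(host, port, "LDAPS");
            System.out.println("endpoint identification OK for " + host);
        } catch (SSLHandshakeException e) {
            System.out.println("endpoint identification FAILED for " + host + ": " + e.getMessage());
        }
    }
}
```

If pass 1 already fails, the chain itself is not trusted (the openssl "verify return code: 21" case) and the truststore, not the SAN list, is the first thing to fix.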