0

我有一个 grails 应用程序,它尝试使用 OpenID4Java 向我们自己的 OpenID 提供程序进行身份验证。

我们的提供商提供的证书来自 RapidSSL,已由 GeoTrust Global 签署。

浏览器自动接受证书。

我在 Mac 上尝试将 GeoTrustGlobalCA 添加到 cacerts 中,/Library/Java/Home/lib/security/cacerts结果提示Certificate already exists in keystore under alias <keychainrootca-132>我再次添加它。

在 STS 中启动 grails-Djavax.net.debug=ssl run-app -https

我可以在输出中找到以下内容;

adding as trusted cert:
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x23456
  Valid from Tue May 21 14:00:00 EST 2002 until Sat May 21 14:00:00 EST 2022

adding as trusted cert:
  Subject: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Issuer:  CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x18acb56afd69b6153a636cafdafac4a1
  Valid from Mon Nov 27 11:00:00 EST 2006 until Thu Jul 17 09:59:59 EST 2036

但是,尝试从应用程序访问服务会导致;

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
  at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
  at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
  at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
  at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
  at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
  at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
  at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
  at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
  at org.openid4java.util.HttpCache.head(HttpCache.java:335)
  at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:400)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:248)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
  at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
  at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
  at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
  at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
  at org.openid4java.consumer.ConsumerManager$discover.call(Unknown Source)
4

2 回答 2

0

我通过绕过证书检查解决了这个问题。当你新建一个 ConsumerManager 对象时,不要使用默认的 Constructor。示例代码在这里:

private ConsumerManager getFreeHttpsManager() throws NoSuchAlgorithmException, KeyManagementException {
    //ignore all
    TrustManager trm = new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public void checkClientTrusted(X509Certificate[] certs, String authType) {

        }

        public void checkServerTrusted(X509Certificate[] certs, String authType) {
        }
    };

    SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(null, new TrustManager[]{trm}, null);
    //  HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    X509HostnameVerifier verifier = new X509HostnameVerifier() {

        @Override
        public void verify(String string, SSLSocket ssls) throws IOException {
        }

        @Override
        public void verify(String string, X509Certificate xc) throws SSLException {
        }

        @Override
        public void verify(String string, String[] strings, String[] strings1) throws SSLException {
        }

        @Override
        public boolean verify(String string, SSLSession ssls) {
            return true;
        }
    };
    Discovery discovery = new Discovery();
    discovery.setYadisResolver(new YadisResolver(new HttpFetcherFactory(sc, verifier)));
    return new ConsumerManager(
            new RealmVerifierFactory(new YadisResolver(new HttpFetcherFactory(sc, verifier))),
            discovery,  // uses HttpCache internally
            new HttpFetcherFactory(sc, verifier));
}
于 2014-01-23T02:26:11.207 回答
0

我们通过附加的 Apache 指令解决了这个问题

SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

由于我们的发行人是谁,我们似乎需要一个中间 CA 条目。

于 2012-05-16T00:17:41.153 回答