SSLHandshakeException: No subject alternative names matching IP address found

阿新 • • 發佈：2019-02-04

一、異常日誌

javax.net.ssl.SSLHandshakeException:
    Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 110.75.244.16 found
        at sun.security.util.HostnameChecker.matchIP(Unknown Source)
	at sun.security.util.HostnameChecker.match(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
	... 12 more

二、異常程式碼

public class SslHandshakeExc_NsanMatchingIp{
	
	public static void main(String[] args) throws Exception {

		URL url = new URL("https://110.75.244.16/gateway.do"); // openapi.alipay.com

		HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

		conn.connect();

		InputStream is = conn.getInputStream();
		BufferedReader br = new BufferedReader(new InputStreamReader(is));

		String line;
		while ((line = br.readLine()) != null) {
			System.out.println(line);
		}

		br.close();
		is.close();

	}
	
}

三、處理方案

public class SslHandshakeExc_NsanMatchingIp{
	
	public static void main(String[] args) throws Exception {

		URL url = new URL("https://110.75.244.16/gateway.do"); // openapi.alipay.com

		HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

		// 新增部分
		conn.setHostnameVerifier(new SslHandshakeExc_NsanMatchingIp().new TrustAnyHostnameVerifier());

		conn.connect();

		InputStream is = conn.getInputStream();
		BufferedReader br = new BufferedReader(new InputStreamReader(is));

		String line;
		while ((line = br.readLine()) != null) {
			System.out.println(line);
		}

		br.close();
		is.close();

	}

	// 定製Verifier
	public class TrustAnyHostnameVerifier implements HostnameVerifier {
		public boolean verify(String hostname, SSLSession session) {
			return true;
		}
	}
	
}

四、補充說明

在建立 SSL 連線時，HttpsClient 步驟並進行基本的伺服器身份驗證，以防止 URL 欺騙，其中包括驗證伺服器的名稱是否在證書中
HttpsClient 主要使用 HostNameChecker 檢查主機名和證書中指定的名稱。如果失敗了，HostNameVerifier 就會出現，它被用來驗證主機名
在 HostNameVerifier 沒有被重寫時，預設是這個驗證是錯誤的，也就意味著 HostNameChecker 失敗後就會丟擲這個異常
HostNameChecker 在實現上，如果傳入的主機名是 IP 地址，將由 matchIP 方法在可用的條目中搜索IP地址對應的名稱，同時在沒有條目可以提供和IP地址匹配的名稱時丟擲 CertificateException 異常
所以，如果想通過使用 IP 作為主機名連線，證書中應該包含名稱和與其匹配的 IP 地址這個條目

SSLHandshakeException: No subject alternative names matching IP address found

SSLHandshakeException: No subject alternative names matching IP address found

“No subject alternative names present” 異常解決

Genymotion-The virtual device got no ip address(改了IP也沒用可參考我的方案)

啟動Genymotion模擬器時，顯示The virtual device got no IP address

Determining if ip address is already in use for device eth0

IP address and subnet mask address

Warning: Permanently added the RSA host key for IP address '52.74.223.119' to the list of known hosts.

auto drop ssh failed ip address

dubbo could not get local host ip address will use 127.0.0.1 instead 異常處理

關於在地址池下綁定IP時報錯The IP address‘s status is error解決方法

Linux下network提示Determining if ip address

Permanently added the RSA host key for IP address '192.30.253.113' to the list of known hosts.

LeetCode-468. Validate IP Address

spring mvc No matching handler method found for servlet request:

vmware+centos set static ip address

IP address prefixes

在windows下執行docker的問題【Error getting IP address: ***】

[LeetCode] Validate IP Address

Java呼叫ssl異常，javax.net.ssl.SSLHandshakeException: No appropriate protocol

Oracle 安裝報錯 [INS-06101] IP address of localhost could not be determined 解決方法

SSLHandshakeException: No subject alternative names matching IP address found

相關推薦