SSL Troubleshooting and Reference Guide - CAS User Manual - Apereo Wiki

Tags: | Published: 2017-12-21 16:59 | Author:
Source: https://wiki.jasig.org

Troubleshooting SSL Errors

This section contains the most often-cited SSL errors reported by the CAS server and CAS clients in typical CAS integration scenarios.

PKIX path building failed

PKIX Example Stack Trace
Sep 28 2009 4:13:26 PM org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator retrieveResponseFromServer
SEVERE: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
       at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
       at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:35)
       at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
       at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

PKIX path building errors are by far the most common SSL errors reported on the cas-user@lists.jasig.org mailing list. The problem here is that the CAS client does not trust the certificate presented by the CAS server; most often this occurs because of using a self-signed certificate on the CAS server. To resolve this error, import the CAS server certificate into the system truststore of the CAS client. If the certificate is issued by your own PKI, it is better to import the root certificate of your PKI into the CAS client truststore. See Import Trusted Certificate for examples of importing a trusted certificate into a Java truststore.

If you have multiple Java editions installed on your machine, make sure that your app/web server is pointing to the correct JDK/JRE version (the one into which the certificate has been imported). One common mistake when generating self-signed certificates is that JAVA_HOME differs from the Java installation actually used by the server (especially if it is run within an IDE such as Eclipse or WebSphere).

No subject alternative names present

Sample Alt Name Stack Trace
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

In most cases this is a hostname/SSL certificate CN mismatch. This commonly happens when a self-signed certificate issued to localhost is placed on a machine that is accessed by IP address. It should be noted that generating a certificate with an IP address for a common name, e.g. CN=192.168.1.1,OU=Middleware,dc=vt,dc=edu, will not work in most cases where the client making the connection is Java. For example the Java CAS client will throw SSL errors on connecting to a CAS server secured with a certificate containing an IP address in the CN.

HTTPS hostname wrong

Sample Wrong Host Name Stack Trace
java.lang.RuntimeException: java.io.IOException: HTTPS hostname wrong:  should be <eiger.iad.vt.edu>
     org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
     org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:185)
     org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
     org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)

The above error occurs most commonly when the CAS client ticket validator attempts to contact the CAS server and is presented a certificate whose CN does not match the fully-qualified host name of the CAS server. There are a few common root causes of this mismatch:

  • CAS client misconfiguration (usually a bad serverName init param)
  • Complex multi-tier server environment (e.g. clustered CAS server)
  • Host name too broad for scope of wildcard certificate

It is also worth checking that the certificate your CAS server is using for SSL matches the one the client is checking against. For example, suppose your CAS server's ticket validator URL is https://subdomain.correctdomain.com/<something> but you have accidentally configured Tomcat to use the certificate for *.wrongdomain.com in its SSL connector. The browser will show a bad certificate warning on the login page to hint at the problem, but you ignore that warning (because you are using self-signed certificates during development) and continue. Ticket validation will then fail with "java.security.cert.CertificateException: No name matching subdomain.correctdomain.com found" because the certificate the CAS server is presenting is for *.wrongdomain.com. The CAS client looks for the *.wrongdomain.com certificate in cacerts and then tries to find a matching CN or subject alternative name within that certificate. It will completely ignore the beautifully crafted *.correctdomain.com certificate you carefully imported into cacerts.

Wildcard Certificates

JSSE support for wildcard certificates is limited to hosts strictly in the same domain as the wildcard. For example, a certificate with CN=*.vt.edu matches hosts a.vt.edu and b.vt.edu, but not a.b.vt.edu.
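The three name-mismatch errors above (no subject alternative names, HTTPS hostname wrong, and the wildcard scope rule) all come from the same hostname check a Java client performs. The following is an added example, not code from the CAS project or the wiki, that models those rules in plain Python: an IP literal is matched only against iPAddress SANs (so an IP in the CN never matches), DNS names are matched against dNSName SANs first with the CN consulted only when no dNSName entries exist, and a wildcard covers exactly one leftmost label. The certificate is represented by its subject DN string and its SAN lists rather than parsed from a real file; the reason strings reuse the two Java messages quoted on this page where they apply, and the remaining reasons are this example's own wording.

```python
"""Hostname-vs-certificate matching following the JSSE rules described on the
page (added example; not CAS project code). The certificate is represented by
its subject DN and its subject alternative names; no real parsing is done."""
import ipaddress


def parse_cn(subject_dn):
    """Return the CN attribute of a DN such as
    'CN=192.168.1.1,OU=Middleware,dc=vt,dc=edu', or None if absent.
    Escaped commas inside attribute values are not handled (kept simple)."""
    for rdn in subject_dn.split(","):
        rdn = rdn.strip()
        if rdn[:3].upper() == "CN=":
            return rdn[3:].strip()
    return None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, host):
    """JSSE-style wildcard matching: '*' is honoured only as the whole leftmost
    label and covers exactly one label, so '*.vt.edu' matches 'a.vt.edu' but
    neither 'a.b.vt.edu' nor 'vt.edu'. Comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False                      # only a leading '*.' is supported
    suffix = pattern[1:]                  # e.g. '.vt.edu'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # the part the '*' stands for
    return leftmost != "" and "." not in leftmost


def hostname_matches(host, subject_dn, san_dns=(), san_ip=()):
    """Return (ok, reason). san_ip is assumed to hold valid IP address strings."""
    if _is_ip_literal(host):
        # An IP literal is matched only against iPAddress SAN entries; the CN
        # is never consulted, which is why CN=192.168.1.1 fails in Java.
        if not san_dns and not san_ip:
            return False, "No subject alternative names present"
        wanted = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(ip) == wanted for ip in san_ip):
            return True, "matched iPAddress subject alternative name"
        return False, "No subject alternative names matching IP address %s found" % host
    # A DNS host name is checked against dNSName SANs first; the CN is only a
    # fallback when the certificate carries no dNSName entries at all.
    if san_dns:
        for name in san_dns:
            if dns_name_matches(name, host):
                return True, "matched dNSName subject alternative name %s" % name
        return False, "No subject alternative DNS name matching %s found" % host
    cn = parse_cn(subject_dn)
    if cn is not None and dns_name_matches(cn, host):
        return True, "matched CN=%s" % cn
    return False, "No name matching %s found" % host


if __name__ == "__main__":
    # Constructed cases mirroring the errors discussed on the page.
    for host, dn in [("a.b.vt.edu", "CN=*.vt.edu,O=VT"),
                     ("192.168.1.1", "CN=192.168.1.1,OU=Middleware,dc=vt,dc=edu"),
                     ("subdomain.correctdomain.com", "CN=*.wrongdomain.com")]:
        print(host, "->", hostname_matches(host, dn))
```

Running the module prints the three page scenarios; the wrong-domain case yields the exact "No name matching subdomain.correctdomain.com found" message the page quotes, and the IP-in-CN case yields "No subject alternative names present".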

unrecognized_name Error

JDK unrecognized_name SSL error
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name


The above error occurs mainly in Oracle JDK 7 CAS server installations. In JDK 7, SNI (Server Name Indication) is enabled by default. When the HTTPD server does not send back the correct server name, the JDK HTTP connection refuses to connect and the exception above is thrown.

To fix the issue, you must ensure your HTTPD server sends back the correct hostname. For example, in Apache HTTPD, set the ServerAlias in the SSL vhost:

Apache HTTPD ServerAlias to fix SNI error
ServerName your.ssl-server.name
ServerAlias your.ssl-server.name


Alternatively, you can disable SNI in JDK 7 by adding this flag to the Java options of your CAS server's application server configuration:

Disable SNI in JDK7
-Djsse.enableSNIExtension=false


Keystore/TrustStore Reference

Import Trusted Certificate

By default the Java system truststore is at $JAVA_HOME/jre/lib/security/cacerts. The certificate to be imported MUST be a DER-encoded file. If the contents of the certificate file are binary, it is likely DER-encoded; if the file begins with the text -----BEGIN CERTIFICATE-----, it is PEM-encoded and needs to be converted to DER encoding. The following example demonstrates a conversion command using OpenSSL.

Convert PEM-encoded Cert to DER Encoding
openssl x509 -in etc/pki/incommon-root-cert.pem -out tmp/incommon-root-cert.der -outform DER
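The PEM-versus-DER rule above (binary means DER, a -----BEGIN CERTIFICATE----- marker means PEM) can be applied programmatically, since a PEM body is just the base64 of the DER bytes between the markers. The following is an added example, not part of the wiki page or the CAS project, that detects the encoding, converts PEM to DER using only the Python standard library, and checks that the decoded bytes form a complete ASN.1 SEQUENCE so a truncated or padded file is rejected before it reaches keytool. The sample input is a constructed DER SEQUENCE of two INTEGERs, not a real certificate.

```python
"""Detect PEM vs DER certificate files and convert PEM to DER (added example,
not CAS project code). Only the standard library is used."""
import base64
import re

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def detect_encoding(data):
    """'PEM' if the file starts with a -----BEGIN marker, 'DER' if it starts
    with the ASN.1 SEQUENCE tag (0x30) that every X.509 certificate begins
    with, otherwise 'UNKNOWN'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def der_outer_length_ok(der):
    """Check that the outer SEQUENCE's declared length spans exactly the
    buffer; this catches truncated files and trailing junk."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                          # short form: one length byte
        body_len, header_len = first, 2
    else:                                     # long form: N length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body_len = int.from_bytes(der[2:2 + n], "big")
        header_len = 2 + n
    return header_len + body_len == len(der)


def pem_to_der(data):
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    match = _PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    b64 = b"".join(match.group(1).split())    # drop the 64-column line breaks
    der = base64.b64decode(b64, validate=True)
    if not der_outer_length_ok(der):
        raise ValueError("decoded PEM body is not a well-formed DER SEQUENCE")
    return der


def to_der(data):
    """Return DER bytes ready for keytool, whatever the input encoding was."""
    encoding = detect_encoding(data)
    if encoding == "PEM":
        return pem_to_der(data)
    if encoding == "DER" and der_outer_length_ok(data):
        return data
    raise ValueError("input is neither PEM nor well-formed DER")


def der_to_pem(der):
    """Wrap DER bytes as PEM with the usual 64-character lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


# Constructed stand-in for a certificate: a DER SEQUENCE of two INTEGERs.
# It exercises the encoding logic only; it is not a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    import sys
    # Usage: python pem2der.py incommon-root-cert.pem > incommon-root-cert.der
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sys.stdout.buffer.write(to_der(f.read()))
```

Run with a PEM or DER file as the argument and redirect stdout to the .der file you then pass to keytool -file; unlike the openssl command, it also refuses input whose outer SEQUENCE length does not match the file size.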

Once the certificate file is properly in the DER-encoded format, it may be imported using the keytool command.

Keytool Import Command
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file tmp/incommon-root-cert.der -alias incommon

List Trusted Certificates

keytool -v -list -keystore $JAVA_HOME/jre/lib/security/cacerts

Alternatives to Sun keytool Utility

  • Portecle is a Java GUI tool that can handle all the keystore and certificate formats I've ever encountered. Very easy to use and recommended if you are uncomfortable with CLI tools.
  • keystore is a CLI tool that has a couple of notable improvements on keytool:
    • Support for both PEM and DER-encoded files.
    • You can import a certificate/key pair directly into a keystore. (With keytool, keys never leave the keystore; you generate them, then a corresponding CSR, then import the matching certificate once it is issued.)

When All Else Fails

If you have read, understood, and tried all the troubleshooting tips on this page and continue to have problems, please perform an SSL trace and attach it to a posting to the cas-user@lists.jasig.org mailing list. An SSL trace is written to STDOUT when the system property javax.net.debug=ssl is set. An example follows of how to do this in the Tomcat servlet container.

Sample setenv.sh Tomcat Script
# Uncomment the next 4 lines for a custom SSL keystore
# used by all deployed applications
#KEYSTORE="$HOME/path/to/custom.keystore"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStore=$KEYSTORE"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStoreType=BKS"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"

# Uncomment the next 4 lines to allow a custom SSL trust store
# used by all deployed applications
#TRUSTSTORE="$HOME/path/to/custom.truststore"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStore=$TRUSTSTORE"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStoreType=BKS"
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"

# Uncomment the next line to print SSL debug trace in catalina.out
#CATALINA_OPTS="$CATALINA_OPTS -Djavax.net.debug=ssl"

export CATALINA_OPTS

OK,我恶毒的心灵又开始蠢蠢欲动了. 今天带给大家的是SSL窃听攻击从理论到实际操作的成功例子. SSL窃听最主要的是你要有一张合法的SSL证书,并且证书名称必须和被攻击的网站域名一致. 目前各大CA都有很低廉价格的SSL证书申请,最低的价格只需要10美元不到,甚至还有一些域名注册商大批量采购这些证书,并且在你注册域名的时候免费送你一张.