BlogJava-David.Turing's Security Blog-随笔分类-Security异常问题http://www.blogjava.net/security/category/8306.htmlJava Security, CAPICOM, CryptoAPI/CSP, BouncyCastle, Openssl, JCE/JCA, SSO, CAS, Tivoli, CA, PKI <br> <font color="#00f100">本站内容只兼容IE浏览器</font> <br> <font color="#00f100">重要的文章包均含本人的PGP签名,本人愿意对自己的言论负责</font> <br>zh-cnTue, 27 Feb 2007 13:52:38 GMTTue, 27 Feb 2007 13:52:38 GMT60Tomcat/Weblogic在SSL握手中,IE提交证书窗口为空的问题http://www.blogjava.net/security/archive/2006/09/27/ssl_cacerts_no_certificate.htmldavid.turingdavid.turingWed, 27 Sep 2006 03:38:00 GMThttp://www.blogjava.net/security/archive/2006/09/27/ssl_cacerts_no_certificate.htmlhttp://www.blogjava.net/security/comments/72258.htmlhttp://www.blogjava.net/security/archive/2006/09/27/ssl_cacerts_no_certificate.html#Feedback0http://www.blogjava.net/security/comments/commentRss/72258.htmlhttp://www.blogjava.net/security/services/trackbacks/72258.html访问https://yourmachine:8843/webapp的时候,客户端提交了空的证书窗口,如下图所示
no_certificate_for_ssl.gif

如果使用的是Tomcat,则需要检查JDK/Jre/lib/security下的cacerts是否包含了客户端用户
的Key所对应的CA证书,如果没有,则客户端出现上述窗口,因为,服务器端不
会不信任为客户端的Private Key所签名的ca证书!

如果使用Weblogic,需要要区分Use Custom Indentity和Use Java Keystore两种方式,
前者,往Weblogic的JKS导入客户端PK所对应的CA证书(链),后者,检查
Jre/lib/security的cacerts,做法跟上面一样。

david.turing 2006-09-27 11:38 发表评论
]]>发现GDCA USBKey(电子钥匙)的CSP数字签名实现存在缺陷http://www.blogjava.net/security/archive/2006/09/26/gdca_signature_problem.htmldavid.turingdavid.turingTue, 26 Sep 2006 09:33:00 GMThttp://www.blogjava.net/security/archive/2006/09/26/gdca_signature_problem.htmlhttp://www.blogjava.net/security/comments/72073.htmlhttp://www.blogjava.net/security/archive/2006/09/26/gdca_signature_problem.html#Feedback4http://www.blogjava.net/security/comments/commentRss/72073.htmlhttp://www.blogjava.net/security/services/trackbacks/72073.html阅读全文

david.turing 2006-09-26 17:33 发表评论
]]>Yale CAS异常问题总结(2)Unable to validate ProxyTicketValidator之unable to find valid certification path to requested targethttp://www.blogjava.net/security/archive/2006/09/06/ProxyTicketValidator_unable_to_find_valid_certification_path_to_requested_target.htmldavid.turingdavid.turingWed, 06 Sep 2006 01:08:00 GMThttp://www.blogjava.net/security/archive/2006/09/06/ProxyTicketValidator_unable_to_find_valid_certification_path_to_requested_target.htmlhttp://www.blogjava.net/security/comments/67944.htmlhttp://www.blogjava.net/security/archive/2006/09/06/ProxyTicketValidator_unable_to_find_valid_certification_path_to_requested_target.html#Feedback2http://www.blogjava.net/security/comments/commentRss/67944.htmlhttp://www.blogjava.net/security/services/trackbacks/67944.htmlunable to find valid certification path to requested target  阅读全文

david.turing 2006-09-06 09:08 发表评论
]]>Yale CAS异常问题总结(1)Unable to validate ProxyTicketValidator之HTTPS hostname wrong: should be.....http://www.blogjava.net/security/archive/2006/09/05/Yale_CAS_ProxyTicketValidator_Exception_Solutions_HTTPS_hostname_wrong.htmldavid.turingdavid.turingTue, 05 Sep 2006 10:20:00 GMThttp://www.blogjava.net/security/archive/2006/09/05/Yale_CAS_ProxyTicketValidator_Exception_Solutions_HTTPS_hostname_wrong.htmlhttp://www.blogjava.net/security/comments/67865.htmlhttp://www.blogjava.net/security/archive/2006/09/05/Yale_CAS_ProxyTicketValidator_Exception_Solutions_HTTPS_hostname_wrong.html#Feedback0http://www.blogjava.net/security/comments/commentRss/67865.htmlhttp://www.blogjava.net/security/services/trackbacks/67865.html 严重: edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator prox
yList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRv
MD3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]

这个CAS异常是从CAS Client里面抛出,是当我们不使用证书的CN去访问域名的时候(比如下文是用IP访问而且证书的CN是该IP对应的域名而非该IP),CASClient无法信任,因为你证书的CN命名写着abc.com,192.168.1.111这个IP是无法被CAS Client识别。

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList = [ null ] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl = [https: // 192.168.1.111:8443/cas/proxyValidate] ticket=[ST-0-9h7Mx5HK3pfsdxRvMD3y] service=[http%3A%2F%2F192.168.1.222%3A8080%2Fservlets-examples%2Fservlet%2FHelloWorldExample] renew=false]]]
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 52 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java: 455 )
    at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java: 378 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java: 202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java: 173 )
    at filters.ExampleFilter.doFilter(ExampleFilter.java: 101 )
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java: 202 )
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java: 173 )
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java: 213 )
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java: 178 )
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java: 432 )
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java: 126 )
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java: 105 )
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java: 107 )
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java: 148 )
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java: 869 )
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java: 664 )
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java: 527 )
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java: 80 )
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java: 684 )
    at java.lang.Thread.run(Thread.java: 595 )
Caused by: java.io.IOException: HTTPS hostname wrong:  should be  < 192.168 . 1.111 >
    at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java: 493 )
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java: 418 )
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java: 170 )
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java: 905 )
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java: 234 )
    at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java: 84 )
    at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java: 212 )
    at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java: 50 )

解决办法:
用域名访问,域名就是证书的CN。

david.turing 2006-09-05 18:20 发表评论
]]>Certificate chain received from 客户端- 192.168.10.10 was not trusted causing SSL handshake failurehttp://www.blogjava.net/security/archive/2006/07/13/Certificate_chain_received_not_trusted.htmldavid.turingdavid.turingThu, 13 Jul 2006 09:48:00 GMThttp://www.blogjava.net/security/archive/2006/07/13/Certificate_chain_received_not_trusted.htmlhttp://www.blogjava.net/security/comments/58032.htmlhttp://www.blogjava.net/security/archive/2006/07/13/Certificate_chain_received_not_trusted.html#Feedback1http://www.blogjava.net/security/comments/commentRss/58032.htmlhttp://www.blogjava.net/security/services/trackbacks/58032.html以Tomcat为例,你需要在conf/server.xml中指定你的keystore并且配置好KeyAlias,
同时,Tomcat会到JAVA_HOME/jre/lib/security目录下读取cacerts文件。
在Weblogic中,你也需要配置Trust.jks和Identity.jks(可以参考WebLoigc Security In Action)。

问题是,IE究竟根据什么来提交证书(包含私钥的证书)?
很简单,服务器提交他的证书到客户端,客户端会根据服务器的证书的DN,检索本地私钥,
选择那些由此DN签发证书X,然后确定使用X对应的本地私钥,用于SSL握手。
cacerts是JDK容器信任的证书列表,如果cacerts中没有包含客户端私钥对应的证书链中的
信任证书,则服务器会拒绝任何从客户端的SSL请求。
典型的Weblogic日志就是:
<Certificate chain received from 客户端- 192.168.10.10 was not trusted causing SSL handshake failure.>



david.turing 2006-07-13 17:48 发表评论
]]>Unexpected Signal : EXCEPTION_ACCESS_VIOLATIONhttp://www.blogjava.net/security/archive/2006/06/30/56000.htmldavid.turingdavid.turingFri, 30 Jun 2006 09:19:00 GMThttp://www.blogjava.net/security/archive/2006/06/30/56000.htmlhttp://www.blogjava.net/security/comments/56000.htmlhttp://www.blogjava.net/security/archive/2006/06/30/56000.html#Feedback1http://www.blogjava.net/security/comments/commentRss/56000.htmlhttp://www.blogjava.net/security/services/trackbacks/56000.htmlUnexpected Signal : EXCEPTION_ACCESS_VIOLATION occurred at PC=0x6D3B0C4E
Function=[Unknown.]
Library=C:\j2sdk1.4.1_02\jre\bin\client\jvm.dll

NOTE: We are unable to locate the function name symbol for the error
      just occurred. Please refer to release documentation for possible
      reason and solutions.


Current Java thread:
 at jni.JNIInterface.getPrivateKeyAlias(Native Method)
 at jni.JNIInterface.getRSAPrivateKey(JNIInterface.java:478)
 at jni.ReadCertificates.main(ReadCertificates.java:37)

Dynamic libraries:
0x00400000 - 0x00407000  C:\j2sdk1.4.1_02\bin\javaw.exe
0x77F80000 - 0x77FFC000  C:\WINNT\system32\ntdll.dll
0x796D0000 - 0x79735000  C:\WINNT\system32\ADVAPI32.dll
0x77E60000 - 0x77F32000  C:\WINNT\system32\KERNEL32.dll
0x786F0000 - 0x7875F000  C:\WINNT\system32\RPCRT4.dll
0x77DF0000 - 0x77E59000  C:\WINNT\system32\USER32.dll
0x77F40000 - 0x77F7C000  C:\WINNT\system32\GDI32.dll
0x78000000 - 0x78045000  C:\WINNT\system32\MSVCRT.dll
0x75E00000 - 0x75E1A000  C:\WINNT\system32\IMM32.DLL
0x6C330000 - 0x6C338000  C:\WINNT\system32\LPK.DLL
0x65D20000 - 0x65D74000  C:\WINNT\system32\USP10.dll
0x10000000 - 0x1000D000  C:\WINNT\system32\OCMAPIHK.DLL
0x6D340000 - 0x6D46A000  C:\j2sdk1.4.1_02\jre\bin\client\jvm.dll
0x77530000 - 0x77560000  C:\WINNT\system32\WINMM.dll
0x6D1E0000 - 0x6D1E7000  C:\j2sdk1.4.1_02\jre\bin\hpi.dll
0x6D310000 - 0x6D31E000  C:\j2sdk1.4.1_02\jre\bin\verify.dll
0x6D220000 - 0x6D239000  C:\j2sdk1.4.1_02\jre\bin\java.dll
0x6D330000 - 0x6D33D000  C:\j2sdk1.4.1_02\jre\bin\zip.dll
0x0AC90000 - 0x0ACA0000  D:\JavaSource\SecureX\jnicert.dll
0x768D0000 - 0x768FB000  C:\WINNT\system32\WINTRUST.dll
0x79C40000 - 0x79CCC000  C:\WINNT\system32\CRYPT32.dll
0x773F0000 - 0x77401000  C:\WINNT\system32\MSASN1.dll
0x77900000 - 0x77923000  C:\WINNT\system32\IMAGEHLP.dll
0x7CF00000 - 0x7CFEF000  C:\WINNT\system32\ole32.dll
0x7CEA0000 - 0x7CEF3000  C:\WINNT\system32\NETAPI32.dll
0x77960000 - 0x77984000  C:\WINNT\system32\DNSAPI.dll
0x74FD0000 - 0x74FDA000  C:\WINNT\system32\WSOCK32.dll
0x74FB0000 - 0x74FC4000  C:\WINNT\system32\WS2_32.DLL
0x74FA0000 - 0x74FA8000  C:\WINNT\system32\WS2HELP.DLL
0x75150000 - 0x75156000  C:\WINNT\system32\NETRAP.dll
0x77BD0000 - 0x77BE1000  C:\WINNT\system32\NTDSAPI.dll
0x77930000 - 0x7795B000  C:\WINNT\system32\WLDAP32.DLL
0x797B0000 - 0x797BF000  C:\WINNT\system32\SECUR32.DLL
0x750E0000 - 0x750F0000  C:\WINNT\system32\SAMLIB.dll
0x79C00000 - 0x79C13000  C:\WINNT\system32\cryptnet.dll
0x687E0000 - 0x687EB000  C:\WINNT\system32\PSAPI.DLL
0x75A50000 - 0x75A55000  C:\WINNT\system32\SensApi.dll
0x772A0000 - 0x77306000  C:\WINNT\system32\SHLWAPI.dll
0x794D0000 - 0x79534000  C:\WINNT\system32\USERENV.dll
0x4FF90000 - 0x4FFE4000  C:\WINNT\system32\WINHTTP.dll
0x758E0000 - 0x7594F000  C:\WINNT\system32\cryptui.dll
0x71710000 - 0x71794000  C:\WINNT\system32\COMCTL32.dll
0x63000000 - 0x63095000  C:\WINNT\system32\wininet.dll
0x77990000 - 0x77A2B000  C:\WINNT\system32\OLEAUT32.dll
0x7CA00000 - 0x7CA23000  C:\WINNT\system32\rsaenh.dll
0x72960000 - 0x7298D000  C:\WINNT\system32\DBGHELP.dll

Local Time = Fri Jun 30 17:17:50 2006
Elapsed Time = 5
#
# HotSpot Virtual Machine Error : EXCEPTION_ACCESS_VIOLATION
# Error ID : 4F530E43505002E6
# Please report this error at
# http://java.sun.com/cgi-bin/bugreport.cgi
#
# Java VM: Java HotSpot(TM) Client VM (1.4.1_02-b06 mixed mode)
#
# An error report file has been saved as hs_err_pid2024.log.
# Please refer to the file for further information.
#


It happens when I want to call the CryptoAPI through JNI, Can anyone give some advice?



david.turing 2006-06-30 17:19 发表评论
]]>javax.security.auth.login.LoginException:没有为 XXX 配置LoginModules http://www.blogjava.net/security/archive/2006/03/20/36216.htmldavid.turingdavid.turingMon, 20 Mar 2006 02:17:00 GMThttp://www.blogjava.net/security/archive/2006/03/20/36216.htmlhttp://www.blogjava.net/security/comments/36216.htmlhttp://www.blogjava.net/security/archive/2006/03/20/36216.html#Feedback4http://www.blogjava.net/security/comments/commentRss/36216.htmlhttp://www.blogjava.net/security/services/trackbacks/36216.html阅读全文

david.turing 2006-03-20 10:17 发表评论
]]>javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate foundhttp://www.blogjava.net/security/archive/2006/03/14/35288.htmldavid.turingdavid.turingTue, 14 Mar 2006 12:29:00 GMThttp://www.blogjava.net/security/archive/2006/03/14/35288.htmlhttp://www.blogjava.net/security/comments/35288.htmlhttp://www.blogjava.net/security/archive/2006/03/14/35288.html#Feedback30http://www.blogjava.net/security/comments/commentRss/35288.htmlhttp://www.blogjava.net/security/services/trackbacks/35288.htmljavax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

这个是因为你没有装好TrustCerts,如果你是用Tomcat,请务必检查Tomcat使用的JDK下的JRE(jre/lib/security/cacerts)中,是否已经安装了包含你所需的信任证书,如果没有,请Import,Keytool -import的命令,很简单的,如果你用的是Weblogic,你看看Weblogic Console的Keystore配置,有两项,你关注的应该是TrustKeystore的属性,里面默认的信任证书都是老外的那些,往里面Import你的证书就ok了。

david.turing 2006-03-14 20:29 发表评论
]]>