Monday, October 8, 2018

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address XXXXX found

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address XXXXX found
at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[na:1.8.0_51]
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) ~[na:1.8.0_51]

# vim LDAPConnTest.java

import java.io.File;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;

// username, password and binaryAttributes stand in for the <username>, <Password> and <attributes> placeholders
Hashtable<String, Object> objEnvironment = new Hashtable<String, Object>(11);
objEnvironment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
objEnvironment.put(Context.PROVIDER_URL, "LDAPS://domain:636"); // the host part of this URL is what endpoint identification compares with the server certificate
objEnvironment.put(Context.SECURITY_AUTHENTICATION, "simple");
objEnvironment.put(Context.SECURITY_PRINCIPAL, username);       // <username>: bind DN or UPN
objEnvironment.put(Context.SECURITY_CREDENTIALS, password);     // <Password>
objEnvironment.put("java.naming.ldap.attributes.binary", binaryAttributes); // <attributes>: space-separated attribute names returned as byte[]
System.setProperty("javax.net.ssl.trustStore", "certificates".concat(File.separator).concat("cacerts")); // must be set before the first TLS handshake
this.objLDAPContext = new InitialLdapContext(objEnvironment, null); // the TLS handshake happens here, so this is where the CertificateException is thrown

# java -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true main

Note: Do not use the -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true option on a production server. It switches off the hostname check, so the client will accept a certificate issued for any name and loses its protection against a man-in-the-middle presenting a different trusted certificate.

Improve LDAP support: Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms. The proper fix is to make the names match: connect using a DNS name that is listed in the server certificate's subject alternative names, or reissue the certificate with the host name (or IP address) the client actually uses.
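As an added example (not code from this blog post or from the JDK), the class below shows the diagnostic a practitioner wants before touching the property: it performs only the TLS handshake against the directory server, lists the DNS and IP entries of the presented certificate's subjectAltName extension, checks whether the intended host name is among them, and only then opens the JNDI context with endpoint identification left enabled. The host ldap.example.com, the port 636, the bind DN, the password and the trust store path are placeholders; the SAN match is a deliberately simplified version of the JDK's check (exact DNS name or IP address, no wildcard handling).

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LdapsSanCheck {

    // Perform only the TLS handshake against the directory server and return the leaf
    // certificate it presents. The default SSLSocketFactory honours javax.net.ssl.trustStore,
    // so a certificate from an untrusted CA still fails here, as it should.
    static X509Certificate fetchServerCertificate(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return (X509Certificate) chain[0]; // chain[0] is the server's own certificate
        }
    }

    // Extract the DNS and IP entries of the subjectAltName extension as "DNS:x" / "IP:y".
    static List<String> subjectAltNames(X509Certificate cert) throws CertificateParsingException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if the extension is absent
        if (sans == null) {
            return out; // no SAN at all: endpoint identification can never succeed for this certificate
        }
        for (List<?> san : sans) {
            int tag = (Integer) san.get(0); // RFC 5280 GeneralName tags: 2 = dNSName, 7 = iPAddress
            if (tag == 2) {
                out.add("DNS:" + san.get(1));
            } else if (tag == 7) {
                out.add("IP:" + san.get(1));
            }
        }
        return out;
    }

    // Simplified form of the check the JDK applies: the host used in the URL must appear as a
    // dNSName (case-insensitive) or an iPAddress entry. Wildcard names are not handled here.
    static boolean hostListedInSan(List<String> sans, String host) {
        for (String san : sans) {
            String value = san.substring(san.indexOf(':') + 1);
            if (san.startsWith("DNS:") && value.equalsIgnoreCase(host)) return true;
            if (san.startsWith("IP:") && value.equals(host)) return true;
        }
        return false;
    }

    // Open the LDAPS connection with endpoint identification left enabled (the JDK 8u181 default).
    // The host in the URL must be one of the names returned by subjectAltNames(), otherwise
    // the handshake fails with "No subject alternative names matching ... found".
    static LdapContext connect(String host, int port, String bindDn, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: substitute your own trust store, directory host and bind account.
        System.setProperty("javax.net.ssl.trustStore", "certificates/cacerts");
        String host = "ldap.example.com";
        int port = 636;

        List<String> sans = subjectAltNames(fetchServerCertificate(host, port));
        System.out.println("server certificate subjectAltName entries: " + sans);
        if (!hostListedInSan(sans, host)) {
            // Fix the name or the certificate; do not disable endpoint identification.
            System.err.println(host + " is not listed in the certificate; connect by a listed DNS name or reissue the certificate");
            return;
        }
        LdapContext ctx = connect(host, port, "cn=reader,dc=example,dc=com", "placeholder-password");
        try {
            System.out.println("connected to " + ctx.getEnvironment().get(Context.PROVIDER_URL));
        } finally {
            ctx.close();
        }
    }
}
```

Run it with the same javax.net.ssl.trustStore the application uses. If the list contains only DNS names and the application connects by IP address, that alone explains the "No subject alternative names matching IP address" failure after the 8u181 update, and the change to make is in the URL or the certificate, not in the JVM flags.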

Reference:

https://stackoverflow.com/questions/51622117/issue-with-dns-naming-and-certificates-ldap-context

https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
