I have a Grails application that tries to authenticate against our own OpenID provider using OpenID4Java.
Our provider's certificate comes from RapidSSL and is signed by GeoTrust Global CA.
Browsers accept the certificate automatically.
I'm on a Mac and tried adding GeoTrust Global CA to the cacerts at /Library/Java/Home/lib/security/cacerts; I got the prompt "Certificate already exists in keystore under alias <keychainrootca-132>" and added it again anyway.
Starting Grails in STS with -Djavax.net.debug=ssl run-app -https
I can find the following in the output;

    adding as trusted cert:
      Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
      Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
      Algorithm: RSA; Serial number: 0x23456
      Valid from Tue May 21 14:00:00 EST 2002 until Sat May 21 14:00:00 EST 2022

    adding as trusted cert:
      Subject: CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
      Issuer:  CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US
      Algorithm: RSA; Serial number: 0x18acb56afd69b6153a636cafdafac4a1
      Valid from Mon Nov 27 11:00:00 EST 2006 until Thu Jul 17 09:59:59 EST 2036

However, trying to access the service from the application results in;
    javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:101)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:381)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
        at org.openid4java.util.HttpCache.head(HttpCache.java:335)
        at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:400)
        at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:248)
        at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:232)
        at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:166)
        at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
        at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
        at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
        at org.openid4java.consumer.ConsumerManager$discover.call(Unknown Source)

Posted 2012-05-16 08:17:41
We solved this with an additional Apache directive:

    SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

It seems we needed an intermediate CA entry because of who our issuer is.
Posted 2014-01-23 10:26:11
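The situation in the question and the fix in the answer above come down to chain building: the JVM's cacerts already held the GeoTrust Global CA root, so re-importing it changed nothing. What the server was not sending was the RapidSSL intermediate, and unlike browsers (which fetch or cache intermediates), Java builds the chain only from what the peer presents plus its trust store. Without the intermediate the chain is leaf -> ??? and the peer is "not authenticated". The script below is an added example, not code from the original question or answers: it constructs a throwaway root/intermediate/leaf hierarchy with the openssl CLI (the CA names and the host name openid.example.test are made up) and verifies the leaf three ways: leaf alone against the root (fails, the question's situation), leaf plus the intermediate as Apache sends it with SSLCertificateChainFile (succeeds), and leaf alone against a trust store that also holds the intermediate (succeeds, the client-side workaround the asker was reaching for when re-importing the root).

```shell
#!/bin/sh
# Added example: reproduce "root trusted, peer still unverified" with a
# constructed CA hierarchy. Requires the openssl CLI; all names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. Only root.pem plays the role of the
# JVM cacerts entry (GeoTrust Global CA in the question).
make_chain() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:openid.example.test' > "$WORK/leaf.ext"

    # self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Constructed Root CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -set_serial 1 -days 2 -extfile "$WORK/ca.ext" \
        -out "$WORK/root.pem" >/dev/null 2>&1

    # intermediate CA signed by the root (the RapidSSL role)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 2 -days 2 -extfile "$WORK/ca.ext" \
        -out "$WORK/intermediate.pem" >/dev/null 2>&1

    # server (leaf) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=openid.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/int.key" \
        -set_serial 3 -days 2 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.pem" >/dev/null 2>&1

    # What Apache presents once SSLCertificateChainFile is set: leaf then intermediate.
    cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/served-chain.pem"
    # A trust store that holds the intermediate as well as the root.
    cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/truststore-with-intermediate.pem"
}

# The question's situation: the server sends only its leaf, the client trusts
# only the root, and no path leaf -> root can be built.
verify_leaf_only() {
    if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# The answer's fix: the server also sends the intermediate (untrusted input
# the verifier may use to build the path), and the root anchors it.
verify_served_chain() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/served-chain.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# The client-side workaround: import the *intermediate* (not the root again)
# into the trust store, so the leaf's issuer is found there.
verify_intermediate_in_truststore() {
    if openssl verify -CAfile "$WORK/truststore-with-intermediate.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

report() {
    if "$1"; then echo "$1: chain verified"; else echo "$1: verification failed"; fi
}

make_chain
report verify_leaf_only
report verify_served_chain
report verify_intermediate_in_truststore
```

Run it as-is; the first report fails and the other two succeed. Against a real host the equivalent check is `openssl s_client -connect host:443 -showcerts`, which lists exactly the certificates the server sends: if only the leaf appears, the intermediate is missing server-side and the Apache directive above is the fix rather than anything in cacerts.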
I solved this by bypassing the certificate check. When creating a new ConsumerManager object, don't use the default constructor. Sample code follows:
    import java.io.IOException;
    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.X509Certificate;

    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLException;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    import org.apache.http.conn.ssl.X509HostnameVerifier;
    import org.openid4java.consumer.ConsumerManager;
    import org.openid4java.discovery.Discovery;
    import org.openid4java.discovery.yadis.YadisResolver;
    import org.openid4java.server.RealmVerifierFactory;
    import org.openid4java.util.HttpFetcherFactory;

    private ConsumerManager getFreeHttpsManager() throws NoSuchAlgorithmException, KeyManagementException {
        // ignore all: this trust manager accepts every certificate chain without
        // checking it, so any server (including a man-in-the-middle) is trusted
        TrustManager trm = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() {
                // empty array rather than null: some JSSE code paths dereference this
                return new X509Certificate[0];
            }
            public void checkClientTrusted(X509Certificate[] certs, String authType) {
            }
            public void checkServerTrusted(X509Certificate[] certs, String authType) {
            }
        };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[]{trm}, null);
        // HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

        // hostname verifier that never compares the certificate to the host name
        X509HostnameVerifier verifier = new X509HostnameVerifier() {
            @Override
            public void verify(String string, SSLSocket ssls) throws IOException {
            }
            @Override
            public void verify(String string, X509Certificate xc) throws SSLException {
            }
            @Override
            public void verify(String string, String[] strings, String[] strings1) throws SSLException {
            }
            @Override
            public boolean verify(String string, SSLSession ssls) {
                return true;
            }
        };

        // wire the permissive SSLContext and verifier into every HTTP fetcher
        // OpenID4Java uses (Yadis discovery, realm verification, associations)
        Discovery discovery = new Discovery();
        discovery.setYadisResolver(new YadisResolver(new HttpFetcherFactory(sc, verifier)));
        return new ConsumerManager(
            new RealmVerifierFactory(new YadisResolver(new HttpFetcherFactory(sc, verifier))),
            discovery, // uses HttpCache internally
            new HttpFetcherFactory(sc, verifier));
    }

https://stackoverflow.com/questions/10593654