首页 文章

无法将mongodb与ssl连接,获取异常com.mongodb.MongoSocketOpenException:异常打开套接字

提问于
浏览
0

尝试创建一个Java客户端以连接到安全的Mongodb服务器(具有身份验证和自签名证书 . )

它失败,除了“com.mongodb.MongoSocketOpenException:异常打开套接字” .

我可以使用robomongo客户端通过autom和ssl选项连接到服务器,该客户端安装在我运行代码的同一台机器上 .

此外,我验证了Java客户端工作正常,只有mongodb服务器中的身份验证,只有ssl它失败 .

我的代码看起来像这样:

String uri = "mongodb://<user>:<password>@<ip>:<port>/admin?ssl=true&sslInvalidHostNameAllowed=true";
MongoClientURI connectionString = new MongoClientURI(uri);
MongoClient mongoClient = new MongoClient(connectionString);
DB db = mongoClient.getDB(connectionString.getDatabase());

版本:

Mongo v3.4.5

Jdk 1.8

Mongo-java-driver 3.2.2

完整堆栈跟踪:

com.mongodb.MongoSocketWriteException: Exception sending message
    at com.mongodb.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:462)
    at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:205)
    at com.mongodb.connection.CommandHelper.sendMessage(CommandHelper.java:89)
    at com.mongodb.connection.CommandHelper.executeCommand(CommandHelper.java:32)
    at com.mongodb.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:83)
    at com.mongodb.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:43)
    at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:115)
    at com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:128)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at com.mongodb.connection.SocketStream.write(SocketStream.java:75)
    at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:201)
    ... 7 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(Unknown Source)
    at sun.security.util.HostnameChecker.match(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 17 more

2 回答

  • 0

    这是证书的问题,您在uri中使用IP . 尝试使用主机名或向证书添加备用名称 .

    这是另一种可能的解决方案:https://www.ibm.com/support/knowledgecenter/SS3NGB_5.1.0.3/ioc/ts_liberty_ip.html

  • 0

    最后,我找到了问题并正确解决了问题 . 第一个问题是证书,因为我使用的是自签名证书,我必须在创建客户端时明确地传递它,但我不相信SSL . 因为代码是:

    public static SSLSocketFactory validateCert(String hostIP) {
            HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> hostname.equals(hostIP));
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
    
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return null;
                }
    
                @Override
                public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
    
                }
    
                @Override
                public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
    
                }
            } };
    
            // Install the all-trusting trust manager
            try {
                SSLContext sc = SSLContext.getInstance("TLS");
                sc.init(null, trustAllCerts, null);
                return sc.getSocketFactory();
            } catch (GeneralSecurityException e) {
            }
            return null;
        }
    

    第二个问题是我使用凭据的方式 . 实际上,如果你使用URL方法,默认类型的mongo凭证是“MONGODB-CR”,但当我使用其他方式的身份验证,即“SCRAM-SHA-1”时,它工作正常 . 这个代码是:

    ServerAddress seeds = new ServerAddress(mongodbIP, Integer.parseInt(mongodbPort));
            List<MongoCredential> credentialsList = new ArrayList<MongoCredential>();
            credentialsList
                    .add(MongoCredential.createScramSha1Credential(mongoUser, mongoDefaultDB, mongoPassword.toCharArray()));
            SSLSocketFactory socketFactory = CertificateHelper.validateCert(mongodbIP);
            MongoClientOptions optionsBuilder = builder().sslEnabled(true).socketFactory(socketFactory)
                    .sslInvalidHostNameAllowed(true).build();
            this.mongoClient = new MongoClient(seeds, credentialsList, optionsBuilder);
    

相关问题