Problem description
The error "XMLHttpRequest: 網絡錯誤 0x2ef3, 由于出現錯誤 00002ef3 而導致此項操作無法完成" (IE's SCRIPT7002 network error 0x2ef3): Chrome, Firefox and Safari work with both SSL and non-SSL, but IE reports this error as soon as SSL is used (precondition: cross-origin AJAX is handled with CORS).
Preparation and environment for creating the myrootca certificate with OpenSSL (mycompany)
- Windows 10 64-bit
- Download from [http://slproweb.com/products/Win32OpenSSL.html][opensslwin64], version Win64 OpenSSL v1.1.0h Light
- Install into Windows with the default options
Creating a private CA and a certificate trusted through it
- With OpenSSL installed in its default location on the Windows host, add C:\OpenSSL-Win64\bin\ to PATH
- Prepare an OpenSSL working folder in which the root certificate and the server certificate will be generated
- Create the folder E:\sslca
- Copy C:\OpenSSL-Win64\bin\openssl.cfg into E:\sslca
- Edit the openssl.cfg configuration file to set the contents, version and other details of the certificates the CA will issue
- Remove the `#` in front of `req_extensions = v3_req`:
```
req_extensions = v3_req # The extensions to add to a certificate request
```
- Add `subjectAltName = @alt_names` under `[ v3_req ]`
- Add an `[ alt_names ]` section, which lists who the certificate is issued for. Note the spaces inside the brackets. You can add as many `DNS.x` entries as you need; these DNS names are your site's addresses. The result looks like this:
```
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = mycompany.com
DNS.2 = *.mycompany.com
```
- Change the default certificate directory. Originally it is
```
dir = ./demoCA
```
Change it to the following in `[ CA_default ]`:
```
[ CA_default ]
dir = ./rootCA # Where everything is kept
```
and in `[ tsa_config1 ]`:
```
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./rootCA # TSA root directory
```
- Create the required folders in E:\sslca so that the CA root certificate can be generated (openssl.cfg expects these files and folders)
- Go to E:\sslca
- Run the following commands:
```
> mkdir rootCA\private rootCA\newcerts
> type nul > rootCA\index.txt
> echo 01 > rootCA\serial
```
Generate the self-signed CA root certificate; the user imports it into the system, and that import is what makes the system trust the certificates it issues (the same as importing a CA certificate in advance)
- Generate the RootCA certificate: go to E:\sslca and run
```
> openssl req -new -x509 -newkey rsa:2048 -days 3650 -keyout rootCA\private\MyRootCA.key -out rootCA\MyRootCA.crt -passout pass:123456 -config openssl.cfg
```
Command explanation:

Parameter | Description
---------------------| ---------------------
-days 3650 | the root certificate is valid for 10 years
-passout pass:123456 | the passphrase of the CA key is 123456
-config openssl.cfg | use the openssl.cfg in the current folder as the configuration; without this option, C:\OpenSSL-Win64\bin\openssl.cfg is used
Console output:
```
Generating a 2048 bit RSA private key
..............................................+++
.......................+++
writing new private key to 'rootCA\private\MyRootCA.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompanya
Organizational Unit Name (eg, section) []:mycompany.com
Common Name (e.g. server FQDN or YOUR name) []:MyRootCA
Email Address []:
```
- Generate the user (server) certificate
- Generate the user's RSA key pair
```
>openssl genrsa -des3 -out mycompany.com.key -passout pass:123456
```
Console output:
```
Generating RSA private key, 2048 bit long modulus
.............+++
.............................................+++
e is 65537 (0x010001)
```
- Generate the user's certificate request from the key pair
```
>openssl req -new -days 3650 -key mycompany.com.key -out mycompany.com.csr -config openssl.cfg
```
Console output. Nothing is echoed while you type the passphrase, but the input is taken. Also, the Country Name, State and company entered below must match those of MyRootCA. The reason:
openssl.cfg contains the following section (which you can change as needed):
```
[ policy_match ]
countryName = match #the request must match the CA certificate
stateOrProvinceName = match #the request must match the CA certificate
organizationName = match #the request must match the CA certificate
organizationalUnitName = optional #optional
commonName = supplied #must be present in the certificate request
emailAddress = optional #optional
```
Console output:
```
Enter pass phrase for mycompany.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mycompanya
Organizational Unit Name (eg, section) []:mycompany.com
Common Name (e.g. server FQDN or YOUR name) []:mycompany.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
- Sign the user certificate with the CA certificate. If the subject fields (CN and so on) of the user certificate do not match the rootCA certificate, the certificate cannot be generated
```
>openssl ca -in mycompany.com.csr -out mycompany.com.crt -cert rootCA\MyRootCA.crt -keyfile rootCA\private\MyRootCA.key -extensions v3_req -config openssl.cfg
```
Console output:
```
Using configuration from openssl.cfg
Enter pass phrase for rootCA\private\MyRootCA.key:
Can't open ./rootCA/index.txt.attr for reading, No such file or directory
14380:error:02001002:system library:fopen:No such file or directory:crypto\bio\bss_file.c:74:fopen('./rootCA/index.txt.attr','r')
14380:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 17 03:13:48 2018 GMT
            Not After : May 17 03:13:48 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = mycompanya
            organizationalUnitName    = mycompany.com
            commonName                = mycompany.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:mycompany.com, DNS:*.mycompany.com, DNS:*.uuu.mycompany.com, DNS:*.sss.mycompany.com, DNS:auth.uuu.mycompany.com
Certificate is to be certified until May 17 03:13:48 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Note: if you see `./rootCA/newcerts is not a directory`,
edit openssl.cfg and change rootCA to your own rootCA directory, as described earlier.
- Generate the p12 certificate, which is used for the web server configuration
```
>openssl pkcs12 -export -inkey mycompany.com.key -in mycompany.com.crt -out mycompany.com.p12
```
Console output:
```
Enter pass phrase for mycompany.com.key:
Enter Export Password:
Verifying - Enter Export Password:
```
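The whole procedure above (config edits, CA database files, self-signed root, server key and CSR, signing with `openssl ca -extensions v3_req`, PKCS#12 export) as one runnable POSIX shell script. This is an added example, not code from the post: it writes its own minimal openssl.cfg containing only the sections the post edits plus the `[ ca ]`, `[ req ]` and `v3_ca` pieces that `openssl ca` and `req -x509` need (the `v3_ca` section mirrors the stock file so the root carries CA:TRUE), then checks the result the way a browser does: chain to the root plus hostname against the SAN. The work directory `$WORK`, the `DEMO` variable and the function names are my own; the names, paths and passphrase come from the post. Two things it makes visible that the post's output only hints at: the leaf's lifetime is `default_days` from `[ CA_default ]` (365 days in the post's output, because `req` without `-x509` ignores `-days 3650`), and a hostname outside the SAN fails verification even though the chain itself is valid.

```shell
#!/bin/sh
# Added example (not the post's code): the post's private-CA flow for a POSIX
# shell with a self-contained openssl.cfg. Assumptions (mine): work dir $WORK,
# CA dir ./rootCA, names/passphrase as in the post, OpenSSL 1.0.2 or newer.
WORK="${WORK:-$(mktemp -d)}"

write_config() {
    # Only the sections the post edits, plus what `openssl ca` needs to run.
    cat > "$WORK/openssl.cfg" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = ./rootCA            # Where everything is kept
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
default_md    = sha256
default_days  = 365                 # what the post's output shows (365 days)
policy        = policy_match
[ policy_match ]
countryName            = match      # request must match the CA certificate
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied   # must be present in the request
emailAddress           = optional
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req         # SAN goes into the CSR
x509_extensions    = v3_ca          # used only by `req -x509` (the root)
[ req_distinguished_name ]
C  = CN
ST = BeiJing
O  = mycompanya
CN = mycompany.com
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = mycompany.com
DNS.2 = *.mycompany.com
EOF
}

build_private_ca() {
    # Same steps as the post: CA database files, self-signed root, server key,
    # CSR, CA-signed certificate with -extensions v3_req, then the PKCS#12 bundle.
    write_config
    ( cd "$WORK" &&
      mkdir -p rootCA/private rootCA/newcerts &&
      : > rootCA/index.txt && echo 01 > rootCA/serial &&
      openssl req -new -x509 -newkey rsa:2048 -days 3650 -config openssl.cfg \
          -subj "/C=CN/ST=BeiJing/O=mycompanya/CN=MyRootCA" -passout pass:123456 \
          -keyout rootCA/private/MyRootCA.key -out rootCA/MyRootCA.crt &&
      openssl genrsa -des3 -passout pass:123456 -out mycompany.com.key 2048 &&
      openssl req -new -config openssl.cfg -key mycompany.com.key \
          -passin pass:123456 -out mycompany.com.csr &&
      openssl ca -batch -config openssl.cfg -extensions v3_req \
          -cert rootCA/MyRootCA.crt -keyfile rootCA/private/MyRootCA.key \
          -passin pass:123456 -in mycompany.com.csr -out mycompany.com.crt &&
      openssl pkcs12 -export -inkey mycompany.com.key -passin pass:123456 \
          -in mycompany.com.crt -passout pass:123456 -out mycompany.com.p12
    ) >/dev/null 2>&1
}

verify_leaf() {
    # Chain check plus hostname-vs-SAN check; succeeds only when both pass.
    ( cd "$WORK" && openssl verify -CAfile rootCA/MyRootCA.crt \
          -verify_hostname "$1" mycompany.com.crt 2>&1 ) | grep -q ': OK'
}

leaf_san() {
    # Print the SAN line of the issued certificate.
    ( cd "$WORK" && openssl x509 -in mycompany.com.crt -noout -text ) \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

p12_has_leaf() {
    # Confirm the bundle Tomcat will load carries the server certificate.
    ( cd "$WORK" && openssl pkcs12 -in mycompany.com.p12 -passin pass:123456 \
          -nokeys -clcerts 2>/dev/null ) \
        | openssl x509 -noout -subject -nameopt RFC2253 | grep -q 'CN=mycompany.com'
}

if [ "${DEMO:-}" = "1" ]; then
    build_private_ca && echo "SAN: $(leaf_san)" &&
    verify_leaf www.mycompany.com && echo "www.mycompany.com: chain and hostname OK"
fi
```

Run it as `DEMO=1 sh private_ca.sh`; the Windows equivalent is the same sequence of `openssl` commands typed into cmd with backslash paths. The hostname check is the part that matters for the browser errors later in the post: a certificate whose SAN does not cover the host being requested is rejected by the browser no matter how the root was imported.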
Notes on the certificates
- Why must the user certificate's CN, SiChuan and YourCompany match MyRootCA?
openssl.cfg contains the following section (which you can change as needed):
```
[ policy_match ]
countryName = match #the request must match the CA certificate
stateOrProvinceName = match #the request must match the CA certificate
organizationName = match #the request must match the CA certificate
organizationalUnitName = optional #optional
commonName = supplied #must be present in the certificate request
emailAddress = optional #optional
```
Certificate verification
Install the RootCA certificate into the Trusted Root Certification Authorities store. Install the RootCA certificate first; otherwise the user certificate is not trusted, because its root certificate is not trusted (install it into the local Trusted Root Certification Authorities store; look up the installation steps yourself).
Add the certificate configuration to server.xml in Tomcat 8.5
- The configuration is as follows:
```
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="E:/ssl/mycompany.com.p12"
                     type="RSA"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="123456"/>
    </SSLHostConfig>
</Connector>
```
When accessed from a browser, the certificate is trusted and no security warning is shown.
- Server-side code
```
@ResponseBody
@RequestMapping("/getinfo")
public String getinfo(HttpServletRequest request, HttpServletResponse response) {
    Map<String, String> map = new HashMap<String, String>();
    map.put("result", "hh");
    // Print every cookie the browser attached to the cross-origin request
    Cookie[] cookies = request.getCookies();
    if (null != cookies) {
        for (int i = 0; i < cookies.length; i++) {
            Cookie cookie = cookies[i];
            System.out.println(cookie.getDomain() + " " + cookie.getName() + " "
                    + cookie.getPath() + " " + cookie.getValue());
        }
    }
    // Cookie scoped to the parent domain so every *.mycompany.com host receives it
    response.addHeader("Set-Cookie", "id=" + request.getSession().getId()
            + "; Domain=.mycompany.com; Path=/");
    // CORS response headers. The request's Origin is echoed back unchecked; combined
    // with Allow-Credentials=true this lets any origin that sends one make credentialed
    // requests, so an allow-list of known origins is the safer form of this check.
    response.setHeader("Access-Control-Allow-Origin", request.getHeader("origin"));
    response.setHeader("Access-Control-Allow-Methods", "POST, GET");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Credentials", "true");
    response.setHeader("Access-Control-Allow-Headers",
            "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With");
    return "hello";
}
```
- Client-side code
```
jQuery.support.cors = true; // add jQuery.support.cors = true together with crossDomain: true as a pair; this alone does not work in Firefox and Chrome
$('#CORS').click(function () {
    $.ajax({
        url: "https://common.mycompany.com:8443/app1/getinfo",
        crossDomain: true,
        xhrFields: { // with this, Firefox, Chrome and IE7-11 all work, and crossDomain: true and jQuery.support.cors = true are no longer needed
            withCredentials: true
        },
        success: function (html) {
            console.log(html);
            console.log(document.cookie);
        }
    });
});
```
瀏覽器驗(yàn)證
-
IE瀏覽器
默認(rèn)仿真器為IE7祥楣,測試時(shí)會彈出alert警告框,IE8、9仿真器可通過误褪,IE10责鳍、11出現(xiàn)錯誤:
SEC7120: 在 Access-Control-Allow-Origin 標(biāo)頭中未找到源 https://java.mycompany.com:8444。
SCRIPT7002: XMLHttpRequest: 網(wǎng)絡(luò)錯誤 0x80700013, 由于出現(xiàn)錯誤 80700013 而導(dǎo)致此項(xiàng)操作無法完成兽间。
XMLHttpRequest: Network Error 0x80700013, Could not complete the operation due to error 80700013.
解決方法:Internet選項(xiàng)-安全历葛,添加受信任站點(diǎn)(使用ajax的網(wǎng)站,而非ajax調(diào)用的網(wǎng)站嘀略,當(dāng)然都加上也可以)恤溶,同時(shí)將受信任站點(diǎn)安全級別調(diào)整到最低帜羊,IE7咒程、8、9逮壁、10孵坚、11的問題都可以解決
- Firefox
After the certificate is installed in Windows, IE succeeds, but Firefox still shows the HTTPS security warning, and the AJAX request fails with the following error:
```
common.mycompany.com:8443 使用了無效的安全證書。該證書因為其頒發者證書未知而不被信任。該服務器可能未發送相應的中間證書。可能需要導入額外的根證書。錯誤代碼: SEC_ERROR_UNKNOWN_ISSUER
```
Fix: open the Firefox settings and choose Advanced → Certificates → View Certificates → Authorities → Import, then import the RootCA certificate into Firefox (Firefox does not share the CA store with IE and the others; it manages its own certificate store).
- Chrome
Chrome works without any problem.
- Safari
Safari works without any problem. On macOS the RootCA certificate must be installed into the system and marked as trusted (double-click the certificate → Certificates → click the certificate → Trust).
Problems this resolves
1. The error reported on the AJAX call. In fact IE never sent the request out at all, so IE effectively cut the request off; the specific cause should be related to the certificate, because a certificate issued by a CA does not have this problem.
```
SCRIPT7002: XMLHttpRequest: network error 0x2ef3
XMLHttpRequest: 網絡錯誤 0x2ef3, 由于出現錯誤 00002ef3 而導致此項操作無法完成
```