我无法与 IRC 服务器建立安全连接irc.pirateirc.net。gnutls 无法识别 SSL 证书颁发者,即使该证书是由常规 CA(Comodo)颁发的。
我尝试在 Debian 7 (Wheezy) 和 Ubuntu 12.04 (Precise) 上使用 gnutls-cli。证书指纹与pirateirc 网站:
SSL 指纹(SHA1):97:83:5C:F8:17:71:EC:00:0E:24:5B:47:10:62:9E:FE:F7:48:5A:15
谁能告诉我这里的问题是什么?
请参阅下面的日志:
$ gnutls-cli -p 6697 irc.pirateirc.net
Resolving 'irc.pirateirc.net'...
Connecting to '82.94.160.208:6697'...
- Successfully sent 0 certificate(s) to server.
- Ephemeral Diffie-Hellman parameters
- Using prime: 2048 bits
- Secret key: 2047 bits
- Peer's public key: 2048 bits
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 5 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=EssentialSSL Wildcard,CN=*.pirateirc.net', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=EssentialSSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2012-04-29 00:00:00 UTC', expires `2014-05-29 23:59:59 UTC', SHA-1 fingerprint `97835cf81771ec000e245b4710629efef7485a15'
- Certificate[1] info:
- subject `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `02faf3e291435468607857694df5e45b68851868'
- Certificate[2] info:
- subject `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2005-06-07 08:09:10 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `867539a26c81fa2d78277c3adfdb304312535e57'
- Certificate[3] info:
- subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO Certification Authority', issuer `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-12-01 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `3a6c6d0ce8015d1b3b5cae19952e06f9428c7993'
- Certificate[4] info:
- subject `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=EssentialSSL CA', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-12-01 00:00:00 UTC', expires `2019-12-31 23:59:59 UTC', SHA-1 fingerprint `23bc94154eef52fb485e90665f41c2be809b0667'
- The hostname in the certificate matches 'irc.pirateirc.net'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA256
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
:amsterdam-nl.pirateirc.net NOTICE * :*** Looking up your hostname...
答案1
您可能没有将 Commodo 作为受信任的 CA。证书似乎已正确安装:
http://www.sslshopper.com/ssl-checker.html#hostname=irc.pirateirc.net:6697
编辑:
刚刚注意到,您没有处理任何 CA 证书!我不确定您想检查什么gnutls-utils。证书的有效性?
请记住,SSL 是基于信任的。您必须信任某个人(这里是 Comodo CA)的证书是有效的。
尝试以下方法来验证 SSL:
gnutls-cli www.comodo.com
正如预期的那样,这将失败:
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: SHA
- Compression: NULL
- Handshake was completed
然后:
wget --no-check-certificate "https://support.comodo.com/index.php?dload=Download&_m=downloads&_a=downloadfile&downloaditemid=87" -O /tmp/AddTrustExternalCARoot.crt
现在尝试同样的检查:
gnutls-cli --x509cafile /tmp/AddTrustExternalCARoot.crt www.comodo.com
您应该看到:
Processed 1 CA certificate(s).
Resolving 'www.comodo.com'...
Connecting to '91.199.212.176:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
...
- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: SHA
- Compression: NULL
- Handshake was completed