我正在尝试连接到人权观察。页面没有加载,浏览器也没有提供太多信息。浏览器显示“同行的证书已被撤销。(错误代码:sec_error_revoked_certificate)”。
我想了解更多信息并可能忽略该问题,但浏览器不允许我查看证书或提供证书被撤销的原因:
从 OpenSSL 命令行工具,我相信 Symantec 颁发了证书(见下文)。添加-crl_check
并-crl_check_all
没有提供更多信息。
如何确定原因并获取有关证书撤销的更多信息?
$ openssl s_client -connect hrw.org:443 -servername hrw.org -tls1 | openssl x509 -text -noout
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
76:59:2a:47:97:66:58:7a:44:a8:8b:b4:0e:d1:be:02
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
Validity
Not Before: Mar 5 00:00:00 2015 GMT
Not After : Mar 5 23:59:59 2019 GMT
Subject: C=US, ST=New York, L=New York, O=Human Rights Watch, OU=Online, CN=hrw.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e6:ec:72:2e:03:b2:54:5a:dd:2a:78:08:67:bc:
5a:e0:6c:c3:6e:20:70:f1:86:c6:de:78:93:15:b4:
02:c3:8f:77:98:99:d1:8f:25:4c:27:72:6a:0c:3e:
aa:a2:8a:53:10:07:af:4d:9d:be:9c:e6:79:0c:62:
50:5a:b2:27:dc:f1:13:a2:9f:16:5f:c3:3e:ad:44:
f4:7e:be:81:4a:24:7d:ac:1c:e9:b7:db:47:39:41:
41:d5:db:9c:5b:8d:35:07:30:fe:15:70:8e:0d:92:
c0:9e:f8:81:b3:00:72:10:42:b0:50:81:98:a4:d7:
dd:bb:fe:7d:b4:78:19:bc:ae:77:45:ff:a5:b9:ad:
2e:84:46:be:2e:a0:68:f9:b2:22:2e:f1:66:00:d6:
13:15:2d:50:7e:59:70:bf:53:67:ff:2c:30:38:fc:
c9:01:8d:6d:1a:62:fc:1f:df:02:16:27:3c:e6:c7:
7d:d8:68:14:79:99:e7:9c:b6:4d:2d:01:b4:77:3c:
44:8e:f9:67:5d:8e:7d:b3:9f:4b:02:ab:4c:53:c2:
92:b7:d0:8b:2a:12:68:1e:47:e9:8d:87:f8:a4:4f:
b1:d2:ee:0e:2d:3c:cc:19:fd:f5:f1:46:40:c7:54:
c4:5e:9b:58:6f:96:53:49:81:4f:0f:a6:0e:64:88:
30:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:features.hrw.org, DNS:hrw.org
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://ss.symcb.com/ss.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: https://d.symcb.com/cps
User Notice:
Explicit Text: https://d.symcb.com/rpa
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Authority Key Identifier:
keyid:5F:60:CF:61:90:55:DF:84:43:14:8A:60:2A:B2:F5:7A:F4:43:18:EF
Authority Information Access:
OCSP - URI:http://ss.symcd.com
CA Issuers - URI:http://ss.symcb.com/ss.crt
Signature Algorithm: sha256WithRSAEncryption
92:72:97:e5:92:1a:d8:f4:8e:fe:39:4a:8a:f1:ec:73:4f:5f:
66:f9:27:fe:bf:9e:e9:c7:fa:49:fb:3c:4b:64:5b:2c:d8:e4:
9c:a2:85:49:03:40:fd:de:a2:37:f1:b9:87:bc:72:23:6d:72:
b7:a4:79:99:d0:79:e8:1d:20:6a:cc:bf:88:59:55:26:77:22:
8c:c9:54:81:44:c9:d4:13:2c:3f:e4:2c:f5:9a:5e:51:e2:fe:
a4:a0:28:d1:cd:71:b8:04:72:6a:26:b2:41:f8:c5:13:9f:82:
72:93:ae:fc:11:0a:fd:38:2c:ef:64:64:e8:51:68:a8:1d:d4:
3e:9e:56:60:55:26:6c:ff:a5:27:46:01:89:57:ab:50:7b:27:
cc:20:04:9f:c9:2c:6e:ff:7a:fd:23:e6:d4:bb:ab:3a:d6:19:
12:5b:0e:35:b3:f0:59:fd:3e:53:62:f7:6e:bf:a3:af:51:74:
fb:95:a1:0e:04:a6:ff:42:0a:57:4d:50:62:30:05:26:57:0b:
ae:4e:44:78:45:8b:1a:4b:dc:a8:32:02:19:0f:04:e9:1f:85:
89:a2:16:fb:3f:2f:82:85:c4:c6:18:8c:19:0e:4f:13:d2:98:
ff:2b:c2:08:c8:a0:3b:76:0d:19:48:f6:a3:f7:fc:78:5c:4e:
63:48:83:29
答案1
撤销列表 (CRL) 或协议 (OCSP) 中没有有用的原因信息。没有文本表示详细信息,但您只有单个位。
详细查看 OCSP 验证过程,我将看到响应的以下详细信息:
revocationTime: 2015-03-06 15:25:37 (UTC)
revocationReason: unspecified (0)
鉴于该证书仅自 2015 年 3 月 5 日起有效,这意味着该证书在颁发 1 天后就已被撤销,原因不明。
还请注意,hrw.org 与 www.hrw.org 是不同的 IP 地址。www.hrw.org 位于内容传送网络之后,并与 api.weibo.com 等网站以及各种日文和韩文域名共享相同的证书。
另请注意,如果您使用的是 Chrome 浏览器而不是 Firefox,那么您就不会遇到此错误,因为 Chrome 使用自己的机制进行撤销检查(CRL 集) 仅包括被认为重要的撤销:(
顺便说一句,我认为这种问题更适合security.stackexchange.com。