确定 X.509 证书撤销的原因?

确定 X.509 证书撤销的原因?

我正在尝试连接到人权观察。页面没有加载,浏览器也没有提供太多信息。浏览器显示“同行的证书已被撤销。(错误代码:sec_error_revoked_certificate)”

我想了解更多信息并可能忽略该问题,但浏览器不允许我查看证书或提供证书被撤销的原因:

在此处输入图片描述

从 OpenSSL 命令行工具,我相信 Symantec 颁发了证书(见下文)。添加-crl_check-crl_check_all没有提供更多信息。

如何确定原因并获取有关证书撤销的更多信息?


$ openssl s_client -connect hrw.org:443 -servername hrw.org -tls1 | openssl x509 -text -noout
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:59:2a:47:97:66:58:7a:44:a8:8b:b4:0e:d1:be:02
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
        Validity
            Not Before: Mar  5 00:00:00 2015 GMT
            Not After : Mar  5 23:59:59 2019 GMT
        Subject: C=US, ST=New York, L=New York, O=Human Rights Watch, OU=Online, CN=hrw.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e6:ec:72:2e:03:b2:54:5a:dd:2a:78:08:67:bc:
                    5a:e0:6c:c3:6e:20:70:f1:86:c6:de:78:93:15:b4:
                    02:c3:8f:77:98:99:d1:8f:25:4c:27:72:6a:0c:3e:
                    aa:a2:8a:53:10:07:af:4d:9d:be:9c:e6:79:0c:62:
                    50:5a:b2:27:dc:f1:13:a2:9f:16:5f:c3:3e:ad:44:
                    f4:7e:be:81:4a:24:7d:ac:1c:e9:b7:db:47:39:41:
                    41:d5:db:9c:5b:8d:35:07:30:fe:15:70:8e:0d:92:
                    c0:9e:f8:81:b3:00:72:10:42:b0:50:81:98:a4:d7:
                    dd:bb:fe:7d:b4:78:19:bc:ae:77:45:ff:a5:b9:ad:
                    2e:84:46:be:2e:a0:68:f9:b2:22:2e:f1:66:00:d6:
                    13:15:2d:50:7e:59:70:bf:53:67:ff:2c:30:38:fc:
                    c9:01:8d:6d:1a:62:fc:1f:df:02:16:27:3c:e6:c7:
                    7d:d8:68:14:79:99:e7:9c:b6:4d:2d:01:b4:77:3c:
                    44:8e:f9:67:5d:8e:7d:b3:9f:4b:02:ab:4c:53:c2:
                    92:b7:d0:8b:2a:12:68:1e:47:e9:8d:87:f8:a4:4f:
                    b1:d2:ee:0e:2d:3c:cc:19:fd:f5:f1:46:40:c7:54:
                    c4:5e:9b:58:6f:96:53:49:81:4f:0f:a6:0e:64:88:
                    30:59
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:features.hrw.org, DNS:hrw.org
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://ss.symcb.com/ss.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://d.symcb.com/cps
                  User Notice:
                    Explicit Text: https://d.symcb.com/rpa

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: 
                keyid:5F:60:CF:61:90:55:DF:84:43:14:8A:60:2A:B2:F5:7A:F4:43:18:EF

            Authority Information Access: 
                OCSP - URI:http://ss.symcd.com
                CA Issuers - URI:http://ss.symcb.com/ss.crt

    Signature Algorithm: sha256WithRSAEncryption
         92:72:97:e5:92:1a:d8:f4:8e:fe:39:4a:8a:f1:ec:73:4f:5f:
         66:f9:27:fe:bf:9e:e9:c7:fa:49:fb:3c:4b:64:5b:2c:d8:e4:
         9c:a2:85:49:03:40:fd:de:a2:37:f1:b9:87:bc:72:23:6d:72:
         b7:a4:79:99:d0:79:e8:1d:20:6a:cc:bf:88:59:55:26:77:22:
         8c:c9:54:81:44:c9:d4:13:2c:3f:e4:2c:f5:9a:5e:51:e2:fe:
         a4:a0:28:d1:cd:71:b8:04:72:6a:26:b2:41:f8:c5:13:9f:82:
         72:93:ae:fc:11:0a:fd:38:2c:ef:64:64:e8:51:68:a8:1d:d4:
         3e:9e:56:60:55:26:6c:ff:a5:27:46:01:89:57:ab:50:7b:27:
         cc:20:04:9f:c9:2c:6e:ff:7a:fd:23:e6:d4:bb:ab:3a:d6:19:
         12:5b:0e:35:b3:f0:59:fd:3e:53:62:f7:6e:bf:a3:af:51:74:
         fb:95:a1:0e:04:a6:ff:42:0a:57:4d:50:62:30:05:26:57:0b:
         ae:4e:44:78:45:8b:1a:4b:dc:a8:32:02:19:0f:04:e9:1f:85:
         89:a2:16:fb:3f:2f:82:85:c4:c6:18:8c:19:0e:4f:13:d2:98:
         ff:2b:c2:08:c8:a0:3b:76:0d:19:48:f6:a3:f7:fc:78:5c:4e:
         63:48:83:29

答案1

撤销列表 (CRL) 或协议 (OCSP) 中没有有用的原因信息。没有文本表示详细信息,但您只有单个位。

详细查看 OCSP 验证过程,我将看到响应的以下详细信息:

 revocationTime: 2015-03-06 15:25:37 (UTC)
 revocationReason: unspecified (0)

鉴于该证书仅自 2015 年 3 月 5 日起有效,这意味着该证书在颁发 1 天后就已被撤销,原因不明。

还请注意,hrw.org 与 www.hrw.org 是不同的 IP 地址。www.hrw.org 位于内容传送网络之后,并与 api.weibo.com 等网站以及各种日文和韩文域名共享相同的证书。

另请注意,如果您使用的是 Chrome 浏览器而不是 Firefox,那么您就不会遇到此错误,因为 Chrome 使用自己的机制进行撤销检查(CRL 集) 仅包括被认为重要的撤销:(

顺便说一句,我认为这种问题更适合security.stackexchange.com。

相关内容