我的服务器出现 TLS 问题,我想查看它提供的证书,以帮助诊断问题。通常,我会使用 openssl 显示证书,如下所示:
$ openssl s_client -connect facebook.com:443
但是,我不知道哪个 CA 签署了此服务器的证书。我想法这是我们的内部 CA,但测试表明并非如此。因此,我无法使用 openssl-CAfile
或-CApath
标志来指定 CA。
还有一个限制。该服务器不是 HTTP 服务器(它是 postgres),否则我就只使用curl --insecure
。
我尝试使用-verify
标志,因为根据OpenSSL 的文档:
要使用的验证深度。这指定了服务器证书链的最大长度并启用服务器证书验证。目前,验证操作在出现错误后继续,因此可以看到证书链的所有问题。作为副作用,连接永远不会因服务器证书验证失败而失败。
它声称在出现所有错误后继续,因此可以看到所有问题。但是,我得到的只是:
1737:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
这就是我无论有没有 都会收到的错误消息-verify
。
那么如何查看服务器出示的证书呢?
答案1
当证书由未知 CA 签名时,如何显示服务器的证书?
这很简单(CA 不会考虑这些因素)... 使用选项s_client
将输出x509
作为输入通过管道传输-text -noout
。以下命令还支持 SNI 和 TLS 1.0。
$ openssl s_client -connect facebook.com:443 -servername facebook.com -tls1 | openssl x509 -text -noout
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0e:cb:09:39:b2:b1:01:54:b8:95:70:c7:b2:2b:7a:47
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
Validity
Not Before: Aug 28 00:00:00 2014 GMT
Not After : Dec 30 12:00:00 2016 GMT
Subject: C = US, ST = CA, L = Menlo Park, O = "Facebook, Inc.", CN = *.facebook.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d8:d1:dd:35:bd:e2:59:b6:fb:9b:1f:54:15:8c:
db:bf:4e:58:bd:47:be:b8:10:fc:22:e9:d2:9e:98:
f8:49:2a:25:fb:94:46:e4:42:99:84:50:1c:5f:01:
fd:14:25:31:5c:4e:d9:64:fd:c5:0c:b3:46:d2:a1:
bc:70:b4:87:8e
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Subject Key Identifier:
43:09:93:40:FA:11:4B:30:33:EC:F2:87:6E:8D:71:18:CF:8A:BC:8E
X509v3 Subject Alternative Name:
DNS:*.facebook.com, DNS:*.facebook.net, DNS:*.fb.com, DNS:*.fbcdn.net, DNS:*.fbsbx.com, DNS:*.m.facebook.com, DNS:*.messenger.com, DNS:*.xx.fbcdn.net, DNS:*.xy.fbcdn.net, DNS:*.xz.fbcdn.net, DNS:facebook.com, DNS:fb.com, DNS:messenger.com
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/sha2-ha-server-g5.crl
Full Name:
URI:http://crl4.digicert.com/sha2-ha-server-g5.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Policy: 2.23.140.1.2.2
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
X509v3 Basic Constraints: critical
CA:FALSE
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
Timestamp : Dec 16 15:50:03.515 2015 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:28:C8:7D:86:5D:F1:14:32:9D:3A:50:3E:
2F:C2:99:80:EC:13:C8:F9:1F:5D:9F:8A:0A:81:FB:F9:
EA:02:8C:F5:02:20:28:6F:7F:97:B3:27:01:66:BB:89:
4D:C5:A8:53:3A:34:CE:F6:AB:46:AE:F1:70:BD:B8:27:
2D:C2:03:28:F6:2C
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 68:F6:98:F8:1F:64:82:BE:3A:8C:EE:B9:28:1D:4C:FC:
71:51:5D:67:93:D4:44:D1:0A:67:AC:BB:4F:4F:FB:C4
Timestamp : Dec 16 15:50:03.453 2015 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:FB:7B:CE:FA:1D:74:6B:EB:76:20:77:
16:E3:C0:58:72:B3:21:35:9A:C0:43:2D:A8:90:77:E1:
B7:9A:DA:5F:6D:02:20:04:AA:8B:42:D2:AC:CA:D1:87:
DF:70:54:C7:1E:22:20:53:36:DF:93:5B:B8:1F:5B:FC:
80:05:D1:9A:5A:AB:B0
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7:
46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD
Timestamp : Dec 16 15:50:03.663 2015 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:FE:2C:B6:D4:EF:95:FF:FC:CD:78:71:
81:88:AD:3A:B3:A3:12:0C:82:B2:D8:B5:4C:E6:F1:66:
FE:D4:7E:34:A5:02:20:2D:2B:D5:D5:13:84:9C:99:D9:
16:65:15:08:DC:59:65:C5:C0:2C:6A:95:E7:E9:83:9F:
AF:26:8B:39:10:26:28
Signature Algorithm: sha256WithRSAEncryption
aa:91:ae:52:01:8c:60:f6:02:b6:94:eb:af:6e:eb:dd:3c:c8:
e1:6f:17:ab:b8:28:80:ec:dc:54:82:56:24:c1:16:08:e1:c2:
c8:3e:3c:0f:53:18:40:7f:df:41:36:93:95:5f:b1:d9:35:43:
5e:94:60:f9:d6:a7:83:6a:7d:c7:b4:f6:0b:90:76:f8:b4:0a:
c1:31:0d:16:18:b5:cb:71:5c:f9:93:02:21:aa:bb:40:fd:ee:
0a:1b:a9:f2:c3:0e:25:13:63:67:a2:42:eb:79:ea:5f:8f:fb:
d8:bb:76:8c:5f:61:ca:2c:be:01:44:09:af:36:1e:a9:f7:40:
1c:a4:b3:65:78:42:68:04:f0:4b:0c:7f:1f:d9:13:f6:0a:3b:
35:79:73:69:c7:3c:70:e5:5d:06:98:ea:88:d5:dd:6b:e6:66:
62:57:cf:af:d0:fb:67:9b:e0:c8:20:3a:b9:b6:4f:39:7a:5f:
c4:fd:a0:46:8c:bc:c7:44:a7:b3:ab:52:49:db:86:97:ed:2e:
bc:80:56:95:9f:d2:63:84:57:e7:92:15:32:e4:75:c5:81:52:
cb:3b:26:e1:5d:4b:fd:e0:39:5e:81:06:af:cc:7e:77:d1:9d:
9a:06:6f:ef:f7:fc:e2:86:5a:16:5a:c2:04:de:80:e3:78:1f:
0f:fc:7f:df
我不知道哪个 CA 签署了此服务器的证书。我以为这是我们的内部 CA,但测试表明并非如此。因此我无法使用 openssl 的 -CAfile 或 -CApath 标志来指定 CA。
我不确定你的意思。我怀疑您的内部 CA 已签署 Facebook 的证书。此外,PKIX 仅允许一颁发者,因此证书上不能有两个或多个 CA 签名。这是因为只规定了一个发行人, 一授权密钥标识符等。虽然这是不允许的,但这种用例很有意义;另请参阅具有多个签名者的证书?在 PKIX 邮件列表上。
如果你想openssl s_client
结束Verify return code: 0 (ok)
,然后CAfile
与 DigiCert 的 CA 一起使用。您需要名为“DigiCert 高保证 EV 根 CA”,并且需要将其转换为PEM。
获取 DigiCert 高保证 EV 根 CA
$ wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
--2016-10-13 16:34:12-- https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt
Resolving www.digicert.com (www.digicert.com)... 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|64.78.193.234|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 969 [application/x-x509-ca-cert]
Saving to: ‘DigiCertHighAssuranceEVRootCA.crt’
DigiCertHighAssuran 100%[===================>] 969 --.-KB/s in 0s
2016-10-13 16:34:13 (11.6 MB/s) - ‘DigiCertHighAssuranceEVRootCA.crt’ saved [969/969]
$
将证书转换为 PEM
$ openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -inform DER \
-out DigiCertHighAssuranceEVRootCA.pem -outform PEM
$
连接并验证
$ openssl s_client -connect facebook.com:443 -servername facebook.com \
-tls1 -CAfile DigiCertHighAssuranceEVRootCA.pem
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = CA, L = Menlo Park, O = "Facebook, Inc.", CN = *.facebook.com
verify return:1
Server did acknowledge servername extension.
---
Certificate chain
0 s:/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./CN=*.facebook.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
...
Start Time: 1476391066
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
然而我得到的只是:
1737:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
只是猜测,但是...尝试使用 SNI(-servername
选项)和 TLS 1.0 或更高版本(-tls1
选项适用于 TLS 1.0)。