我正在尝试连接到安装了 RapidSSL 256 位证书的 Windows 2012 R2 服务器上的服务器 SMTP。我需要测试 SMTP 服务器是否可以向我们的一位客户发送电子邮件,该客户的证书似乎存在问题。他们告诉我我的证书无法支持新的 SHA256 加密,但这是错误的。这是我启动的命令:
openssl s_client -starttls smtp -connect www.omniservice2.it:25 -crlf
我得到了这个:
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=www.omniservice2.it
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=www.omniservice2.it
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 3697 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
Start Time: 1487243991
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 OK
然后我选择:
HELO
AUTH LOGIN
然后我输入以 base64 编码的用户名/密码。凭证是正确的,它们是正常的 Windows 身份验证用户名/密码,并且我们所有的 .NET 应用程序都可以正确使用它们来访问 SMTP 服务器。因此,以 base64 编码的凭证肯定是正确的,但输入后,系统提示 DONE,连接关闭,shell 返回。这是什么意思?
这是我的命令的顺序:
>HELO
250 www.omniservice2.it Hello [37.159.171.6]
>AUTH LOGIN
>334 VNXlcm5hbWU6
(my Windows username encoded in base64)
>334 UGFzc3dvcmQ6
(my Windows password encoded in base 64)
>DONE
>prompt returned here
如果在 HELO 之后我发送STARTTLS命令,它会告诉我已启动了 TLS 会话。如前所述,我确实需要直接连接并测试该 SMTP 服务器,并找出它无法向该唯一客户发送电子邮件的原因。我的证书可能出了什么问题?
更新
这是我使用 PLAIN 身份验证模式尝试的结果,均使用 telnet 和 openssl:
telnet www.omniservice2.it 25
Trying 94.177.162.33...
Connected to www.omniservice2.it.
Escape character is '^]'.
220 www.omniservice2.it Microsoft ESMTP MAIL Service, Version: 8.5.9600.16384 ready at Thu, 16 Feb 2017 16:28:00 +0100
EHLO www.omniservice2.it
250-www.omniservice2.it Hello [37.159.171.6]
250-TURN
250-SIZE 4194304
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK
STARTTLS
220 2.0.0 SMTP server ready
AUTH PLAIN
Connection closed by foreign host.
MacBook-Pro-di-lorenzo:~ lory$ openssl s_client -starttls smtp -connect www.omniservice2.it:25 -crlf
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=www.omniservice2.it
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=www.omniservice2.it
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 3697 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: B61C00007D21763C94DBF1394AEC1B84768F4DAED89FC3BEC2E74A0321090A71
Session-ID-ctx:
Master-Key: 829BFD1853358B1471837EDEAD068905D9652E7A33121BF6186BBC971F20DB5FBEC0658464DAC6040DD5FD9ACB3BA4AA
Key-Arg : None
Start Time: 1487258920
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 OK
AUTH PLAIN
504 5.7.4 Unrecognized authentication type
答案1
我为这个问题苦苦思索了好几天才发现 openssl s_client 将密码开头的 Q 字符解释为“退出”命令并关闭连接。
如果您的密码在 base64 编码时以 Q 开头,请将其-quiet作为开关传递给 openssl s_client 命令,它将停止关闭连接。
答案2
另一个解决方法是在密码前添加一个空格字符。在我的例子中,身份验证成功。