How to compare 2 SSL certificates

I ran into a problem that I have been trying to solve for a few days.

We have a production server with a certificate that supports TLS1, TLS1.1, TLS1.2. We also have a staging server that we use to test some devices, and it only runs TLS1.1 and TLS1.2.

As far as I can tell, all the certificate changes look the same.

Problem:

When we connect the device to production, it works fine.

When we connect the device to staging, it does not connect.

First, staging, which closes the connection.

openssl s_client -connect xxxx.bac.com:443 -status -state -quiet
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = BM, O = ABC Limited, CN = ABCDF Root CA 2
verify return:1
depth=1 C = US, O = AAAB , CN = CCDE SSL ICA G2
verify return:1
depth=0 C = CA, ST = ME, L = CCC, O = "xxxx.", CN = xxxx.bac.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify

Production below, works fine.

openssl s_client -connect prod.bac.com:443 -quiet  -state -status
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = BM, O = ABSC, CN = ABSC Root CA 2
verify return:1
depth=1 C = US, O = DFFFF, CN = DDFF SSL ICA G2
verify return:1
depth=0 C = CA, ST = ME, L = LEEE, O = "BAC", CN = prod.bac.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

What could be the problem here? I suspect it might be due to TLS_FALLBACK.

Connecting to prod, prod works.

New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: B5B4E0FECC197987CAB113484FC33305B257F18F
    Session-ID-ctx: 
    Master-Key: 5EA2D034F4EF9E0F583B58F1437593F1162269C181EF922B2647A796F813C6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1567782512
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Connection to stage-bac.com does not work.

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 8055139B925BED1F834E141ED740A2762254213C0DD3
    Session-ID-ctx: 
    Master-Key: 4041914ACE614C18EC696960FD08057E9E348538A2D448184FE3FE18432
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

Any idea where the problem might be? Why can't the connection be established?
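As an added example (not part of the original question), the Python below parses the `openssl s_client -state` traces quoted above and checks what a reader would want to know first: in both traces the handshake reaches `read finished A`, so certificate verification passed, and only the staging trace then shows an orderly `close notify` sent by the server. The sample traces are constructed, abbreviated excerpts of the two sessions in the post; the diff of negotiated parameters (cipher and key exchange, secure renegotiation, session tickets) points at server configuration rather than at the certificate.

```python
# Constructed, abbreviated excerpts of the two `openssl s_client -state` traces quoted in the post.
STAGE_TRACE = """\
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    TLS session ticket lifetime hint: 7200 (seconds)
"""
PROD_TRACE = """\
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 read finished A
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""

def parse_s_client(text):
    """Summarise an `openssl s_client -state` trace: did the handshake finish, did the
    server then send close_notify, and which session parameters were negotiated."""
    info = {"handshake_complete": False, "closed_after_handshake": False, "session_ticket": False}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("SSL_connect:") and line.endswith("read finished A"):
            info["handshake_complete"] = True        # server Finished verified: handshake done
        elif "close notify" in line and info["handshake_complete"]:
            info["closed_after_handshake"] = True    # orderly shutdown by the peer, not a TLS failure
        elif line.startswith("Secure Renegotiation"):
            info["secure_renegotiation"] = "NOT" not in line
        elif line.startswith("TLS session ticket"):
            info["session_ticket"] = True
        elif ":" in line and not line.startswith("SSL"):
            key, _, value = line.partition(":")     # "Protocol  : TLSv1.2" style fields
            info[key.strip()] = value.strip()
    return info

def key_exchange(cipher):
    """Infer the key-exchange method from an OpenSSL cipher-suite name."""
    return "ECDHE" if cipher.startswith("ECDHE-") else "DHE" if cipher.startswith("DHE-") else "RSA"

def compare(a, b):
    """Return the negotiated parameters that differ between two parsed traces."""
    keys = ("Protocol", "Cipher", "secure_renegotiation", "session_ticket")
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}
```

On a full saved trace, `parse_s_client(open("stage.txt").read())` works the same way, since the parser only looks at the state lines and the `SSL-Session` fields.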