Debugging HTTP 403 Forbidden when using cURL with mutual TLS (mTLS)


I'm new to security, but I'm trying to send a request to a server using mutual authentication. I was given:

  1. a CA pem file
  2. a client certificate pem file
  3. a private key pem file

Now I'm trying to establish a connection to the server, but it keeps returning a 403 error, and I'm not sure how to debug it from here.

I'm running the following command with cURL:

curl -H "Content-Type: application/json" -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" --cacert ca.pem --key privateKey.pem --cert client.pem https://svc.server.com -d '{}'

Log showing the HTTP 403 error:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 222.222.222.222:443...
* Connected to svc.server.com (222.222.222.222) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: ca.pem
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [63 bytes data]
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5573 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [5482 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [4024 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
} [264 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=BE; L=Waterloo; O=International Corporated; OU=BIP0 AIDC; CN=svc.server.com
*  start date: Apr  7 19:27:43 2020 GMT
*  expire date: Jul  6 19:57:43 2022 GMT
*  subjectAltName: host "svc.server.com" matched cert's "svc.server.com"
*  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust CA
*  SSL certificate verify ok.
} [5 bytes data]
> POST /v1/0/activate HTTP/1.1
> Host: svc.server.com
> Accept: */*
> Content-Type: application/json
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
> Content-Length: 2
>
} [2 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Type: application/json;charset=UTF-8
< Content-Length: 109
< Date: Fri, 10 Sep 2021 06:55:23 GMT
< Server: Information Not Disclosed
<
{ [109 bytes data]
100   111  100   109  100     2     86      1  0:00:02  0:00:01  0:00:01    87{
  "res": "",
  "code": "AUTHORIZATION_FAILED",
  "description": "Authorization failed."
}
* Connection #0 to host svc.server.com left intact  

I also installed the certificate on my Windows client machine, and the server team said there is no problem on their side, because other people are able to send their requests successfully.

Also, no further authentication is needed; the certificate alone should be enough.

I also checked the trace log and it looks the same: it shows the TLS handshake completing, but the same error is received.

Any help is greatly appreciated.
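A small triage helper for traces like the one above, added here as an example and not code from the question or from any answer. It reads curl's verbose output and separates the two places an mTLS request can fail: the TLS layer (the handshake never reaches Finished) and the application layer (the handshake completes, the client certificate and CertificateVerify were sent, and the server still answers 401/403, which means the server's authorization logic rejected the identity in the certificate rather than the certificate itself). The sample trace is a constructed abridgement of the question's log.

```python
import re

# Constructed sample: an abridged version of the curl -v trace in the question.
SAMPLE_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5573 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [5482 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [4024 bytes data]
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
} [264 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
*  SSL certificate verify ok.
< HTTP/1.1 403 Forbidden
"""

HANDSHAKE = re.compile(r"^\* TLSv[\d.]+ \((IN|OUT)\), TLS handshake, (.+?) \(\d+\):")
RECORD = re.compile(r"^[{}] \[(\d+) bytes data\]")
STATUS = re.compile(r"^< HTTP/[\d.]+ (\d{3})")

def parse_trace(trace):
    """Return ([(direction, message, record_bytes_or_None)], http_status_or_None)."""
    lines = trace.splitlines()
    msgs, status = [], None
    for i, line in enumerate(lines):
        m = HANDSHAKE.match(line)
        if m:  # the record size, if curl printed one, is on the following line
            nxt = RECORD.match(lines[i + 1]) if i + 1 < len(lines) else None
            msgs.append((m.group(1), m.group(2), int(nxt.group(1)) if nxt else None))
        s = STATUS.match(line)
        if s:
            status = int(s.group(1))
    return msgs, status

def triage(trace):
    """Report whether TLS client auth happened and which layer produced the failure."""
    msgs, status = parse_trace(trace)
    def seen(direction, name):
        return any(d == direction and n == name for d, n, _ in msgs)
    result = {
        "server_requested_cert": seen("IN", "Request CERT"),
        "client_sent_cert": seen("OUT", "Certificate"),
        "client_proved_key": seen("OUT", "CERT verify"),  # only sent when the client signed with its key
        "handshake_completed": seen("IN", "Finished"),
        "http_status": status,
    }
    if not result["handshake_completed"]:
        result["failing_layer"] = "tls"          # key/cert/CA mismatch or the server refused the cert
    elif status in (401, 403):
        result["failing_layer"] = "application"  # TLS auth passed; authorization rejected this identity
    else:
        result["failing_layer"] = "none" if status else "unknown"
    return result
```

When `failing_layer` is `application`, re-checking the key or CA files on the client will not change the result; the question to take to the server team is which certificate subjects or issuers their authorization layer accepts.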
