I am running an openssl server on a CentOS device. I am using an expired certificate and want to see the "certificate authority error" message in /var/log/messages, but my syslog does not record any authentication messages. How can I fix this?
Expected message:
Certificate error: authority and subject key identifier mismatch
Steps: On the server:
openssl s_server -debug -accept 4443 -cert /tmp/expired.crt -key /tmp/expired.key -tls1 -no_dhe -WWW -cipher DES-CBC3-SHA 1>/tmp/server-normal-tls1-DES-CBC3-SHA-STDOUT 2>/tmp/server-normal-tls1-DES-CBC3-SHA-STDERR &
On the client:
openssl s_client -connect 5.0.0.1:4443 -tls1 -CAfile /tmp/all.pem -cipher DES-CBC3-SHA 1>/tmp/client-normal-tls1-DES-CBC3-SHA-STDOUT 2>/tmp/client-normal-tls1-DES-CBC3-SHA-STDERR; echo
Observe /var/log/messages on the server:
[root@<hostname> ~]# cat /var/log/messages
<6>1 2020-07-01T00:04:46.230901+05:30 <hostname> kernel - - e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
<6>1 2020-07-01T00:04:46.238043+05:30 <hostname> kernel - - ADDRCONF(NETDEV_UP): eth0: link is not ready
<6>1 2020-07-01T00:04:46.238084+05:30 <hostname> kernel - - 8021q: adding VLAN 0 to HW filter on device eth0
<6>1 2020-07-01T00:04:46.263186+05:30 <hostname> kernel - - ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
<189>1 2020-07-01T00:04:46.354565+05:30 <hostname> NET 3206 - - /etc/sysconfig/network-scripts/ifup-post : updated /etc/resolv.conf
<6>1 2020-07-01T00:04:46.421362+05:30 <hostname> kernel - - e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
<6>1 2020-07-01T00:04:46.428795+05:30 <hostname> kernel - - ADDRCONF(NETDEV_UP): eth1: link is not ready
<6>1 2020-07-01T00:04:46.428838+05:30 <hostname> kernel - - 8021q: adding VLAN 0 to HW filter on device eth1
<6>1 2020-07-01T00:04:46.444970+05:30 <hostname> kernel - - ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
<6>1 2020-07-01T00:04:46.581818+05:30 <hostname> kernel - - e1000: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
<6>1 2020-07-01T00:04:46.589378+05:30 <hostname> kernel - - ADDRCONF(NETDEV_UP): eth2: link is not ready
<6>1 2020-07-01T00:04:46.589391+05:30 <hostname> kernel - - 8021q: adding VLAN 0 to HW filter on device eth2
<6>1 2020-07-01T00:04:46.605267+05:30 <hostname> kernel - - ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready
<189>1 2020-07-01T00:04:47.419669+05:30 <hostname> NET 3368 - - /etc/sysconfig/network-scripts/ifdown-post : updated /etc/resolv.conf
<6>1 2020-07-01T00:04:47.829926+05:30 <hostname> kernel - - e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
<6>1 2020-07-01T00:04:47.842681+05:30 <hostname> kernel - - ADDRCONF(NETDEV_UP): eth1: link is not ready
<6>1 2020-07-01T00:04:47.842802+05:30 <hostname> kernel - - 8021q: adding VLAN 0 to HW filter on device eth1
<6>1 2020-07-01T00:04:47.871609+05:30 <hostname> kernel - - ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
<30>1 2020-07-01T00:04:48.209339+05:30 <hostname> dnsmasq 1911 - - reading /etc/resolv.conf
<30>1 2020-07-01T00:04:48.209377+05:30 <hostname> dnsmasq 1911 - - using nameserver 10.204.208.221#53
<30>1 2020-07-01T00:04:48.209389+05:30 <hostname> dnsmasq 1911 - - using nameserver 10.204.208.219#53
<30>1 2020-07-01T00:04:48.209398+05:30 <hostname> dnsmasq 1911 - - using nameserver 10.216.116.220#53
<30>1 2020-07-01T00:04:48.209416+05:30 <hostname> dnsmasq 1911 - - using local addresses only for unqualified names
<6>1 2020-07-01T00:04:48.821696+05:30 <hostname> kernel - - e1000: eth2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
<6>1 2020-07-01T00:04:48.829409+05:30 <hostname> kernel - - ADDRCONF(NETDEV_UP): eth2: link is not ready
<6>1 2020-07-01T00:04:48.829418+05:30 <hostname> kernel - - 8021q: adding VLAN 0 to HW filter on device eth2
<6>1 2020-07-01T00:04:48.845368+05:30 <hostname> kernel - - ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready
<13>1 2020-07-01T00:12:41.993789+05:30 <hostname> root 3800 - - hello
<6>1 2020-07-01T00:28:41.528583+05:30 <hostname> kernel - - Kernel logging (proc) stopped.
<46>1 2020-07-01T00:28:41.539523+05:30 <hostname> rsyslogd - - [origin software="rsyslogd" swVersion="5.8.10" x-pid="1229" x-info="http://www.rsyslog.com"] exiting on signal 15.
/etc/rsyslog.conf configuration:
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;user;auth;authpriv;cron.none;syslog;daemon /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Answer 1
The reason is simple: whatever software you are using does not send messages to the system logger. OpenSSL itself is not meant to run as a daemon, and by default (or at all) it is not configured to log to the system logger.
A process must deliberately emit messages to the system logger for rsyslog (or another system logger) to receive them and eventually write them to a log file or elsewhere.
Answer 2
You are asking why the SSL server (openssl s_server) does not log the reason its own SSL server certificate failed verification.
I don't believe this is possible. The server certificate is (normally) not verified by the server.
The server certificate is verified by the client. Specifically, an expired certificate fails because the "Not after" date is in the past relative to the system clock of the client. Since the server does not know (it can only guess) what time the client thinks it is, the server can never truly know whether the client will accept the certificate.
AFAIK, when a certificate fails verification on the client, the client does not tell the server why verification failed. It just closes the connection because it does not trust the server at all.
As Pedro pointed out, openssl s_server is not expected to write to syslog. Even if it could determine why the client disconnected, it has no option to do so (AFAIK). You need to capture the output and publish it via a syslog client such as logger.