Debugging a mutual-authentication SSL handshake

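I have a load balancer configured for mutual-authentication SSL. As far as I know, the load balancer has been configured with an Entrust certificate and has our own CA installed as a trusted root.

On the client side, I have installed our CA as a trusted root and a signed certificate from the CA as a personal certificate.

When I connect with Internet Explorer, I am prompted to choose a certificate and the client certificate is there, but as soon as I select it the page fails.

When I connect with my Java application, I have Entrust in my truststore and the client .p12 in my keystore, but the SSL handshake fails.

Using OpenSSL I get the following: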

openssl s_client -connect xxx.xxx.xxx:443 -state -nbio
Loading 'screen' into random state - done
CONNECTED(00000134)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
read R BLOCK
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
1688:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1053:SSL alert number 40
1688:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:838:

Can anyone help me work out what the problem is? Is the problem on the client or the server? Which certificate?
