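I have a load balancer configured for mutual-authentication SSL. As far as I know, the load balancer has been configured with an Entrust certificate and has our own CA installed as a trusted root.
On the client side, I have installed our CA as a trusted root and the signed certificate from the CA as a personal certificate.
When I connect with Internet Explorer, I am prompted to choose a certificate and the client certificate is there, but once I select it, the page fails.
When I connect with my Java application, I have Entrust in my truststore and the client .p12 in my keystore, but the SSL handshake fails.
Using OpenSSL I get the following: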
openssl s_client -connect xxx.xxx.xxx:443 -state -nbio
Loading 'screen' into random state - done
CONNECTED(00000134)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
write R BLOCK
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL_connect:error in SSLv3 read finished A
read R BLOCK
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
1688:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1053:SSL alert number 40
1688:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:838:
Can anyone help me figure out what the problem is? Is the problem on the client or on the server? Which certificate?
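An added example, not part of the original question: a small Python parser for the `-state` trace above that reports which handshake steps completed and which side sent the alert. It assumes the state-string wording printed by the OpenSSL build in the trace, including `write certificate verify` for the CertificateVerify message; `analyze` and `TRACE` are names chosen here.

```python
import re

# Lines copied from the s_client trace in the question above (shortened).
TRACE = """\
SSL_connect:SSLv3 read server hello A
verify error:num=20:unable to get local issuer certificate
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL3 alert read:fatal:handshake failure
"""

def analyze(trace):
    """Summarise an `openssl s_client -state` trace of a mutual-TLS handshake."""
    # Completed handshake steps, e.g. ("write", "client certificate").
    steps = re.findall(r"^SSL_connect:SSLv3 (read|write) (.+) [A-D]$", trace, re.M)
    r = {
        "cert_requested": ("read", "server certificate request") in steps,
        # A client that presents a certificate also proves possession of its
        # key with CertificateVerify (state string assumed, see lead-in).
        "proof_sent": ("write", "certificate verify") in steps,
        "verify_errors": [int(n) for n in
                          re.findall(r"^verify error:num=(\d+):", trace, re.M)],
        "fatal_alerts": re.findall(r"^SSL3 alert read:fatal:(.+)$", trace, re.M),
        "last_written": next((m for d, m in reversed(steps) if d == "write"), None),
        "findings": [],
    }
    if r["cert_requested"] and not r["proof_sent"]:
        r["findings"].append("server requested a client certificate, but no "
                             "CertificateVerify followed: the certificate list was empty")
    if 20 in r["verify_errors"]:
        r["findings"].append("issuer of the server chain is missing from the "
                             "client's trust store (s_client continues anyway)")
    if r["fatal_alerts"] and r["last_written"] == "finished":
        r["findings"].append("server sent the fatal alert after the client's "
                             "Finished: " + r["fatal_alerts"][0])
    return r

if __name__ == "__main__":
    for line in analyze(TRACE)["findings"]:
        print("-", line)
```

The `openssl s_client` command in the question passes no `-cert`/`-key`, so this trace shows a handshake with no client certificate and does not reproduce what Internet Explorer or the Java client sends.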