如何设置 lighttpd 进行 x.509 客户端证书认证

tag-icon tag-icon ssl http lighttpd certificate
如何设置 lighttpd 进行 x.509 客户端证书认证

到目前为止,我已经使用 HTTPS 很长时间了,所以我认为服务器证书没有任何问题。现在我尝试将其添加到 lighttpd.conf 中:

ssl.engine                  = "enable"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.pemfile                 = "/etc/ssl/private/steinbitglis.domain.pem"
ssl.ca-file                 = "/etc/ssl/private/GandiStandardSSLCA.pem"
ssl.verifyclient.activate   = "enable"
ssl.verifyclient.enforce    = "enable"

lighttpd 错误日志显示如下:

(connections.c.299) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

Firefox 声明如下:

ssl_error_handshake_failure_alert

我的目标是用浏览器证书替换用户名+密码,但我甚至还无法从浏览器请求任何证书。如果有人知道一个好的来源来了解我使用这项技术所需的所有细节,那就太好了。

这是我从远程机器进行的测试。

$ openssl s_client -CAfile GandiStandardSSLCA.pem -showcerts -connect steinbitglis.domain:443
CONNECTED(00000003)
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = steinbitglis.domain
verify return:1
139713412519584:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40
139713412519584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=steinbitglis.domain
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=steinbitglis.domain
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
Acceptable client certificate CA names
/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
SSL handshake has read 2657 bytes and written 347 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: CFD6D9A88B96888E9114F1EFF5DD23C83082D24F571B30105BA793FD06A1C311
    Session-ID-ctx: 
    Master-Key: 4106EE7BB7FF8DE9793431CFFD4175842D02C08AC055D315DBEF7B9BCAD3FF5032769A18775142BEA2AF9E80694A32B3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1338161044
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

答案1

No client certificate CA names sent

这意味着 Lighttpd 不会告诉客户端哪些 CA 对客户端证书有效。这通常意味着客户端不会发送客户端证书(因为它无法决定使用哪个证书)。

这不是很清楚,但是第 1288 章意味着ssl.ca-file指令用于指定客户端身份验证的受信任 CA,我认为这将用于将可接受的 CA 列表发送给客户端。确保您的 CAca-file包含客户端证书由其签名的 CA。

相关内容