到目前为止,我已经使用 HTTPS 很长时间了,所以我认为服务器证书没有任何问题。现在我尝试将其添加到 lighttpd.conf 中:
ssl.engine = "enable"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.pemfile = "/etc/ssl/private/steinbitglis.domain.pem"
ssl.ca-file = "/etc/ssl/private/GandiStandardSSLCA.pem"
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "enable"
lighttpd 错误日志显示如下:
(connections.c.299) SSL: 1 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Firefox 声明如下:
ssl_error_handshake_failure_alert
我的目标是用浏览器证书替换用户名+密码,但我甚至还无法从浏览器请求任何证书。如果有人知道一个好的来源来了解我使用这项技术所需的所有细节,那就太好了。
这是我从远程机器进行的测试。
$ openssl s_client -CAfile GandiStandardSSLCA.pem -showcerts -connect steinbitglis.domain:443
CONNECTED(00000003)
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = steinbitglis.domain
verify return:1
139713412519584:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1195:SSL alert number 40
139713412519584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=steinbitglis.domain
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=steinbitglis.domain
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
Acceptable client certificate CA names
/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
SSL handshake has read 2657 bytes and written 347 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID: CFD6D9A88B96888E9114F1EFF5DD23C83082D24F571B30105BA793FD06A1C311
Session-ID-ctx:
Master-Key: 4106EE7BB7FF8DE9793431CFFD4175842D02C08AC055D315DBEF7B9BCAD3FF5032769A18775142BEA2AF9E80694A32B3
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1338161044
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
答案1
No client certificate CA names sent
这意味着 Lighttpd 不会告诉客户端哪些 CA 对客户端证书有效。这通常意味着客户端不会发送客户端证书(因为它无法决定使用哪个证书)。
这不是很清楚,但是第 1288 章意味着ssl.ca-file
指令用于指定客户端身份验证的受信任 CA,我认为这将用于将可接受的 CA 列表发送给客户端。确保您的 CAca-file
包含客户端证书由其签名的 CA。