IIS no longer trusts any CA for client authentication


Yesterday, IIS on our build server (running Windows Server 2012) started rejecting our clients' certificates. The certificates are signed with our own self-signed CA certificate, which has been added to Trusted Root Certification Authorities (Local Computer). Until yesterday everything worked fine. I have been desperately trying to find out what change could have caused this. I don't see any Schannel errors or warnings in Event Viewer.

However, after running openssl on the server I found something suspicious. It looks like IIS isn't sending any CA in its list of trusted client certificate authorities. The log looks like this:

CONNECTED(00000144)
depth=0 CN = Localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = Localhost
verify return:1
---
Certificate chain
 0 s:/CN=Localhost
   i:/CN=Localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC+zCCAeOgAwIBAgIQOkacw1RkE4tI9+HnyEXFvzANBgkqhkiG9w0BAQsFADAU
MRIwEAYDVQQDEwlMb2NhbGhvc3QwHhcNMTMwODA1MDgwOTU1WhcNMzkxMjMxMjM1
OTU5WjAUMRIwEAYDVQQDEwlMb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC/kc5BLMcmuNoZe8jkrJQt/kZFD7EnVOtvEEJt0dZJG008TqXD
MdXnybBWPCbvQIFoxREY6wjPExcU39SzbCWLGV99Z+eR0zFkOpK3SSppe9fulkP7
ktiDWTSkgJUx1/EpHeJHL1hy7YKRFYOtPlewZYjaklh/wND5F88mOri/lEoENpWO
0fLrJS+Nnizeti7LEzstNtU7+AH4h6njCujrQwjwdCr1QTggjLj3iOy7fpUqYwKe
mNGNIAR8XI06JzYAFDpcdo4PMZScNfd0cqcMIHJuWUoaciW9qwrbHWyr1B3hBCX0
luQSF4uHVbT+8yOI4fOWL4PTL/6ZNEfl4WrxAgMBAAGjSTBHMEUGA1UdAQQ+MDyA
EHhoR/6NVn2yfadGy1PvZ26hFjAUMRIwEAYDVQQDEwlMb2NhbGhvc3SCEDpGnMNU
ZBOLSPfh58hFxb8wDQYJKoZIhvcNAQELBQADggEBAIujtVAr3UvG7dB55SBgQP5p
AiOum0DM9xULarl+Wz/GdTvdK65PcUB34DlG8pEhz5nRsX5I/nZvLF/7U5OCICp2
Gnvbm2jLYnlacB16+ds/4cgG65a/CddSdVyRIYa2YdGXZGiJ6zTkEQWEH4tXmkO+
InzHsBEVO1MT1nAfkZp6MzgEbCv8Xus3QIxdnJZZYHMzXcD+48oQEfP5BhHXW/iN
MlNsuN8wwwpS61r2g9Bu8AhMcbnvoMNdYbBtPC5+ltlOQK0RNNTcqOr4kJj/BwO3
fGS8/lh9FTZFq8c4ES94hoEu4szUfA4jkTvt9SWossOBPehhIWKUgx5MIdC6Hgc=
-----END CERTIFICATE-----
subject=/CN=Localhost
issuer=/CN=Localhost
---
No client certificate CA names sent
---
SSL handshake has read 1291 bytes and written 487 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: C1480000D74420B9A5C00326C73B6ACC652ED4D077CD02C72CE347CE2F603CA8

    Session-ID-ctx:
    Master-Key: F8E3625F2A36FE2CA963F2FE2A0774B7B6AEEC0D0592DC9CD46C5FC98ADECD77
82FE8CF91D71C318A970BEEA4BE384A8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1377623899
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

read:errno=10054
---
Certificate chain
 0 s:/CN=Localhost
   i:/CN=Localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/CN=Localhost
issuer=/CN=Localhost
---
**No client certificate CA names sent**
---
SSL handshake has read 1291 bytes and written 556 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: C1480000D74420B9A5C00326C73B6ACC652ED4D077CD02C72CE347CE2F603CA8

    Session-ID-ctx:
    Master-Key: F8E3625F2A36FE2CA963F2FE2A0774B7B6AEEC0D0592DC9CD46C5FC98ADECD77
82FE8CF91D71C318A970BEEA4BE384A8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1377623899
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Note the text: No client certificate CA names sent. When I debug with our Java client I seem to get the same problem; during the handshake it shows: "Cert Authorities:".

My understanding is that IIS should return all certificates in Trusted Root Certification Authorities. Running the same request against IIS on my local development machine confirms this: that IIS server returns a large number of certificates (including our self-signed CA certificate).

So my question is: why does IIS no longer return any trusted CA certificates during the handshake?

Update 1: By turning on verbose CAPI logging I found some more information.

- UserData 
  - CertGetCertificateChain 
  - Certificate 
   [ fileRef]  4FEA293C62EAF436D286F700F618814E72D49347.cer 
   [ subjectName]  lIv-zQE|3M-OywU 

  - AdditionalStore 
  - Certificate 
   [ fileRef]  4FEA293C62EAF436D286F700F618814E72D49347.cer 
   [ subjectName]  lIv-zQE|3M-OywU 

  - ExtendedKeyUsage 
  - Usage 
   [ oid]  1.3.6.1.5.5.7.3.2 
   [ name]  Client Authentication 

  - Flags 
   [ value]  40000004 
   [ CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL]  true 
   [ CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT]  true 

  - ChainEngineInfo 
   [ context]  machine 

  - CertificateChain 
   [ chainRef]  {317A4B99-2193-4AA6-9D3D-768AF747C66D} 
  - TrustStatus 
  - ErrorStatus 
   [ value]  1010040 
   [ CERT_TRUST_REVOCATION_STATUS_UNKNOWN]  true 
   [ CERT_TRUST_IS_OFFLINE_REVOCATION]  true 
   [ CERT_TRUST_IS_PARTIAL_CHAIN]  true 

  - InfoStatus 
   [ value]  0 

  - ChainElement 
  - Certificate 
   [ fileRef]  4FEA293C62EAF436D286F700F618814E72D49347.cer 
   [ subjectName]  lIv-zQE|3M-OywU 

  - SignatureAlgorithm 
   [ oid]  1.2.840.113549.1.1.11 
   [ hashName]  SHA256 
   [ publicKeyName]  RSA 

  - PublicKeyAlgorithm 
   [ oid]  1.2.840.113549.1.1.1 
   [ publicKeyName]  RSA 
   [ publicKeyLength]  2048 

  - TrustStatus 
  - ErrorStatus 
   [ value]  1000040 
   [ CERT_TRUST_REVOCATION_STATUS_UNKNOWN]  true 
   [ CERT_TRUST_IS_OFFLINE_REVOCATION]  true 

  - InfoStatus 
   [ value]  4 
   [ CERT_TRUST_HAS_NAME_MATCH_ISSUER]  true 

  - ApplicationUsage 
   [ any]  true 

   IssuanceUsage 

  - RevocationInfo 
  - RevocationResult The revocation function was unable to check revocation because the revocation server was offline. 
   [ value]  80092013 

  - EventAuxInfo 
   [ ProcessName]  lsass.exe 

  - CorrelationAuxInfo 
   [ TaskId]  {11C0F7E0-B3E6-4B4B-AA98-9A2AE7800A03} 
   [ SeqNumber]  3 

  - Result A certificate chain could not be built to a trusted root authority. 
   [ value]  800B010A 
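The openssl transcript above was read by eye. As an added example (not part of the original question or answers), the script below turns the same check into something scriptable: it classifies an `openssl s_client` transcript by what the server said about client-certificate issuers. The sample transcripts are constructed for the self-check and stand in for no real server; the live probe assumes openssl is on PATH and that the host part of host:port is the right SNI name. One caveat the check preserves: openssl prints "No client certificate CA names sent" whenever the list it received was empty, so that line alone does not prove the server never asked for a client certificate.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answers.
# Classifies an `openssl s_client` transcript by what the server said about
# client-certificate issuers, so the check can be scripted instead of eyeballed.
#
# classify_ca_list reads a transcript on stdin and returns:
#   0  the server advertised a CA list; the issuer DNs are printed one per line
#   1  the transcript contains "No client certificate CA names sent", i.e. the
#      list openssl received was empty (this alone does not prove the server
#      never requested a client certificate)
#   2  neither line is present (handshake did not get that far, or the output
#      was truncated)
set -u

classify_ca_list() {
  local transcript
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -q '^No client certificate CA names sent'; then
    return 1
  fi
  if printf '%s\n' "$transcript" | grep -q '^Acceptable client certificate CA names'; then
    # The DNs sit between the header line and the next "---" separator.
    printf '%s\n' "$transcript" \
      | sed -n '/^Acceptable client certificate CA names/,/^---/p' \
      | sed '1d;$d'
    return 0
  fi
  return 2
}

# Live probe of host:port (assumes openssl is on PATH and that the host part
# is the correct SNI name). stdin is closed so s_client exits after the
# handshake instead of waiting for input.
probe_host() {
  local hostport=$1
  openssl s_client -connect "$hostport" -servername "${hostport%%:*}" \
    </dev/null 2>/dev/null | classify_ca_list
}

# Constructed sample transcripts, trimmed to the relevant section (no real servers).
SAMPLE_EMPTY='---
No client certificate CA names sent
---
SSL handshake has read 1291 bytes and written 487 bytes'

SAMPLE_LIST='---
Acceptable client certificate CA names
/CN=Build CA
/DC=example/DC=internal/CN=Corp Issuing CA 1
---
SSL handshake has read 2048 bytes and written 487 bytes'

SAMPLE_NONE='---
SSL handshake has read 1291 bytes and written 487 bytes'

# Prints the classification of one named transcript.
report() {
  printf '%s: ' "$1"
  printf '%s\n' "$2" | classify_ca_list
  echo "rc=$?"
}

# Self-check on the constructed samples: ./check_ca_list.sh --self-check
if [ "${1:-}" = "--self-check" ]; then
  report SAMPLE_EMPTY "$SAMPLE_EMPTY"
  report SAMPLE_LIST "$SAMPLE_LIST"
  report SAMPLE_NONE "$SAMPLE_NONE"
fi
```

Usage: `probe_host build.example.internal:443` prints the advertised issuer DNs and returns 0, returns 1 for the empty-list case seen in the question, and 2 if the handshake never reached that point. Running the probe from a second machine is worthwhile, because the question's transcript was taken on the server itself and a local run can differ from what clients actually see.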

Answer 1

I ran into the same problem, and I finally figured out that the site was actually working fine; I was just being misled by the openssl message (it is only the negotiation).

The correct steps are:

  1. Set up the IIS SSL binding correctly
  2. Run `netsh http show sslcert` and copy the values
  3. Overwrite the server SSL certificate binding with `netsh http update sslcert ipport=0.0.0.0:443 certhash=.... appid=.... sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable` (or `netsh http delete` followed by `netsh http add`)
  4. Verify that the settings have been applied with `netsh http show sslcert`
  5. (Windows 2012 R2 only) Set `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList` to 1

clientcertnegotiation is needed for the list to be shown to browsers/openssl; with it disabled, a well-configured client can still send the correct certificate.

Answer 2

I've had the same problem before, and it seemed to happen after a Windows update. It has happened to me more than once (Server 2003 and Server 2008). I struggled to find a proper solution for self-signed certificates. I often wondered whether the machine key had changed, or whether the algorithm had changed? Could that still happen after a Windows update? Once we discovered that antivirus software was causing problems I would check that as well, especially the products with all the "anti-spyware"/"secure internet browser" and "malware" features; AVG is guilty on that front.

Anyway, what we did was recreate the certificate and reinstall it on the local machines; the client base is small, so it was easy to roll out. The best solution is to use a "cheap" wildcard certificate for build, test and staging servers. Wildcard certificates save a lot of time and are very useful for "spontaneous" client demos.
