避免客户端需要 CAfile

避免客户端需要 CAfile

我正在尝试配置我的 apache,以便它能够传递所有证书文件,从而始终获得肯定的验证。
为了明确起见,任何浏览器都没有问题,我说的是openssl s_clientcurl

例如运行openssl s_client将给出以下输出:

CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/CN=xxx
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
...
subject=/C=DE/CN=xxx
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4602 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: C45A306052F9815DF5ED7CDC7B6AD21FE4E54AC47A7B51BF3BF433748DECB318
    Session-ID-ctx:
    Master-Key: 8396742DE006FC8CEAEDE280B2CD839D0575D1FAD51498C855825BED82D484CC28F8F1D9F549512F08182FCD3BFF3FCD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 67 85 0d a9 99 68 b2 cc-d6 fb a6 8f ee ba 67 4f   g....h........gO
    0010 - 09 c1 e9 a3 1d 3e a0 49-96 54 7f df cf 0d fb ef   .....>.I.T......
    0020 - 57 3c c3 b4 8b e2 d9 b2-c1 92 db c7 c1 0c 3f 4b   W<............?K
    0030 - 1c 3b 14 f4 bf 8d 94 09-7f 00 f7 20 9a 2b 6f f0   .;......... .+o.
    0040 - 34 48 d2 68 a5 e5 a0 58-3c 84 8b aa 3b 9a 27 27   4H.h...X<...;.''
    0050 - 16 4b cd 3d cb 74 40 b8-08 96 a4 95 52 86 f4 aa   [email protected]...
    0060 - d9 38 fb 9f 3f fc a8 ab-b9 c9 72 20 cd 3c 75 06   .8..?.....r .<u.
    0070 - 2e b6 81 df bb e1 a6 b7-f4 bb 52 e1 8c ba 20 42   ..........R... B
    0080 - e5 db 5c 48 cd 30 d6 f2-23 24 c6 be 6c 23 09 fa   ..\H.0..#$..l#..
    0090 - 9a cf 44 78 13 e7 f6 3e-7d c1 4e e3 1f 81 08 46   ..Dx...>}.N....F
    00a0 - 49 3c 0e 80 00 d4 f5 f1-ad 95 99 9d 6f 33 e9 62   I<..........o3.b
    00b0 - b2 82 14 a2 5d 82 95 49-88 8c 54 e2 d4 64 a6 1d   ....]..I..T..d..
    00c0 - e0 0f 75 88 57 ec 9a 81-41 0c 7b 71 81 8a 93 34   ..u.W...A.{q...4

    Start Time: 1411561048
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
closed

我的 apache 配置如下:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl/....cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/....key.pem
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

我也尝试使用ca-捆绑包.pem作为SSL证书链文件和/或SSLCA证书文件.
第二项成果19(证书链中的自签名证书)

我如何配置 apache 来提供“正确的” CA 文件以避免在客户端上安装 CA 证书?

怎么了?

谢谢任何提示。

答案1

您无法避免在客户端上安装顶级 CA 证书,CA 证书是建立信任链所必需的。中间证书可以由远程主机或 Apache 提供,但 CA 信任链的顶部,即公共 CA 根证书需要存在于客户端上。

从您的输出来看,您的网络服务器似乎具有由 StartCom Ltd. 又名 Startssl 颁发的证书。

看起来运行 openssl 和 cURL 的主机上的 CA 捆绑证书或 CA 目录不包含 StartCom Ltd. CA 证书,或者在运行这些实用程序时未加载 CA 捆绑证书或目录。我认为这就是导致错误的原因verify error:num=20:unable to get local issuer certificate

我手头没有纯 Debian 机器,但 Ubuntu 可能足够类似,它/etc/ssl/certs是 CA 证书的目录。您可以尝试使用 openssl 命令行上的--CAfile <filename>或强制 CA 文件-CApath /etc/ssl/certs是否正常工作。

相关内容