我正在排除与 EPP 服务器建立安全连接时出现的错误。我发出以下命令,发现所有服务器证书都已验证,但仍然出现错误(以粗体突出显示)。验证服务器证书时是否仍存在问题?如果存在,可能是什么问题?
编辑:我剪掉了“可接受的客户端证书 CA 名称”,因为垃圾邮件检测器不喜欢它们。
$ openssl s_client -connect otessl.verisign-grs.com:700 -key /home/ubuntu/foo.key -cert /home/ubuntu/foo.crt -CAfile /home/ubuntu/foo-cert-chain.pem -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2497886, C = US, postalCode = 20190, ST = Virginia, L = Reston, street = 12061 Bluemont Way, O = "Verisign, Inc", OU = Production Operations, CN = otessl.verisign-grs.com
verify return:1
<b>
140403406833312:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1260:SSL alert number 46
140403406833312:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
</b>
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2497886/C=US/postalCode=20190/ST=Virginia/L=Reston/street=12061 Bluemont Way/O=Verisign, Inc/OU=Production Operations/CN=otessl.verisign-grs.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
*snipped*
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2497886/C=US/postalCode=20190/ST=Virginia/L=Reston/street=12061 Bluemont Way/O=Verisign, Inc/OU=Production Operations/CN=otessl.verisign-grs.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
Acceptable client certificate CA names
*snipped - will post if needed*
---
SSL handshake has read 10228 bytes and written 4199 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 544D9C743C278DCE0AA4715E68CA7C7A3443F3596495EA3A27448B9F3E0AC575
Session-ID-ctx:
Master-Key: 77E6E234FE7313C50C04B7C8F32B0D6C9B6520A114DA4253A97FF1C200544EBB21DBC2C7ECA45DF0546A27EFB466EF4F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1414372468
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
答案1
您收到来自服务器的错误certificate unknown
,因此它指的是服务器端对客户端证书的验证,而不是客户端对服务器证书的(成功)验证。这意味着服务器不喜欢您的客户端证书。
请根据可接受 CA 列表检查您的客户端证书,确保它未被吊销,并可能执行 tcpdump/wireshark 来验证它是否确实发送到服务器。如果这没有帮助,您可以检查服务器端的日志文件以查找出错的迹象。
答案2
就我而言
错误:14094416:SSL 例程:SSL3_READ_BYTES:sslv3 警报证书未知:s3_pkt.c:1260:SSL 警报编号 46
通过添加解决了
ssl_verify_client_cert = yes
在/etc/dovecot/dovecot.conf。
答案3
我刚刚经历了类似的事情。
您可能忘记安装 CA 证书。
如果你使用的是 ubuntu 或 debian:apt-get 安装 ca 证书
答案4
就我的情况而言,客户端并不喜欢被迫执行 TLS,但是当我们在 https 服务器中添加“SSLProtocol +SSLv3”时,他们就感到很温暖和舒服 :|