我正在尝试使用 连接到 smtp.googlemail.com openssl
,从 Ubuntu 16.04 我可以登录并发送电子邮件而不会出现任何问题,但从 Centos5 我得到了这个:
/usr/local/ssl/bin/openssl s_client -starttls smtp -connect smtp.googlemail.com:587 -crlf -ign_eof
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIIZhHz2JffUYMwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYxMjE1MTM0NjI0WhcNMTcwMzA5MTMzNDAw
WjBtMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEcMBoGA1UEAwwTc210
cC5nb29nbGVtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKNjXgKkh+MP+GoDISKosZkL/UG6pdt7a/pHf4DPVMMrx/OAEWmLBQmKaV3QAJC2
qUlHhOsLcy7qtirFsUK9Y5jy6R0Ucxd7LW/REtvhwY2X8QfHm0IEnOE1CDuYrfUk
Kk7PtQxTqGxG8aei+LXLxLNFNTjbfQiObvQXREw7qXfEWQb5+0T2FOxpB+UhYx20
bNpOimB0dco/Up/v+RekBKlvS2SrOCMSeTYYReZkycriSt0pMsI0IIvkaeE1Isnx
wA23B0dz6mVUn5blHPAIiEqi7Ic/W5tBrVkUwC40aL0ZuFQUjaJ/JUXCLon8uOnD
P7VDUk0mqlDoXMvHA1XkFO0CAwEAAaOCAVAwggFMMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAeBgNVHREEFzAVghNzbXRwLmdvb2dsZW1haWwuY29tMGgG
CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t
L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j
b20vb2NzcDAdBgNVHQ4EFgQU73XPHhFAOaKff/yiXSyANI3w4lIwDAYDVR0TAQH/
BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAY
MAwGCisGAQQB1nkCBQEwCAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6
Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAHLC
75s5iG0hrGns1J1qTEMKi/AxjP4xmjWzAm1S0wc/8a2qDemxd1+MCqZrNpmXYVog
luJ+JDtZlEsHaAqB5ATc3bnMLhrvh7TJLRUvyk+l3OJ+8oJR8HUyghqUQ9uB5qNX
8xXJbmTfY1nCXOuG2A9nWTlMubt//kasnbDCrcpG9TZO+dQ0H4SEuC10xtIFM04A
vWsDrdjThn8viHI7vmpEbeTR6E60jhEKYZfqhWFDH4e7k8TsAKIJCv6v5xo4yLp4
TtTJJk3eWrEHxt5cjWZlqx22/ru0Whk+6ZLvUzm329KwQ6kNm9quFngUpIFh241F
tFPvcslCp56bJ3xzdqs=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4001 bytes and written 508 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 917A4A945C1AD702E8F0588217413B3311AA226D7E78BDD87B8596965AA0D620
Session-ID-ctx:
Master-Key: 43A388B6FF51CFC304F63D3EEC61912670C38CF7ECB347F521C48CD094C333BBBE4532FBCB5D41203543B8F0D081C2BA
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - bf cf bb fc 16 de 25 7a-cd bc 70 64 54 37 f0 60 ......%z..pdT7.`
0010 - 65 97 fe f6 65 24 c0 c6-5e 9f a8 e2 8f 5e 20 76 e...e$..^....^ v
0020 - 89 d7 f7 29 2c 43 fe f5-b9 95 c9 f3 ca 66 e6 cf ...),C.......f..
0030 - 53 20 86 84 1e 53 08 23-cf 14 56 23 d4 2f 45 1e S ...S.#..V#./E.
0040 - f1 68 0a d8 6a e1 06 e9-d5 d0 59 fc 86 df 0b f8 .h..j.....Y.....
0050 - 1b be d0 a3 40 83 3d 3c-d0 ce ba 07 a9 46 d7 6d ....@.=<.....F.m
0060 - 73 35 cd 72 04 3a 5b 90-a2 db 1a e2 7b 78 6e 90 s5.r.:[.....{xn.
0070 - 74 91 52 1e 10 68 15 58-5f b7 4d 0f ba 9e 2f 32 t.R..h.X_.M.../2
0080 - ac 78 92 37 47 d3 3c 3e-fd b0 ec 61 83 78 6e 48 .x.7G.<>...a.xnH
0090 - 61 27 ea 01 d7 74 3e 97-ab 72 05 00 78 3a 6d 9d a'...t>..r..x:m.
00a0 - b4 a0 57 e9 ..W.
Start Time: 1483556858
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
看起来 OpenSSL 找不到所需的根证书,对吗?好吧,那么我该如何解决这个问题呢?
答案1
使用以下方法获取整个证书链-showcerts
:
$ openssl s_client -starttls smtp -connect smtp.googlemail.com:587 -showcerts [77/209]
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.googlemail.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIIZhHz2JffUYMwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYxMjE1MTM0NjI0WhcNMTcwMzA5MTMzNDAw
WjBtMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEcMBoGA1UEAwwTc210
cC5nb29nbGVtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKNjXgKkh+MP+GoDISKosZkL/UG6pdt7a/pHf4DPVMMrx/OAEWmLBQmKaV3QAJC2
qUlHhOsLcy7qtirFsUK9Y5jy6R0Ucxd7LW/REtvhwY2X8QfHm0IEnOE1CDuYrfUk
Kk7PtQxTqGxG8aei+LXLxLNFNTjbfQiObvQXREw7qXfEWQb5+0T2FOxpB+UhYx20
bNpOimB0dco/Up/v+RekBKlvS2SrOCMSeTYYReZkycriSt0pMsI0IIvkaeE1Isnx
wA23B0dz6mVUn5blHPAIiEqi7Ic/W5tBrVkUwC40aL0ZuFQUjaJ/JUXCLon8uOnD
P7VDUk0mqlDoXMvHA1XkFO0CAwEAAaOCAVAwggFMMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAeBgNVHREEFzAVghNzbXRwLmdvb2dsZW1haWwuY29tMGgG
CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t
L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j
b20vb2NzcDAdBgNVHQ4EFgQU73XPHhFAOaKff/yiXSyANI3w4lIwDAYDVR0TAQH/
BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAY
MAwGCisGAQQB1nkCBQEwCAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6
Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAHLC
75s5iG0hrGns1J1qTEMKi/AxjP4xmjWzAm1S0wc/8a2qDemxd1+MCqZrNpmXYVog
luJ+JDtZlEsHaAqB5ATc3bnMLhrvh7TJLRUvyk+l3OJ+8oJR8HUyghqUQ9uB5qNX
8xXJbmTfY1nCXOuG2A9nWTlMubt//kasnbDCrcpG9TZO+dQ0H4SEuC10xtIFM04A
vWsDrdjThn8viHI7vmpEbeTR6E60jhEKYZfqhWFDH4e7k8TsAKIJCv6v5xo4yLp4
TtTJJk3eWrEHxt5cjWZlqx22/ru0Whk+6ZLvUzm329KwQ6kNm9quFngUpIFh241F
tFPvcslCp56bJ3xzdqs=
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjqSMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTUwNDAxMDAwMDAwWhcNMTcxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wDgYD
VR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDov
L2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQsFAAOCAQEACE4Ep4B/EBZDXgKt
10KA9LCO0q6z6xF9kIQYfeeQFftJf6iZBZG7esnWPDcYCZq2x5IgBzUzCeQoY3IN
tOAynIeYxBt2iWfBUFiwE6oTGhsypb7qEZVMSGNJ6ZldIDfM/ippURaVS6neSYLA
EHD0LPPsvCQk0E6spdleHm2SwaesSDWB+eXknGVpzYekQVA/LlelkVESWA6MCaGs
eqQSpSfzmhCXfVUDBvdmWF9fZOGrXW2lOUh1mEwpWjqN0yvKnFUEv/TmFNWArCbt
F4mmk2xcpMy48GaOZON9muIAs0nH5Aqq3VuDx3CQRk6+0NtZlmwu9RY23nHMAcIS
wSHGFg==
-----END CERTIFICATE-----
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.googlemail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4000 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: FBA71D2C2413474BDCE44C6951BFBC41C7FB4795CADCE6150BB93205526E632A
Session-ID-ctx:
Master-Key: F86BF8C5998693FE8FB77B396644D2D58365228C0352CF35886582EBB109845554AF632CC72A947C304CD93C6AC76618
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - bf cf bb fc 16 de 25 7a-cd bc 70 64 54 37 f0 60 ......%z..pdT7.`
0010 - a8 09 14 b0 63 60 cb 19-c2 01 a8 d4 b9 fa 66 02 ....c`........f.
0020 - c2 d8 4b c8 a4 46 b9 6d-d5 5c a3 5e b9 7e 95 27 ..K..F.m.\.^.~.'
0030 - 5e 35 e5 87 fd 2b ba 79-66 24 14 84 7e 16 14 c2 ^5...+.yf$..~...
0040 - fa a2 b1 da 12 df c2 4a-ac b5 a9 ea b1 9c 22 7a .......J......"z
0050 - 83 22 47 6b fe 89 9a 06-18 c3 28 e5 1d 1a 76 1e ."Gk......(...v.
0060 - 70 c8 53 39 41 55 95 54-0d ce 27 84 26 96 c4 2b p.S9AU.T..'.&..+
0070 - c2 9f 0f 35 fe b2 fd c5-d7 38 0d 4b 85 74 6a da ...5.....8.K.tj.
0080 - 43 76 ba 81 fb 96 2f 4d-56 96 1c 2d e7 c7 b4 00 Cv..../MV..-....
0090 - 51 5b 8e 6b eb cc ab 96-bc 98 3a 85 8f 5e bd 2d Q[.k......:..^.-
00a0 - f1 7a 3f f1 .z?.
Start Time: 1483557603
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 SMTPUTF8
然后在您的请求中包含缺少的证书,或者更好的是,更新系统包以包含它们。
如果信任链中仍缺少证书,您可以从供应商处获取它们。
您可以通过以下方式验证信任链是否完整:verify
的子命令openssl
。