SSL alert number 113


Over the last few days we have been seeing a few errors like the following in the nginx error log:

/var/log/nginx/error.log.2.gz:2017/01/30 16:11:46 [crit] 13114#13114: *139338 SSL_do_handshake() failed (SSL: error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status response:SSL alert number 113) while SSL handshaking, client: X.X.X.X, server: 0.0.0.0:443

We use Let's Encrypt for this certificate. We cannot reproduce the problem ourselves, and so far we have not been able to get any information from the affected clients about what might be causing it.

RFC 6066 says this is related to OCSP:

A client that has requested an OCSP response and has received an OCSP response in a "CertificateStatus" message MUST check the OCSP response and abort the handshake if the response is not satisfactory with bad_certificate_status_response(113) alert. This alert is always fatal.

We have this in our nginx configuration:

# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

The domain gets an A+ rating from SSL Labs, and we cannot reproduce the problem ourselves. What could be causing this error?

Edit: this has happened 3 times in the last few days, and only once did the client's IP address leave an entry in the access log:

/var/log/nginx/access.log:X.X.X.X - - [01/Feb/2017:12:12:51 -0500] "GET /images/foo/bar.png HTTP/1.1" 200 6174 "-" "Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2639 Mobile Safari/537.35+"

Edit 2: here is the output of openssl s_client -connect <address>:<port> -showcerts -status

$ openssl s_client -connect foo.bar.com:443 -showcerts -status
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Feb  2 02:49:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0320C25EEBD8FE0BBC3678CC437E182E6D82
    Cert Status: good
    This Update: Feb  2 02:00:00 2017 GMT
    Next Update: Feb  9 02:00:00 2017 GMT

    Signature Algorithm: sha256WithRSAEncryption
======================================
---
Certificate chain
 0 s:/CN=foo.bar.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=foo.bar.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 4125 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4F251FC1206A7455B45ABB58137F8EBFE0E23980C8C5FA2185F849AC92E99E39
    Session-ID-ctx: 
    Master-Key: 0C7B5BA714DAFA5791BA956DBC4BD642B6CABA21CB6622172B65AC3BACB063D910F38DA1D63E5A90B2C209FE442B5294
    Key-Arg   : None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1486065610
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
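As an added example (not code from the question, nginx or OpenSSL), this re-runs the check RFC 6066 requires of the client on the "OCSP Response Data" block that openssl s_client -status prints, and pulls the alert number and client address out of the nginx [crit] line. The sample inputs are constructed to match the formats shown above; 203.0.113.5 stands in for the client address.

```python
# Added example (not from the question or nginx): the client-side check RFC 6066
# describes, applied to the text `openssl s_client -status` prints, plus a parser
# for the nginx [crit] line. Sample inputs are constructed to match the question.
import re
from datetime import datetime, timezone

ALERT_BAD_CERTIFICATE_STATUS_RESPONSE = 113  # RFC 6066
ALERT_CERTIFICATE_REVOKED = 44               # RFC 5246

SAMPLE_STAPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Feb  2 02:00:00 2017 GMT
    Next Update: Feb  9 02:00:00 2017 GMT
"""
# 203.0.113.5 is a documentation address standing in for the X.X.X.X in the question.
SAMPLE_ERROR_LINE = ("2017/01/30 16:11:46 [crit] 13114#13114: *139338 SSL_do_handshake() failed "
                     "(SSL: error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status "
                     "response:SSL alert number 113) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443")

def _field(text, name):
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def _when(value):
    # openssl prints "Feb  2 02:00:00 2017 GMT"; %d accepts the space-padded day.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def check_staple(text, now):
    """Return None if a client would accept the staple, else the alert number it sends."""
    if "OCSP response: no response sent" in text:
        return None  # nothing stapled; the client may fetch OCSP itself instead
    status = _field(text, "OCSP Response Status")
    if status is None or not status.startswith("successful"):
        return ALERT_BAD_CERTIFICATE_STATUS_RESPONSE  # e.g. "unauthorized (0x6)"
    this_update, next_update = _field(text, "This Update"), _field(text, "Next Update")
    if not (this_update and next_update and _when(this_update) <= now <= _when(next_update)):
        return ALERT_BAD_CERTIFICATE_STATUS_RESPONSE  # missing or stale validity window
    cert_status = _field(text, "Cert Status")
    if cert_status == "good":
        return None
    if cert_status and cert_status.startswith("revoked"):
        return ALERT_CERTIFICATE_REVOKED
    return ALERT_BAD_CERTIFICATE_STATUS_RESPONSE  # "unknown" counted as unsatisfactory here

def alert_from_nginx_error(line):
    """Return (alert number, client address) from an nginx SSL handshake [crit] line."""
    m = re.search(r"SSL alert number (\d+)\).*?client: ([0-9A-Fa-f.:]+)", line)
    return (int(m.group(1)), m.group(2)) if m else None
```

Feeding it the real block from the question with the current time shows whether a stapled response has gone stale (Next Update in the past), which is one way a client ends up sending alert 113 even though the configuration is correct.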

Answer 1

Simon, it looks like you have run into this post. There is nothing wrong with the configuration; it looks like nginx behaviour. It could also be a problem with Let's Encrypt OCSP.
