How to force OpenSSL to use the same certificate chain verification algorithm as the Chrome browser and SSL Labs

Question: how can I force OpenSSL to use the same certificate verification algorithm that the Chrome browser and SSL Labs use?

Details:

The certificate chain sent by "adswizz.com" contains a recently expired certificate from COMODO (it expired on May 30, 2020).

This OpenSSL command uses a simple algorithm: it walks the certificate chain presented by the server, finds the expired certificate, and then reports "Verify return code: 10 (certificate has expired)".

openssl s_client -showcerts -connect adswizz.com:443 -servername adswizz.com < /dev/null

By contrast, visiting this SSL Labs URL shows the result of a more complex algorithm that explores several different paths in an attempt to validate the server certificate.

https://www.ssllabs.com/ssltest/analyze.html?d=adswizz.com

It finds 3 possible paths (see the image below). Path #2 is the same path OpenSSL uses, and so it fails because of the expired certificate, ... but paths #1 and #3 both succeed. (Path #3 even downloads an additional certificate!)

We want to use openssl from the Linux command line, and we use the glib-openssl library to support TLS communication with the server. Which command-line options or library configuration settings can we use to force OpenSSL to verify the certificate and get the same result as the Chrome browser?

We cannot force the third party running adswizz.com to update their certificate chain, because they will "check" with Chrome and tell us it "looks fine", ... but OpenSSL will still fail.

We need a fix or a workaround. Any ideas?

Any help would be greatly appreciated.

# openssl s_client -showcerts -connect adswizz.com:443 -servername adswizz.com < /dev/null

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.adswizz.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
0fKtirOMxyHNwu8=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.adswizz.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5334 bytes and written 454 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B56072247A34ED804A1B84933F673D5029E02352C1EC96109F38991BCE1DA450
    Session-ID-ctx: 
    Master-Key: 79A358537CE41E0CA4D3463848A9837397BB06B068547F702336723D42BB7DB0A788390E76F4264534D2B47EE2B1B48C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 60 bb 34 9c c4 9e 1e d5-25 30 51 e8 c0 66 ad f9   `.4.....%0Q..f..
    0010 - 96 ff 5a 60 3b 9b 50 07-55 08 2b 11 5e 72 9e fb   ..Z`;.P.U.+.^r..
    0020 - b6 47 85 f1 42 27 28 ae-ce fc e0 63 c3 00 60 01   .G..B'(....c..`.
    0030 - 78 d0 6b c6 d9 40 8e 5d-96 14 a0 24 f2 4e 35 25   x.k..@.]...$.N5%
    0040 - 3e e4 94 21 c6 11 0b db-00 6b c7 16 87 c1 92 a2   >..!.....k......
    0050 - 9a c3 dc 51 95 5d 44 6f-e0 f0 20 2c 44 9e 07 e3   ...Q.]Do.. ,D...
    0060 - cb 0a 83 f2 8f 06 d8 9d-53 b8 85 a1 62 27 09 dd   ........S...b'..
    0070 - a2 74 35 31 07 71 5b 92-87 8e 84 34 c4 10 9f 01   .t51.q[....4....
    0080 - 0a 86 30 32 e4 b2 3e ed-3c c4 81 49 42 60 19 9b   ..02..>.<..IB`..
    0090 - ff 90 0b 0a a7 4b 58 ed-bd b9 6a 8a 09 3e 54 0e   .....KX...j..>T.
    00a0 - 39 ce 19 14 fb 5d b3 b6-11 a3 11 da 53 11 ff 06   9....]......S...
    00b0 - 0e 9c 1b 7f 14 ef 69 cb-35 5a 79 29 dd ed 9c 39   ......i.5Zy)...9
    00c0 - 19 e2 6a 9e d7 06 5e e7-3b 86 c1 0e cb 80 7e 6a   ..j...^.;.....~j

    Start Time: 1591065727
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
DONE

[image: the SSL Labs report's three certification paths, not reproduced here]

Answer 1

> This OpenSSL command uses a simple algorithm: it walks the certificate chain presented by the server, finds the expired certificate, and then reports "Verify return code: 10 (certificate has expired)".

While this was true for OpenSSL 1.0.2, it is no longer true for OpenSSL 1.1.1, i.e. that version finds and uses a valid path.

> Path #3 even downloads an additional certificate!

While Chrome does this, Firefox, OpenSSL and many other libraries do not download missing certificates on their own.

> We cannot force the third party running adswizz.com to update their certificate chain, because they will "check" with Chrome and tell us it "looks fine", ... but OpenSSL will still fail.

While there is some truth to this argument, it is still wrong. Both the server and the client should have a correct and up-to-date configuration. That means that in this specific case your OpenSSL should be updated, and the server should be fixed as well. A company that tests with only one browser and ignores everything else risks losing customers.
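To make the difference between the two verification behaviours concrete, here is an added example that is not part of the question or the answer and does not use OpenSSL at all: it rebuilds the shape of the served chain from the s_client output (a leaf, an intermediate, and an expired cross-signed copy of the intermediate's root issued by a retired root) with Go's crypto/x509, and then verifies the leaf twice, first against a trust store that only knows the retired root, then against one that also contains the newer self-signed root. All CA names, keys and validity dates are constructed for the example; none are the real Sectigo, USERTrust or AddTrust certificates. Go's verifier is used here only because it explores alternative paths the way the answer describes for OpenSSL 1.1.1 and Chrome, not because it is what the question's glib-openssl setup uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64

// genKey makes an ECDSA P-256 key (chosen for speed; the real chain is RSA).
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for pub with parentKey (pass tmpl itself as parent for a self-signed root); setup failures panic.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// PKI mirrors the shape of the chain in the s_client output; all names are constructed, none are real CAs.
type PKI struct{ LegacyRoot, NewRoot, CrossSigned, Intermediate, Leaf *x509.Certificate }

func BuildPKI() *PKI {
	now, year := time.Now(), 365*24*time.Hour
	legacyKey, newKey, interKey, leafKey := genKey(), genKey(), genKey(), genKey()
	const newRootCN = "Example RSA Certification Authority" // plays the role of the USERTrust RSA CA
	p := &PKI{}
	// 1. Legacy root (role of AddTrust External CA Root): self-signed and, as on 30 May 2020, expired.
	t := caTemplate("Example Legacy External Root", now.Add(-20*year), now.Add(-24*time.Hour))
	p.LegacyRoot = issue(t, t, &legacyKey.PublicKey, legacyKey)
	// 2. Newer root: self-signed and valid; an up-to-date trust store contains this one.
	t = caTemplate(newRootCN, now.Add(-10*year), now.Add(10*year))
	p.NewRoot = issue(t, t, &newKey.PublicKey, newKey)
	// 3. Cross-signed copy of the newer root: same subject and key, issued by the legacy root and
	//    expired with it. This plays certificate 2 (USERTrust issued by AddTrust) in the served chain.
	t = caTemplate(newRootCN, now.Add(-10*year), now.Add(-24*time.Hour))
	p.CrossSigned = issue(t, p.LegacyRoot, &newKey.PublicKey, legacyKey)
	// 4. Intermediate (role of the Sectigo DV CA): its issuer name matches both encodings of the newer root.
	t = caTemplate("Example DV Secure Server CA", now.Add(-2*year), now.Add(8*year))
	p.Intermediate = issue(t, p.NewRoot, &interKey.PublicKey, newKey)
	// 5. Server certificate.
	t = &x509.Certificate{Subject: pkix.Name{CommonName: "*.example.test"}, DNSNames: []string{"*.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	p.Leaf = issue(t, p.Intermediate, &leafKey.PublicKey, interKey)
	return p
}

// VerifyServed plays the TLS client: the leaf is verified with what the server sent beside it (the
// intermediate plus the expired cross-signed root) as untrusted intermediates, against the given trust
// anchors. Go tries trusted roots before served intermediates, so a trusted newer root is used directly.
func VerifyServed(p *PKI, roots ...*x509.Certificate) ([][]*x509.Certificate, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool.AddCert(p.Intermediate)
	interPool.AddCert(p.CrossSigned)
	return p.Leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool})
}

// IsExpired reports whether err is the "certificate has expired" verification failure.
func IsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	p := BuildPKI()
	_, err := VerifyServed(p, p.LegacyRoot) // trust store still anchored on the retired root only
	fmt.Println("legacy root only  :", err)
	chains, err := VerifyServed(p, p.LegacyRoot, p.NewRoot) // trust store updated with the newer root
	fmt.Println("newer root trusted:", err, "chains found:", len(chains))
}
```

With only the retired root trusted, the one path the verifier can build runs through the expired cross-certificate and fails with the same "certificate has expired" condition the s_client output shows. Once the newer root is in the trust store, the verifier anchors on it directly and the expired certificate the server still sends is simply ignored. That is the client-side half of the answer's advice: the fix is an up-to-date trust store plus a verifier that builds paths rather than walking the served chain blindly, not a flag that makes the expired certificate acceptable.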
