我有一个根 CA,它签署了 2 个中间 CA(客户端 CA 和服务器 CA)和 2 个证书(由客户端 CA 签名的客户端证书和由服务器 CA 签名的服务器证书)。现在服务器有根 CA 和组合服务器 CA(服务器证书和服务器 CA 的串联),客户端有根 CA 和组合客户端证书(客户端证书和客户端 CA 的串联)。
通过openssl s_client -connect <host:port> -cert combinedclientcert.pem -key clientkey.pem -CAfile rootca.pem -state -debug
,我看到以下内容(仅粘贴与 TLS 相关的日志):
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
CONNECTED(00000005)
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL3 alert read:fatal:unknown CA
SSL_connect:error in error
140052693504448:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3390 bytes and written 2027 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
Session-ID-ctx:
Master-Key: 16A63159B6A5BFB210A020396BB9E234185F70E737F9EE2F980A13AE0868C6CA223B65A841E5BCB359D8B53FC2072DE4
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1615273842
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
read from 0x556f4a6bb800 [0x556f4a6b0d80] (8192 bytes => 0 (0x0))
有人能帮助我理解为什么我们看到 /ssl/record/rec_layer_s3.c:1528:SSL 警报编号 48 吗?
答案1
错误日志中的关键行是
SSL3 alert read:fatal:unknown CA
您说服务器有根 CA 证书,但您必须将其作为受信任的根证书安装在那里。方法是将其复制到 /usr/local/share/ca-certificates,然后运行
update-ca-certificates
这会将其添加到 /etc/ssl/certs 中受信任的根证书数据库中,openssl 会在其中找到它。您也需要在客户端上执行此操作。请参阅man update-ca-certificates
。