Can TLS be verified if the server does not send the issuer certificate?

I'm trying to configure Apache httpd v2.4 for LDAP authentication against AD. The LDAPS certificate is issued by an internal CA. For whatever reason (I'm not on the AD team), neither our production nor our non-production environment publishes the full chain.

Non-prod sends the server and intermediate certificates but not the root. I'm able to connect successfully through Apache with:

LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 chain.crt
# $cat intermediate.pem root.pem > chain.crt

Unfortunately, prod sends only the server certificate: no intermediate (issuer) and no root. Supplying the same chain containing the issuer and the root does not work. I've tried everything I can think of: server cert only, int only, server + int, server + int + root, but none of these work, either in Apache or when testing with openssl s_client -connect $x -CAfile $y.

Obviously the best option is to get the AD team to publish the full chain, but is there any other way to verify the connection (other than disabling verification)?

Edit:

Here is the output of openssl s_client -connect devldap.company.com:636 -CAfile int+root.pem:

CONNECTED(00000003)
depth=2 CN = Company Root CA
verify return:1
depth=1 DC = com, DC = company CN = Company Intermediate CA
verify return:1
depth=0 C = US, ST = State, O = Company, OU = OTS, CN = devldap.company.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = State, O = Company, OU = OTS, CN = devldap.company.com
   i:DC = com, DC = company CN = Company Intermediate CA
 1 s:DC = com, DC = company CN = Company Intermediate CA
   i:CN = Company Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIH8TCCBtmgAwIBAgITTQACdEm5xkCMTnqGDQAAAAJ0STANBgkqhkiG9w0BAQsF
...
jce8VpEUyZKDClUrcyRBSxd0rq2I
-----END CERTIFICATE-----
subject=C = US, ST = State, O = Company, OU = OTS, CN = devldap.company.com

issuer=DC = com, DC = company CN = Company Intermediate CA

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4639 bytes and written 486 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F90...411
    Session-ID-ctx: 
    Master-Key: 985...D1E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1651420792
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

For prod, openssl s_client -connect ldap.company.com:636 -CAfile int+root.pem:

CONNECTED(00000003)
depth=0 C = US, ST = State, O = Company, CN = ldap.company.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = State, O = Company, CN = ldap.company.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = State, O = Company, CN = ldap.company.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = State, O = Company, CN = ldap.company.com
   i:DC = com, DC = company CN = Company Intermediate CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHXzCCBkegAwIBAgITTQADO1BEj8rlaKH+eQAAAAM7UDANBgkqhkiG9w0BAQsF
...
FGBKggzc3AK2pcHT9E3f46Oy+A==
-----END CERTIFICATE-----
subject=C = US, ST = State, O = Company, CN = ldap.company.com

issuer=DC = com, DC = company CN = Company Intermediate CA

---
No client certificate CA names sent
---
SSL handshake has read 2059 bytes and written 655 bytes
Verification error: unable to verify the first certificate
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 33B...377
    Session-ID-ctx: 
    Master-Key: A5D...ACE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1651420815
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
DONE

Edit: it turns out the file named "int.pem" was actually a server certificate from another project. Wonderful. I wish I had checked that before wasting so much time. With a chain containing the actual intermediate CA certificate and the root certificate, it verifies successfully.
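The sanity check that would have caught the mislabelled "int.pem" right away, added here as an example that is not part of the original post. It builds a throwaway root -> intermediate -> server hierarchy with made-up names so it runs offline, then checks each supposed CA file for the CA:TRUE basic constraint, checks that issuer and subject names actually link, and runs the same path validation that Apache and -CAfile perform.

```shell
#!/bin/sh
# Added example, not from the original post: before handing a chain file to Apache
# or to -CAfile, check that each "CA" file really is a CA certificate and that the
# pieces link up. A throwaway root -> intermediate -> leaf hierarchy is constructed
# here so the check runs offline; all names are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Self-signed root, signed with x509 -req so no openssl.cnf extension section is involved
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
# Intermediate CA signed by the root
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.ext -out int.pem 2>/dev/null
# LDAP server certificate signed by the intermediate (no CA extension)
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=ldap.example.internal" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
# The mistake from the post: another project's server certificate saved as the "intermediate"
openssl req -new -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
  -subj "/CN=www.other-project.internal" 2>/dev/null
openssl x509 -req -in other.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 -out wrong-int.pem 2>/dev/null

# is_ca FILE: succeeds only if the certificate asserts basicConstraints CA:TRUE
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chain_links CERT ISSUER: succeeds only if CERT's issuer DN equals ISSUER's subject DN
chain_links() {
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')" ]
}

# verify_chain LEAF INT ROOT: full path validation, the same check Apache and -CAfile perform
verify_chain() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }

for f in root.pem int.pem wrong-int.pem; do
  if is_ca "$f"; then echo "$f: CA certificate"; else echo "$f: NOT a CA certificate"; fi
done
verify_chain leaf.pem int.pem root.pem && echo "leaf.pem verifies with int.pem + root.pem"
verify_chain leaf.pem wrong-int.pem root.pem || echo "leaf.pem fails with wrong-int.pem + root.pem"
```

Run is_ca and chain_links against the real files (the intermediate against the root, the server cert against the intermediate) before building chain.crt; a file that fails is_ca can never act as an issuer no matter how it is bundled.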
