Revoked certificate still valid in Google Chrome and Microsoft Edge


I have generated a self-signed certificate, Root-CA.

Then Intermediate-CA is signed by Root-CA, and Server is signed by Intermediate-CA.

The certificates are as follows:

Root-CA  ->  Intermediate-CA  ->  Server

Root-CA:
rootca.key
rootca.crt
rootca.crl

Intermediate-CA:
intermediateca.key
intermediateca.crt
intermediateca.crl

Server:
server.key
server.crt

Nginx configuration:

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name www.example.com;

        ssl_certificate  /home/user/confs/server+intermediateca.crt;
        ssl_certificate_key /home/user/confs/server.key;

        ssl_ocsp on;
        ssl_crl /home/user/confs/intermediateca+rootca.crl;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /home/user/confs/intermediateca+rootca.crt;
}

With this configuration, if I revoke server.crt, the OCSP response shows the certificate as revoked and Firefox displays a revoked-certificate error, but Google Chrome and Microsoft Edge show no warning and I can access the site with the revoked certificate. Why? What is going wrong? Google Chrome uses CRLSets; how do I configure that properly? Can anyone help me?

Is there any proper way to configure this so that Google Chrome and Microsoft Edge show a revoked-certificate error? How do I add a revoked certificate to CRLSets?

With the following command, I get an error:

openssl verify -extended_crl -crl_check_all -crl_download -CAfile intermediateca+rootca.pem -verbose server.crt

Output:

Unable to load CRL via CDP
40971A29A97F0000:error:1E80006E:HTTP routines:OSSL_HTTP_REQ_CTX_nbio:missing asn1 encoding:../crypto/http/http_client.c:755:
40971A29A97F0000:error:1E800067:HTTP routines:OSSL_HTTP_REQ_CTX_exchange:error receiving:../crypto/http/http_client.c:874:server=http://www.example.com:80
C = BD, ST = Dhaka, O = Example, CN = www.example.com
error 3 at 0 depth lookup: unable to get certificate CRL
error server.crt: verification failed

What is the above error I am getting? How can I fix it?

Thank you for your time.

Answer 1

Firefox checks CRLs, while Chrome/Chromium/Edge do not. The latter use CRLSets instead.

There is a good table at the bottom of this article. However, the article is already 18 months old, and browser security is a moving target, so things may have changed by the time you read it :-)

OpenSSL does check CRLs, which is why revocation checking works for you there.
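The "Unable to load CRL via CDP" failure in the question and the answer's point that OpenSSL does check CRLs can both be exercised offline. The script below is an added example, not code from the question or the answer: it builds a throwaway Root-CA -> Intermediate-CA -> Server chain with the same names as above from a constructed minimal openssl-ca config, and verifies the leaf against the local CRL file with -CRLfile instead of -crl_download, so no CRL distribution point has to be reachable.

```shell
#!/bin/sh
# Constructed demo (not from the post): build Root-CA -> Intermediate-CA -> Server,
# then check the leaf against a LOCAL CRL file instead of fetching it via CDP.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[ca]
default_ca = ca_default
[ca_default]
database = index.txt
new_certs_dir = .
serial = serial
default_md = sha256
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
: > index.txt; echo 1000 > serial
Q="-nodes -newkey rsa:2048"
# Root-CA (self-signed) -> Intermediate-CA -> Server, mirroring the question's chain
openssl req -config ca.cnf -x509 $Q -keyout rootca.key -out rootca.crt -subj /CN=Root-CA -days 30 2>/dev/null
openssl req -config ca.cnf $Q -keyout intermediateca.key -out int.csr -subj /CN=Intermediate-CA 2>/dev/null
openssl x509 -req -in int.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -days 30 \
  -extfile ca.cnf -extensions v3_ca -out intermediateca.crt 2>/dev/null
openssl req -config ca.cnf $Q -keyout server.key -out server.csr -subj /CN=www.example.com 2>/dev/null
openssl x509 -req -in server.csr -CA intermediateca.crt -CAkey intermediateca.key -CAcreateserial \
  -days 30 -out server.crt 2>/dev/null

gen_crl() {  # Intermediate-CA publishes its CRL from the openssl-ca database
  openssl ca -config ca.cnf -cert intermediateca.crt -keyfile intermediateca.key -gencrl \
    -out intermediateca.crl 2>/dev/null
}
verify_leaf() {  # Offline chain + CRL check: prints OK, REVOKED, or the raw OpenSSL error
  out=$(openssl verify -crl_check -CAfile rootca.crt -untrusted intermediateca.crt \
        -CRLfile intermediateca.crl server.crt 2>&1) && { echo OK; return 0; }
  case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo "$out" ;; esac
}
gen_crl; BEFORE=$(verify_leaf)          # OK: a CRL exists but lists nothing
openssl ca -config ca.cnf -cert intermediateca.crt -keyfile intermediateca.key -revoke server.crt 2>/dev/null
gen_crl; AFTER=$(verify_leaf)           # REVOKED: the serial is now listed in the CRL
echo "before revocation: $BEFORE / after revocation: $AFTER"
```

The same -CRLfile form works with the question's concatenated intermediateca+rootca.crl when -crl_check_all is used, provided the root's own CRL is included in that file.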
