On a server belonging to a customer of mine, I "suddenly" cannot verify any public TLS certificate. All requests to "public" sites fail because of an invalid certificate. However, I can verify certificates signed by the customer's CA.
martin@svuburhate12:~$ curl https://google.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I have a few VMs in the customer's data center, to which I only have ssh access; I have no control over the surrounding network. The customer's other servers are all working fine.
When I inspected the certificate that was actually sent back, I found something very strange. Apparently Google sent back its wildcard certificate, and its issuer is the customer's intermediate CA. Verifying that chain obviously fails.
$ openssl s_client -showcerts -verify 99 -connect google.com:443 -servername google.com
verify depth is 99
CONNECTED(00000003)
depth=2 C = local, O = Customer, CN = Redacted Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = local, O = Customer, CN = Redacted Root CA
verify return:1
depth=1 C = FI, O = Customer, CN = Redacted Online CA1
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
0 s:CN = *.google.com
i:C = FI, O = Customer, CN = Redacted Online CA1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:C = FI, O = Customer, CN = Redacted Online CA1
i:C = local, O = Customer, CN = Redacted Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2 s:C = local, O = Customer, CN = Redacted Root CA
i:C = local, O = Customer, CN = Redacted Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.google.com
issuer=C = FI, O = Customer, CN = Redacted Online CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5654 bytes and written 428 bytes
Verification error: self signed certificate in certificate chain
My understanding of openssl s_client is that what I'm seeing is actually what came in over the network. Is that right?
What does this mean? Is there something in the network "around the server" that is somehow injecting invalid certificates into the response?
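The chain that openssl s_client -showcerts prints is the chain the peer actually sent, so it can be parsed to spot a public hostname being served from a private CA. The script below is an added example, not from the question or its answers; it parses the chain section shown above (embedded as a constructed sample) and flags the two signs visible there: a leaf issued by the organisation's own CA (assumed here to be identifiable by O = Customer) and a chain ending in a self-signed root.

```python
import re

# Constructed sample: the "Certificate chain" section as openssl s_client
# printed it in the question above (PEM bodies elided with "...").
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = *.google.com
   i:C = FI, O = Customer, CN = Redacted Online CA1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C = FI, O = Customer, CN = Redacted Online CA1
   i:C = local, O = Customer, CN = Redacted Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:C = local, O = Customer, CN = Redacted Root CA
   i:C = local, O = Customer, CN = Redacted Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
"""

# One chain entry: an "N s:<subject>" line followed by an "i:<issuer>" line.
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(s_client_output):
    """Return the chain the peer presented, leaf first, as subject/issuer pairs."""
    return [{"subject": s.strip(), "issuer": i.strip()}
            for _, s, i in CHAIN_ENTRY.findall(s_client_output)]


def parse_dn(dn):
    """Split 'C = FI, O = Customer, CN = X' into a dict (plain split; escaped commas not handled)."""
    return {k.strip(): v.strip() for k, _, v in (rdn.partition(" = ") for rdn in dn.split(", "))}


def check_public_host_chain(chain, private_ca_orgs):
    """Flag a chain for a public hostname whose leaf was issued by one of the
    organisation's own CAs (the symptom above) or that ends in a self-signed root."""
    leaf, root = chain[0], chain[-1]
    return {
        "leaf": leaf["subject"],
        "leaf_issuer": leaf["issuer"],
        "issued_by_private_ca": parse_dn(leaf["issuer"]).get("O") in private_ca_orgs,
        "self_signed_root": root["subject"] == root["issuer"],
        "chain_length": len(chain),
    }
```

To run it against a live host, feed the stdout of openssl s_client -showcerts -connect host:443 -servername host to parse_chain and pass the organisation names of your internal CAs to check_public_host_chain; both flags being true for a public hostname, as in the question, is the fingerprint of a TLS-intercepting device between the VM and the Internet.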