We are hosting a website on Azure. The service we host has 6 instances. On that service we added a certificate covering the site, with the verification chain shown below:
our certificate
Comodo RSA Organisation Validation Secure Server CA (2014 - 2029)
Comodo RSA Certification Authority (2000 - 2020)
USERTrust (2000 - 2020)
We can see in the browser that, for any request we make, this chain appears to be present correctly and the SSL handshake completes.
We have a customer reporting that they have some problems connecting to us remotely. They have been using openssl to verify this.
My knowledge runs out when it comes to interpreting this output, so I would like to know whether someone can help us find the discrepancy, or decide on the next steps, whether for us or for our customer.
The command that was run is
$ openssl s_client -CApath /etc/ssl/certs/ -connect <our service uri>
The output in the successful case is as follows:
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = DK, <certificate information pertaining to our company >
---
Certificate chain
 0 s:/C=DK/<certificate information pertaining to our company >
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
Key is the same between both requests
-----END CERTIFICATE-----
subject=/C=DK/<certificate information pertaining to our company >
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5052 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: <session id hidden>
    Session-ID-ctx:
    Master-Key: <key hidden>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1436543517
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
And in an unsuccessful case:
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DK/<certificate information pertaining to our company >
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
Key is the same between both requests
-----END CERTIFICATE-----
subject=/C=DK/<certificate information pertaining to our company >
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3649 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: <session id hidden>
    Session-ID-ctx:
    Master-Key: <key hidden>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1436543605
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
I can see that these are different; I can see that the depth field is different (I am not sure what this means, but I assume it is an indication of how much of the authentication chain gets opened up). I can also see that the chain itself seems to differ in the successful case compared to the unsuccessful one, adding
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
My question is: what could cause this to happen, is this a server or a user problem (particularly bearing in mind that for most requests from most users this seems to work fine), and are there any next steps we need to take to find out what is wrong?
Thanks for your time :)
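An added check, not part of the question above or of any answer to it: the two outputs differ in the "Certificate chain" section (three certificates in the working case, two in the failing one, with the same leaf key), and openssl reports code 20 exactly when the server does not send an issuer that the client cannot find in its own trust store. With six instances behind one hostname, a single connection only tells you what one instance sent. The script below, assuming placeholder instance names and the same -CApath as in the question, connects to each instance directly and reports how many certificates it sends together with openssl's verify code; parse_chain also works offline on saved s_client output, and the two sample outputs embedded here are constructed to mirror the question's working and failing cases.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the certificate chain
# each backend instance actually sends, instead of whatever the load-balanced
# hostname happens to answer on a single try. Instance names are placeholders.

# parse_chain: read `openssl s_client` output on stdin and print
#   "<number of certs in 'Certificate chain'> <Verify return code>"
# A complete chain for the post's setup shows 3 certs and code 0; a server
# that omits an intermediate shows fewer certs and code 20 on a client that
# does not already hold the missing issuer.
parse_chain() {
    awk '
        /^Certificate chain/      { inchain = 1; next }
        inchain && /^---/         { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { n++ }
        /Verify return code:/     { code = $4 }
        END { printf "%d %s\n", n, (code == "" ? "?" : code) }
    '
}

# check_instance HOST [PORT] [SNI]: connect to one backend directly (by IP or
# per-instance name) while presenting the public name via SNI, so the same
# certificate is selected as for the public hostname. Network call; the
# offline test does not exercise it.
check_instance() {
    host=$1; port=${2:-443}; sni=${3:-$1}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$sni" \
        -CApath /etc/ssl/certs/ 2>/dev/null | parse_chain
}

# compare_instances HOST...: print one line per instance and return 1 if any
# instance's result differs from the first instance's result.
compare_instances() {
    first=""; rc=0
    for h in "$@"; do
        r=$(check_instance "$h")
        printf '%-40s %s\n' "$h" "$r"
        [ -z "$first" ] && first=$r
        [ "$r" = "$first" ] || rc=1
    done
    return $rc
}

# Constructed sample modelled on the working output in the question:
# leaf, intermediate and cross-signed root all sent, verify code 0.
SAMPLE_COMPLETE='CONNECTED(00000003)
depth=2 C = GB, O = Example CA, CN = Example Root CA
verify return:1
---
Certificate chain
 0 s:/C=DK/O=Example Org/CN=www.example.org
   i:/C=GB/O=Example CA/CN=Example Intermediate CA
 1 s:/C=GB/O=Example CA/CN=Example Intermediate CA
   i:/C=GB/O=Example CA/CN=Example Root CA
 2 s:/C=GB/O=Example CA/CN=Example Root CA
   i:/C=SE/O=Example Trust/CN=Example External Root
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
---
SSL-Session:
    Verify return code: 0 (ok)
---'

# Constructed sample modelled on the failing output: only the leaf and one
# intermediate were sent, and the client could not find the next issuer.
SAMPLE_INCOMPLETE='CONNECTED(00000003)
depth=1 C = GB, O = Example CA, CN = Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DK/O=Example Org/CN=www.example.org
   i:/C=GB/O=Example CA/CN=Example Intermediate CA
 1 s:/C=GB/O=Example CA/CN=Example Intermediate CA
   i:/C=GB/O=Example CA/CN=Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
---
SSL-Session:
    Verify return code: 20 (unable to get local issuer certificate)
---'

# Offline demonstration on the constructed samples:
printf '%s\n' "$SAMPLE_COMPLETE"   | parse_chain   # 3 0
printf '%s\n' "$SAMPLE_INCOMPLETE" | parse_chain   # 2 20

# Live check against each instance (placeholder names), e.g.:
#   compare_instances instance1.example.net instance2.example.net
```

Run compare_instances once per instance address rather than against the public hostname; if one line shows fewer certificates or a non-zero verify code while the others show the full chain, that instance is the one to look at. A client whose trust store already contains the intermediate will still report 0 even against a misconfigured instance, which is why the problem can appear to affect only some users.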