GNUTLSClientVerify does not block an unrecognized CA.

I installed Apache on Ubuntu, installed the GnuTLS module, and everything works fine.

    root@ilnwad15:~# apache2 -v
    Server version: Apache/2.2.22 (Ubuntu)
    Server built:   Jul 12 2013 13:37:15

Now, on port 1443, I want the client to be blocked if the CA of its client certificate is not the CA on my server.

This is how I configured it in /etc/apache2/apache2.conf:

    Listen *:443
    Listen *:1443
    <VirtualHost *:443>
        GnuTLSEnable on
        GnuTLSKeyFile /etc/apache2/certs/ilnwad15.tlv.sap.corp.key
        GnuTLSCertificateFile /etc/apache2/certs/ilnwad15.tlv.sap.corp.crt
        DocumentRoot /disk2/var/www/html
        GnuTLSPriorities EXPORT
        ServerName ilnwad15
    </VirtualHost>
    <VirtualHost *:1443>
        GnuTLSEnable on
        GnuTLSKeyFile /etc/apache2/certs/ilnwad15.tlv.sap.corp.key
        GnuTLSCertificateFile /etc/apache2/certs/ilnwad15.tlv.sap.corp.crt
        GnuTLSPriorities EXPORT
        GnuTLSClientCAFile /etc/apache2/certs/ca.pem
        GNUTLSClientVerify require
        DocumentRoot /disk2/var/www/html
        ServerName ilnwad15
    </VirtualHost>

What it does now is that when I send a request without a certificate, I get an internal error.

    [root@ilnwadv56 ~]# wget --save-headers --no-check-certificate HTTPs://ilnwad15.tlv.sap.corp:1443
    --2013-12-18 17:23:01--  https://ilnwad15.tlv.sap.corp:1443/
    Resolving ilnwadv62... 172.16.162.21
    Connecting to ilnwadv62|172.16.162.21|:18080... connected.
    WARNING: cannot verify ilnwad15.tlv.sap.corp's certificate, issued by `/C=IL/L=Raanana/O=SAP/OU=AccAD/CN=Dummy device':
      Unable to locally verify the issuer's authority.
    WARNING: certificate common name `dummy.service.com' doesn't match requested host name `ilnwad15.tlv.sap.corp'.
    Proxy request sent, awaiting response... 500 Server Error
    2013-12-18 17:23:01 ERROR 500: Server Error.

However, if the request carries a certificate whose CA does not match the server's CA, I get 200 OK from Internet Explorer and no 403 Forbidden. Doing the same from wget, I get "failed: Service Unavailable to establish SSL connection".

    [root@ilnwadv56 ~]# wget --save-headers --no-check-certificate --certificate=/sapmnt/accad/other/client.crt --private-key=/sapmnt/accad/other/client.key HTTPs://ilnwad15.tlv.sap.corp:443
    --2013-12-18 17:46:17--  https://ilnwad15.tlv.sap.corp/
    Resolving ilnwadv62... 172.16.162.21
    Connecting to ilnwadv62|172.16.162.21|:18080... connected.
    Proxy tunneling failed: Service UnavailableUnable to establish SSL connection.

Does anyone have an idea where my mistake is? Thanks in advance.
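As an added example (not code from the question or from mod_gnutls), a small Python linter for the kind of vhost configuration shown above: it parses the <VirtualHost> blocks, normalises directive names case-insensitively as Apache does, and reports a vhost on the client-certificate port that does not require a certificate, a vhost that requires one without naming a CA file, and the EXPORT priority string. The configuration text inside it is constructed to mirror the question's; treating 1443 as the mutual-TLS port is an assumption taken from the question.

```python
import re

# Constructed to mirror the question's apache2.conf (paths shortened).
SAMPLE_CONF = """
Listen *:443
Listen *:1443
<VirtualHost *:443>
    GnuTLSEnable on
    GnuTLSPriorities EXPORT
</VirtualHost>
<VirtualHost *:1443>
    GnuTLSEnable on
    GnuTLSPriorities EXPORT
    GnuTLSClientCAFile /etc/apache2/certs/ca.pem
    GNUTLSClientVerify require
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Map each <VirtualHost> address to {directive (lowercased): value}."""
    # Apache matches directive names case-insensitively, which is why the
    # question's 'GNUTLSClientVerify' spelling works; normalise the same way.
    vhosts = {}
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, _, value = line.partition(" ")
                directives[name.lower()] = value.strip()
        vhosts[addr.strip()] = directives
    return vhosts

def lint_client_auth(conf, mtls_ports=("1443",)):
    """Return (address, finding) pairs; an empty list means nothing to report."""
    findings = []
    for addr, d in parse_vhosts(conf).items():
        port = addr.rsplit(":", 1)[-1]
        verify = d.get("gnutlsclientverify", "ignore").lower()
        if port in mtls_ports and verify != "require":
            findings.append((addr, "client certificate is not required"))
        if verify in ("require", "request") and "gnutlsclientcafile" not in d:
            findings.append((addr, "GnuTLSClientVerify set without GnuTLSClientCAFile"))
        if d.get("gnutlspriorities", "").upper() == "EXPORT":
            findings.append((addr, "GnuTLSPriorities EXPORT allows export-grade ciphers"))
    return findings
```

Calling `lint_client_auth(SAMPLE_CONF)` reports only the EXPORT priority on both vhosts, since the 1443 vhost has both the CA file and `require` set; the linter checks the configuration text only, not what the running server enforces, so a proxy in the path (as in the question) would still need to be ruled out separately.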

OK, first of all, thanks to everyone who helped me (especially @MadHatter). The problem was that I was using a proxy, so I had to `unset https_proxy`, and the problem was solved.

Now it works correctly. When sending a dummy certificate (not providing any certificate via wget):

    wget --save-headers --no-check-certificate HTTPS://ilnwad15.tlv.sap.corp:1443
    --2013-12-22 10:37:02--  https://ilnwad15.tlv.sap.corp:1443/
    Resolving ilnwad15.tlv.sap.corp... 172.16.60.21
    Connecting to ilnwad15.tlv.sap.corp|172.16.60.21|:1443... connected.
    OpenSSL: error:1409442F:SSL routines:SSL3_READ_BYTES:tlsv1 alert insufficient security
    Unable to establish SSL connection.

When the correct certificate is given:

    wget --save-headers --certificate=/sapmnt/accad/other/ilnwad15.tlv.sap.corp.crt --private-key=/sapmnt/accad/other/ilnwad15.tlv.sap.corp.key --no-check-certificate HTTPS://ilnwad15.tlv.sap.corp:1443
    --2013-12-22 10:33:59--  https://ilnwad15.tlv.sap.corp:1443/
    Resolving ilnwad15.tlv.sap.corp... 172.16.60.21
    Connecting to ilnwad15.tlv.sap.corp|172.16.60.21|:1443... connected.
    WARNING: cannot verify ilnwad15.tlv.sap.corp's certificate, issued by /C=IL/ST=Central District/L=Raanana/O=SAP AG/OU=AccAD/CN=AccAD CA/[email protected]:
      Unable to locally verify the issuer's authority.
    HTTP request sent, awaiting response... 200 OK
    Length: 4598 (4.5K) [text/html]
    Saving to: `index.html'

    100%[======================================>] 4,598       --.-K/s   in 0s

    2013-12-22 10:33:59 (38.5 MB/s) - `index.html' saved [4598/4598]

Thanks! :D