服务器 Gind.cn
  1. 服务器 Gind.cn
  3. OCSP响应者不在场?
Intereting Posts
将静态IP分配给实例而不是DHCP有好处吗? GPBA与SAMBA作为DC 如何隔离连接到单个活动目录的其他机器的服务器? Cassandra快照恢复:随机丢失的数据 在Ubuntu 10.04上升级CouchDB的默认安装 如何在MAMP上设置多个网站/虚拟主机? HP P410 RAID CARD问题 – 操作系统未检测到未分配的驱动器 在Microsoft Azure子文件夹上使用WordPress 无法推送到git远程存储库 千兆交换机是否可以通过PoE供电? 如何创build超过256个/ dev /循环? 傀儡评估variables只有一次 UNCpath由IP“没有networking提供商接受给定的networkingpath”失败,但使用主机名工作 支持票务系统 NSlogging在bind9区域文件中

OCSP响应者不在场?

我试图设置OCSPvalidation例程,所以首先要对环境感到舒适。 在例如OpenSSL中find优秀的教程:根据OCSP手动validation证书 。

出现多个问题,请耐心等待。

自从那个教程以来有了一些变化,但我认为主要是:

1)抓住你想validation的证书,例如 

openssl s_client -connect wikipedia.org:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > wikipedia.pem

2)build立证书链,例如 

 openssl s_client -connect wikipedia.org:443 -showcerts 2>&1 < /dev/null > chain.pem

然后进行适当的编辑。 我发现上面没有提供自签名的CA证书GlobalSignRootCA,所以join了。

3)确定ocsp URI,例如 

 openssl x509 -noout -ocsp_uri -in wikipedia.pem

哪个返回 

 http://ocsp2.globalsign.com/gsorganizationvalsha2g2

4)调用openssl ocsp客户端,例如 

 openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2

哪个返回 

 [woody@oc2042275410 testCerts]$ openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http ://ocsp2.globalsign.com/gsorganizationvalsha2g2 Error querying OCSP responsder 140062843348808:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden

(responsder?)

我读到,这是由于虚拟化问题,所以 

 openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com"

这产生了 

 Response Verify Failure 140400906352456:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate wikipedia.pem: good This Update: Apr 28 23:10:10 2015 GMT Next Update: Apr 29 11:10:10 2015 GMT

所以我得到OCSP返回证书是好的,但这导致了问题1: 为什么错误“无法获得本地发行人证书”?

好的,再次尝试与谷歌。 相同的例程,捕获证书,检查OCSP URI: 

 openssl x509 -noout -ocsp_uri -in google.pem

产量 

 http://clients1.google.com/ocsp.

很公平: 

 openssl ocsp -issuer gchain.pem -cert google.pem -url http://clients1.google.com/ocsp Error querying OCSP responsder 140433209165640:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=404,Reason=Not Found

未find? 这似乎令人惊讶。 用wireshark检查: 

 > POST /ocsp HTTP/1.0 > Content-Type: application/ocsp-request > Content-Length: 112 > 0n0l0E0C0A0...+..........j.....pI#z...(~d...U.. [.5...J:.......l..9.....{6.#0!0...+.....0......].O.9..}d`.L... < ~HTTP/1.0 404 Not Found < Content-Type: text/html; charset=UTF-8 < X-Content-Type-Options: nosniff < Date: Tue, 28 Apr 2015 22:42:40 GMT < Server: sffe < Content-Length: 1429 < X-XSS-Protection: 1; mode=block < Alternate-Protocol: 80:quic,p=1 < < <!DOCTYPE html> < <html lang=en> < <meta charset=utf-8> < <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> < <title>Error 404 (Not Found)!!1</title> < <style> < *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/errors/logo_sm_2.png) no-repeat}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/errors/logo_sm_2_hr.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/errors/logo_sm_2_hr.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/errors/logo_sm_2_hr.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:55px;width:150px} < </style> < <a href=//www.google.com/><span id=logo aria-label=Google></span></a> < <p><b>404.</b> <ins>That...s an error.</ins> < <p>The requested URL <code>/ocsp</code> was not found on this server. <ins>That...s all we know.</ins>

这就是问题2: 这是否正确,OCSP是否被移动,并且不存在于OCSP URI? 服务器是否可以统一迁移到OCSP装订,而不再考虑OCSP服务器?

关于1)

OCSP有一个“响应签名密钥/证书对”,用于authentication响应。 该证书在下列回复中给出: 

 $ openssl ocsp -issuer chain.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text -----BEGIN CERTIFICATE----- [...] UMiqxBNugzQ= -----END CERTIFICATE-----

所以让我们把它保存到signcert.pem中,看看结果如何: 

 $ openssl ocsp -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text | sed -n '/-----BEGIN/,/-----END/p' > signcert.pem $ openssl verify signcert.pem signcert.pem: C = BE, O = GlobalSign nv-sa, CN = GlobalSign OV CA - SHA256 - G2 OCSP responder - 2, serialNumber = 20150914163800 error 20 at 0 depth lookup:unable to get local issuer certificate

好的…猜猜我们错过了中间人? 

 $ openssl x509 -noout -text -in signcert.pem | grep -e 'Issuer:' -e '.crt' Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2

好吧,没有颁发者URI字段…这只是肮脏的。 让我们从CA中获取并形成一个链: 

 $ curl https://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt | openssl x509 -inform der -outform pem >> signcert.pem

好的,这应该是…: 

 $ openssl ocsp -VAfile signcert.pem -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" -resp_text [...] -----BEGIN CERTIFICATE----- [...] /TiSgNCpgNg= -----END CERTIFICATE----- Response Verify Failure

跆拳道? 哦,不同的签署证书? 

 $ cat >> signcert.pem -----BEGIN CERTIFICATE----- MIID9DCCAtygAwIBAgISESEjxqkycL2lZt0CfS9OgUN2MA0GCSqGSIb3DQEBCwUA MGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYD VQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hB MjU2IC0gRzIwHhcNMTUwODIwMTgxOTQxWhcNMTUxMTIwMTgxOTQxWjB9MQswCQYD VQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTE6MDgGA1UEAxMxR2xv YmFsU2lnbiBPViBDQSAtIFNIQTI1NiAtIEcyIE9DU1AgcmVzcG9uZGVyIC0gMTEX MBUGA1UEBRMOMjAxNTA4MjAyMDE4MDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQC+8xxGkIda/04pKK3AXuLz8S8EH4qouLbP/lrd+DFY1oI8fU4kosO+ WjvBPMeK1ZvvR6YjcNhIRsoYsDWdvhMv8/qvu1GQBrs1oC2910lg3fGIR48LR6TR +XYC1jFv0IHaF5vp+e2nu3diJi7FKHMbP5jVdd1e6cuEcrq+pEW7WkPDQnhzh6U/ GGdhxbH8uk4KPH42Os0Rf6la99EyXzJZ8zccy0ySGnIOF5Km1efXg0qwx3PEk3MQ fbFG3n4zE7lwBsrEgACI+V9K50tWfJIAm8Ll/xpGhvqF+6swCr0WExMcqaNpdVsf hiHFD18k8v4R6t7ht+cWx1YvSSA+/hz3AgMBAAGjgYQwgYEwCQYDVR0TBAIwADAO BgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYJKwYBBQUHMAEF BAIFADAdBgNVHQ4EFgQU8haQnheoUW3t3+j0OaxZMUgEjIkwHwYDVR0jBBgwFoAU lt5h8b0cFilTHMDMfTuDAEDmGnwwDQYJKoZIhvcNAQELBQADggEBAH0MXy5hmHXc G88ntZ2YcM3C6AAVqpfZ2+KYwL06cjmAFvNx6nWUN2w5MD59fiQC3DENCvlEGe29 d9+zsPM4hwEVRGKBIDueXycI0BNRAViacaks4OqRcc8gi1SBE5j94yt1kfp6VBhc yQBU4Cg5UBy4OA3SsnYdt/Ur1Xm+BDlpi5WWROM1O5UECquLU3/P1prxF78EkTdv OSGtP1VLMS47hk5v+sUC3hnfwUyKnr2oiVV6CvxxLOipdeDGl68dVisauNf7Dp9H YvO8OLkN9es+R2AV5iFIzLWHjsQxLOrY18bi6N0zMP7tuZIRSVpil+b49KJ8T/e1 /TiSgNCpgNg= -----END CERTIFICATE----- ^D

手指交叉… 

 $ openssl ocsp -VAfile signcert.pem -issuer chain_wikipedia.pem -cert wikipedia.pem -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header "HOST" "ocsp2.globalsign.com" Response verify OK wikipedia.pem: good This Update: Sep 15 17:01:20 2015 GMT Next Update: Sep 16 05:01:20 2015 GMT

地狱呀!