我正在尝试构build一个openssl证书链,它将与标准的CentOS 4安装作为客户端一起工作。 (我知道这是非常古老的,但这是我们的客户正在使用,所以我们需要支持它)。
第一个问题是CentOS 4 openssl CA bundle并不包含所有的现代证书,特别是GoDaddy根证书
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority 所以我挖了一遍,find了上述证书的Valicert证书,并把它放在了链条中。 在CentOS 5(openssl 0.9.8e)上运行openssl s_client ,这个链可以validation,但是在CentOS 4(openssl 0.9.7a)上不validation。
CentOS 5输出:
$ openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect svn.example.org:443 CONNECTED(00000003) depth=4 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] verify return:1 depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority verify return:1 depth=2 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 verify return:1 depth=1 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 verify return:1 depth=0 /OU=Domain Control Validated/CN=*.example.org verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/CN=*.example.org i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] --- Server certificate -----BEGIN CERTIFICATE----- [ SNIP ] -----END CERTIFICATE----- subject=/OU=Domain Control Validated/CN=*.example.org issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 --- No client certificate CA names sent --- SSL handshake has read 5697 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: [ SNIP ] Session-ID-ctx: Master-Key: [ SNIP ] Key-Arg : None Krb5 Principal: None Start Time: 1394712184 Timeout : 300 (sec) Verify return code: 0 (ok) --- DONE
而在CentOS 4上:
$ openssl s_client -CAfile /usr/share/ssl/certs/ca-bundle.crt -connect svn.example.org:443 CONNECTED(00000003) depth=4 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] verify return:1 depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority verify return:1 depth=2 /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 verify error:num=7:certificate signature failure verify return:0 --- Certificate chain 0 s:/OU=Domain Control Validated/CN=*.example.org i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] --- Server certificate -----BEGIN CERTIFICATE----- [ SNIP ] -----END CERTIFICATE----- subject=/OU=Domain Control Validated/CN=*.example.org issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 --- No client certificate CA names sent --- SSL handshake has read 5697 bytes and written 343 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: [ SNIP ] Session-ID-ctx: Master-Key: [ SNIP ] Key-Arg : None Krb5 Principal: None Start Time: 1394712595 Timeout : 300 (sec) Verify return code: 7 (certificate signature failure) --- DONE
在这一点flummoxed,任何想法赞赏。
假设您链中的证书#3是https://certs.godaddy.com/anonymous/repository.pki gdroot-g2_cross.crt具有SHA1指纹gdroot-g2_cross.crt证书#1 1 1 gdroot-g2_cross.crt 84 1D 4A 9F C9 D3 B2 F0 CA 5F AB 95 52 5A B2 06 6A CF 83 22 , 使用SHA256WithRSA进行签名 。 那么, Go Daddy Root Certification Authority - G2的实际根目录Go Daddy Root Certification Authority - G2是gdroot-g2.crt 47 BE AB C9 22 EA E8 0E 78 78 34 62 A7 9F 45 C2 54 FD E6 8B ,不是您认定的那个Go Daddy Secure Certificate Authority - G2显然是中间的,显然gdig2.crt 27 AC 93 69 FA F2 52 07 BB 26 27 CE FA CC BE 4E F9 C3 19 B8 。
(一)OpenSSL 0.9.7我仍然在我的系统之一,0.9.7d, 不支持SHA-2 。 它的date是2004年,基数0.9.7显然是2002年12月,FIPS 180-2是2002年8月发布的。
我build议你检查你的实体证书; 它也可以用SHA256签名。 你的#1显然是gdig2.crt ,这是肯定的。 如果是这样,这些将不会在0.9.7工作; 你没有看到一个错误,因为它已经失败了上游链。
我不确定你能否在2014年初NIST截止date之后find一个商业的CA来颁发SHA1签名的证书(和连锁)。 如果是这样,它可能不会很长时间有效,然后你会再次面对同样的问题。 如果客户愿意更改他们的信任仓库(无论是系统的,还是不更改代码的)或任何客户端应用程序所使用的用户存储区,都可以为您的服务器创build一个自签名的SHA1证书密钥使用openssl并让客户端(s?)相信。 根据您的服务器,如果您可以将来自不良客户端的请求分区到不同的端口或地址,则可能只能使用自制的SHA1证书,而对其他人使用您的商用SHA256证书。