服务器 Gind.cn
  1. 服务器 Gind.cn
  3. openssl s_client报告证书确定,但其他客户报告问题
Intereting Posts
将整个网站从一台服务器迁移到另一台(都使用cPanel) haproxy 503没有可用的服务器来处理这个请求 是否可以将Google桌面searchconfiguration为在SharePoint安装上索引数据? Linux中的非login帐户可以连接scp吗? try_files如何工作? Sql Server 2008,Active Directory组和失败的login WSUS似乎正在运行,但在应用程序日志中报告错误(DSS身份validationWeb服务不起作用) 使用DHCP将第二个networking添加到terraform计划 服务器不发送ICMP回应答复 从Tru64 Unix中恢复数据 如何限制networking上的设备的路由器的带宽速度? Windows Server 2008 R2:在客户端计算机上的win-explorer中隐藏networking位置并显示映射的驱动器以访问networking资源 通过GKE负载均衡器到节点的stream量被拒绝 更好的Windows Server 2008 R2 x64 VPS防病毒 Google云默认networking未find错误

openssl s_client报告证书确定,但其他客户报告问题

我已经build立了一个SSL证书的服务器,添加了必要的链,并完成了Apache的设置。 我已经testing使用: 

openssl s_client -CAPath /etc/ssl/certs -connect www.example.org:443

并获得各种输出,包括: 

 Verify return code: 0 (ok)

firefox和chrome都对网站感到满意,但是有些客户(包括svn)报告证书被拒绝。 怎么了?

这里是openssl的完整输出: 

 $ openssl s_client -CApath /etc/ssl/certs -connect www.aptivate.org:443 CONNECTED(00000003) depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = [email protected] verify return:1 depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority verify return:1 depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287 verify return:1 depth=0 O = *.aptivate.org, OU = Domain Control Validated, CN = *.aptivate.org verify return:1 --- Certificate chain 0 s:/O=*.aptivate.org/OU=Domain Control Validated/CN=*.aptivate.org i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 1 s:/O=*.aptivate.org/OU=Domain Control Validated/CN=*.aptivate.org i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] 4 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] --- Server certificate -----BEGIN CERTIFICATE----- MIIFVzCCBD+gAwIBAgIHJ+uaBU9wOjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlm aWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5 IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5Njky ODcwHhcNMTEwMTEyMTcwNjE4WhcNMTQwMTEyMTcwNjE4WjBVMRcwFQYDVQQKDA4q LmFwdGl2YXRlLm9yZzEhMB8GA1UECwwYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVk MRcwFQYDVQQDDA4qLmFwdGl2YXRlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBANogFQnLwi8hKKJ6rm117cJSxeIOmt9dZT+5MsxQO7YesHM/hOuy /Dk6WI6eaFPgms+w1EgEalbyaagMpnAoCnfQPfXFM221MzKXbD9w0+iXi3nwdCBw vnsgPsCtaz1uDBrEALN+NympRyb8jGVWCaGY2ypPxpqvO8olkNSvrVhsFy+EdfmA IPvCinuvBQXaUI6gcoEAM/yFE4u2a0NkXip/vmUgAH8u5Hz/ksx36J+oWpl59ofk 6K+VuudjRU8vpaoYY2HSL01p1w1b6QFHU2RvD/FrQg0spZXflfULULEbjcH69gEL slg9oqL3coVS8XVN0wwWM10SHUQN4s2rhTsCAwEAAaOCAbQwggGwMA8GA1UdEwEB /wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB /wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29t L2dkczEtMjguY3JsME0GA1UdIARGMEQwQgYLYIZIAYb9bQEHFwEwMzAxBggrBgEF BQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYI KwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNv bS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20v cmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKT bEXW4u6FX5q653aZaMznMCcGA1UdEQQgMB6CDiouYXB0aXZhdGUub3JnggxhcHRp dmF0ZS5vcmcwHQYDVR0OBBYEFIfBDt6TU0GGA1uyaEeC3yePHYgoMA0GCSqGSIb3 DQEBBQUAA4IBAQAjJ27yI6vf9QwFIWDiqyTx7jsWYJAGqPG0KsyNgMYBaXdSSY+b q0dKSRtBwX8sM4sR1ahSNLFlajIy+3dzm/qsk16vKgV+NPgz+Zl7pqm6NaObW+uV XWw9QHln7jvQXadhV9JXU4/mjF76/0eWs1egLhBn8vgtcqAS4ZckwxLXNmEGm729 IGIppZwe/yy66KJ2tahkCeWBcrNkdcnxsWsD60hfRR4fe8FrQMUxeeIca7c3LguG 0KhtI/fJN+iVORdfG8enJkjZzQW67z/W3gFM1AVIrnmu94DQ9Ro/vD7vp55YkBld 28o9agLg5Dl9cu5Xs7onqcTTJJpCp3AQHQE3 -----END CERTIFICATE----- subject=/O=*.aptivate.org/OU=Domain Control Validated/CN=*.aptivate.org issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 --- No client certificate CA names sent --- SSL handshake has read 5325 bytes and written 416 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: 5098DC94E1FF98BBD0DBA424A973728346F974FF02700928ECA32E27E10992F5 Session-ID-ctx: Master-Key: DBE2733FE83E8B3105FD1F63D023AF4DFC5BBA028CC1DD35107FDC9F913A88E2F58C65FBC5839525BF4D529A7DBBA91E Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1352195224 Timeout : 300 (sec) Verify return code: 0 (ok) ---

原来在连锁店里有一个重复的证书。 openssl并不介意,但gnutls呢 – svn使用gnutls(如LDAP和mutt,如果他们是你的问题)。 这里是gnutls-cli命令(至lessUbuntu / Debian系统): 

 $ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 443 www.aptivate.org

尽pipe你可以用gnutls或openssl来看链条。 在从上面的openssl输出,你可以看到有一个重复的证书。 

 Certificate chain 0 s:/O=*.aptivate.org/OU=Domain Control Validated/CN=*.aptivate.org i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 1 s:/O=*.aptivate.org/OU=Domain Control Validated/CN=*.aptivate.org i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] 4 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected] i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]

为了validation这一点,链中每个项目的i:发行者) 必须与下一个项目的s:主题)相匹配。

在这种情况下,我已经把证书放在自己的文件中, 把它放在链接文件中。 所以0i不匹配1s 。 这足以使svn拒绝证书。

任何不好的顺序导致这个问题。 所以,如果你有2和3错误的方式,你会得到validation错误。