我正在解决错误,build立到EPP服务器的安全连接。 我发出下面的命令,看到所有的服务器证书都已经过validation,但仍然出现错误(以粗体突出显示)。 validation服务器的证书是否还存在问题? 如果是这样,那会是什么?
编辑:我削减了“可接受的客户端证书CA名称”,因为垃圾邮件检测器不喜欢他们。
$ openssl s_client -connect otessl.verisign-grs.com:700 -key /home/ubuntu/foo.key -cert /home/ubuntu/foo.crt -CAfile /home/ubuntu/foo-cert-chain.pem -CApath /etc/ssl/certs CONNECTED(00000003) depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority verify return:1 depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA verify return:1 depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 2497886, C = US, postalCode = 20190, ST = Virginia, L = Reston, street = 12061 Bluemont Way, O = "Verisign, Inc", OU = Production Operations, CN = otessl.verisign-grs.com verify return:1 <b> 140403406833312:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1260:SSL alert number 46 140403406833312:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: </b> --- Certificate chain 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2497886/C=US/postalCode=20190/ST=Virginia/L=Reston/street=12061 Bluemont Way/O=Verisign, Inc/OU=Production Operations/CN=otessl.verisign-grs.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- *snipped* -----END CERTIFICATE----- subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2497886/C=US/postalCode=20190/ST=Virginia/L=Reston/street=12061 Bluemont Way/O=Verisign, Inc/OU=Production Operations/CN=otessl.verisign-grs.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA --- Acceptable client certificate CA names *snipped - will post if needed* --- SSL handshake has read 10228 bytes and written 4199 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : RC4-MD5 Session-ID: 544D9C743C278DCE0AA4715E68CA7C7A3443F3596495EA3A27448B9F3E0AC575 Session-ID-ctx: Master-Key: 77E6E234FE7313C50C04B7C8F32B0D6C9B6520A114DA4253A97FF1C200544EBB21DBC2C7ECA45DF0546A27EFB466EF4F Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1414372468 Timeout : 300 (sec) Verify return code: 0 (ok) --- 您从服务器获取有关certificate unknown的错误,因此它指的是在服务器端validation您的客户端证书,而不是在客户端validation服务器证书(成功)。 这意味着服务器不喜欢你的客户端证书。
请检查您的客户证书对可接受的CA列表,确保它没有被撤销,也许做一个tcpdump / wiresharkvalidation,它实际上被发送到服务器。 如果这没有帮助,你可能会检查服务器端的日志文件,看是否有问题。
在我的情况下,客户不喜欢被迫做TLS,但当我们在https服务器中添加“SSLProtocol + SSLv3”时,客户感到温暖和模糊:
我刚刚经历了类似的事情。
您可能忘记安装CA证书。
如果你在Ubuntu或Debian上: apt-get install ca-certificates