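When I run the command openssl s_client -connect www.google.com:443 from a Debian VM, the output includes:
Verify return code: 20 (unable to get local issuer certificate)
What is going on here? I've never had certificate problems with Google, so it must be something with Debian or its OpenSSL library. When a tool like this can't validate a system I know works, debugging other SSL systems is hard!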
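In another Linux distribution I use, the bare -connect verb doesn't actually import the root CA bundle installed on the system. To do that, you need to add -CApath /etc/ssl/wherever/, where the path is the location of your root CA certificate bundle.
Without CAPath: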
CONNECTED(00000003)
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
With CAPath:
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mail.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
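
Added example, not part of the original answer: a small Python parser that reads the two transcripts above and reports which issuer has to come from the local trust store when s_client stops with error 20. The function names are hypothetical, and it assumes the server sent its chain in order, so chain index N is the certificate at verify depth N.

```python
import re

# Constructed input: the two transcripts quoted in the answer above.
CHAIN = """---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
"""
WITHOUT_CAPATH = """CONNECTED(00000003)
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
""" + CHAIN
WITH_CAPATH = """CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mail.google.com
verify return:1
""" + CHAIN

def parse_s_client(text):
    """Return (verify_errors, sent_chain) parsed from s_client output."""
    errors, depth = [], None
    for line in text.splitlines():
        if m := re.match(r"depth=(\d+) ", line):
            depth = int(m.group(1))          # depth the next verify lines refer to
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            errors.append((depth, int(m.group(1)), m.group(2)))
    chain = re.findall(r"^ *(\d+) s:(.*)\n +i:(.*)$", text, re.M)
    return errors, [(int(i), s, iss) for i, s, iss in chain]

def missing_trust_anchor(text):
    """Issuer DN that must be supplied locally (-CApath/-CAfile) when
    verification stopped with error 20; None if no such error was logged."""
    errors, chain = parse_s_client(text)
    subjects = {s for _, s, _ in chain}      # certificates the server did send
    for depth, num, _ in errors:
        if num == 20 and depth < len(chain) and chain[depth][2] not in subjects:
            return chain[depth][2]
    return None

if __name__ == "__main__":
    for name, text in (("without -CApath", WITHOUT_CAPATH), ("with -CApath", WITH_CAPATH)):
        print(name, "->", missing_trust_anchor(text) or "chain verified")
```

In the first transcript the server sent certificates 0 and 1 only, so the VeriSign root named as issuer of certificate 1 must be found locally; the depth=2 line in the second transcript is that root being loaded from the CApath directory.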