在我们的nginx错误日志中,我们发现在过去几天里有一些类似这个错误:
/var/log/nginx/error.log.2.gz:2017/01/30 16:11:46 [crit] 13114#13114: *139338 SSL_do_handshake() failed (SSL: error:14094459:SSL routines:SSL3_READ_BYTES:tlsv1 bad certificate status response:SSL alert number 113) while SSL handshaking, client: XXXX, server: 0.0.0.0:443 我们使用让我们encryption这个证书。 我们不能自己再现这个问题,到目前为止,我们还没有能够从客户端得到任何可能导致这个问题的信息。
RFC 6066说这与OSCP有关:
在“CertificateStatus”消息中请求OCSP响应并接收到OCSP响应的客户端必须检查OCSP响应,并在响应不满足bad_certificate_status_response(113)警报的情况下中止握手。 这个警报总是致命的。
我们在我们的nginxconfiguration中有这个:
# OCSP Stapling # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on;
域名从SSL实验室获得A +,我们不能自己复制这个。 什么可能导致这个错误?
编辑 :对于在过去几天发生的3次,只有一个在访问日志中留下了IP地址的条目:
/var/log/nginx/access.log:XXXX - - [01/Feb/2017:12:12:51 -0500] "GET /images/foo/bar.png HTTP/1.1" 200 6174 "-" "Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.2.2639 Mobile Safari/537.35+"
编辑2 :这是openssl s_client -connect <address>:<port> -showcerts -status的输出openssl s_client -connect <address>:<port> -showcerts -status :
$ openssl s_client -connect foo.bar.com:443 -showcerts -status CONNECTED(00000003) depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 verify error:num=20:unable to get local issuer certificate verify return:0 OCSP response: ====================================== OCSP Response Data: OCSP Response Status: successful (0x0) Response Type: Basic OCSP Response Version: 1 (0x0) Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Produced At: Feb 2 02:49:00 2017 GMT Responses: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1 Serial Number: 0320C25EEBD8FE0BBC3678CC437E182E6D82 Cert Status: good This Update: Feb 2 02:00:00 2017 GMT Next Update: Feb 9 02:00:00 2017 GMT Signature Algorithm: sha256WithRSAEncryption 6b:10:31:84:c6:ec:32:2f:60:b2:5e:a9:a9:af:96:09:0d:53: 7d:1d:9d:25:4e:2a:c2:46:72:51:57:ae:62:d0:6f:b8:ae:0c: 50:d1:6f:f1:84:1f:8b:c8:fb:ed:08:8b:2f:8f:9d:d4:39:31: dc:6c:f5:99:27:d1:39:cb:f6:e8:c0:db:5e:99:e8:df:74:96: 79:5a:19:ae:b7:84:bc:e2:ff:66:da:1d:dc:ad:d5:90:af:d7: 30:83:28:65:fa:12:0e:46:5d:b4:4d:e0:a2:b8:75:3c:f9:15: 9e:b3:12:28:34:01:0c:53:05:ee:2a:26:d4:81:fb:9c:62:9b: d6:43:15:ab:a1:cb:f7:ca:e5:6b:4b:7d:79:dd:72:39:93:1e: 3f:e7:74:70:c5:de:79:27:db:79:bf:16:c8:ea:c4:a0:c7:d8: f1:5c:91:61:dd:4f:67:65:2f:4d:eb:76:8e:9d:ff:99:32:3d: 41:7d:35:e9:25:5b:c1:c6:b3:30:c4:8c:9f:56:8b:86:65:4f: 16:5f:b2:84:d3:f5:24:d9:9e:4f:b2:57:2a:e0:ee:67:01:e8: 72:1b:ad:fd:c8:fd:a9:d5:7c:a4:bb:aa:be:96:22:83:c7:d5: 36:82:51:27:f0:9f:00:9b:51:63:6c:39:02:29:dd:cc:7b:a9: 62:7a:03:ee ====================================== --- Certificate chain 0 s:/CN=foo.bar.com i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 -----BEGIN CERTIFICATE----- MIIFAjCCA+qgAwIBAgISAyDCXuvY/gu8NnjMQ34YLm2CMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAyMDIwMTUwMDBaFw0x NzA1MDMwMTUwMDBaMBoxGDAWBgNVBAMTD2FwcC5nZXRtYXBsZS5jYTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBALc4sKh6QmYPj78RZHBv07OCH0dPLNAj PGRUoIMfKInZnKw3ue88PHTIVxxLeUF7c+yWrEtR2LF9BesO7XWpz9jdGXmOmHyj KV/ThDtOvglO7c2foucATuziWcm/L/12ydPhJ3rHjHagXGrghEVxJSQwpLmgboAx LzQup9A7HVrh/fafmnCkEZVXm+HQxIFfsLBS0Cg4VRecstyeSduK/P19XxS/DJDx Rn3Ci09WRxfw2/gerDp8N4sAV1R7k7aI+j+mOWBpfOiGxyXKDErm9ZpULeahGo2Q AbwkZQTlnPlVzd2DeNLwPvL9PVzZpr+Xdn+mmyZZERQZv8A5zIRqfhMCAwEAAaOC AhAwggIMMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUUN66DA00cIF4jJJ6nfpLy8Gg lvYwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEE ZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu b3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0 Lm9yZy8wGgYDVR0RBBMwEYIPYXBwLmdldG1hcGxlLmNhMIH+BgNVHSAEgfYwgfMw CAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDov L2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0 aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRp ZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQ b2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9y eS8wDQYJKoZIhvcNAQELBQADggEBAAZB906DvRm88EojJtMPR4j8JaqS9tMjIrR7 lJz0o+y2CS8IVW3hGStlOc6lnxar0w9K6TO5OJXPVF1oaqZhtQuOTgxFPL/KObcd SIVpKwGNK83NwHSHhu/KrOQBUuTFCkEpH2rEgCDzvKLYwruWD1I3yXstdvmrZY0z LgrUWSq9Oy/1OK/r/W+t3Igr6uv+PXQPNPz7/Wf6h52h60JnbmnwJjQYhkoGbFKI ZLjsDnwKMvsZqw6ya9NscebsQAwo07/DTlKuY4Gvo+vBmhVxliBjvs5TkXMpWGr+ E1qIzL+vYDborgOFwPBiDW1cpqrNCf6RdPYCbcmiq5YpHd6qD/0= -----END CERTIFICATE----- 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- --- Server certificate subject=/CN=foo.bar.com issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent --- SSL handshake has read 4125 bytes and written 435 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 4F251FC1206A7455B45ABB58137F8EBFE0E23980C8C5FA2185F849AC92E99E39 Session-ID-ctx: Master-Key: 0C7B5BA714DAFA5791BA956DBC4BD642B6CABA21CB6622172B65AC3BACB063D910F38DA1D63E5A90B2C209FE442B5294 Key-Arg : None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 6e fe 98 71 de f9 22 6f-c6 6c b2 75 fb 94 96 3b n..q.."olu..; 0010 - 8e 35 66 14 6c c5 01 29-29 b8 fc 19 f7 dd 5a d8 .5f.l..)).....Z. 0020 - 6f 5b 5d f9 0c 55 f5 61-af 7e a3 fa 71 f1 7e a8 o[]..Ua~..q.~. 0030 - 61 26 ac ab fc a8 6a b0-43 da 47 fe 73 88 85 5e a&....jCGs.^ 0040 - 05 c5 15 30 3a 24 35 dc-60 30 eb 08 1a 1a 96 73 ...0:$5.`0.....s 0050 - 08 98 83 56 86 cf b4 c5-17 42 8c fd a3 f9 02 89 ...V.....B...... 0060 - 2d d3 75 1d 54 10 91 04-37 65 41 a2 02 7a 6d 4d -.uT..7eA..zmM 0070 - db 52 b2 46 67 cb ab 32-39 5f e8 e2 3f 98 5f 1b .R.Fg..29_..?._. 0080 - 69 e7 91 9a cd 76 03 85-09 79 cb c0 85 96 b1 f1 i....v...y...... 0090 - c4 bc 18 31 a5 0a 46 d5-4f 22 fd 70 7e 5d 68 08 ...1..FO".p~]h. 00a0 - 38 5b 36 66 8c ad e9 3a-e5 51 1a aa db 77 08 7d 8[6f...:.Q...w.} Start Time: 1486065610 Timeout : 300 (sec) Verify return code: 0 (ok) --- closed
西蒙,看起来像你在这篇文章中描述的情况。 configuration没有问题,看起来像是nginx的行为。 而且, 让我们encryptionOCSP也可能会出现问题 。