服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 为什么我的新Ubuntu 12.04无法validationVerisign SSL证书?
Intereting Posts
Secure Domain.nl,SSLauthenticationDomain.com的别名不能与.com的SSL证书一起使用 1GBcaching内存 – 我需要更多的内存? Zabbix无法从代理商获得价值 无法login到SBS 2008 如何知道服务器在崩溃时正在做什么? 基本组策略编辑器的东西 iptable-restore设置INPUT允许所有 通过虚拟主机和应用程序分配Tomcat日志 即使使用绝对path也无法在后台使用autossh Suse 9支持FAT32文件系统吗? 使用附加的指定EBS卷启动新的EC2实例 活动目录:新用户注册失败 客户端没有从某个DHCP服务器获取地址 服务器内存不断使用率为91%,但网站仍在升级(cpu 0%) 双栈linux路由器,不能转发IPv6前缀

为什么我的新Ubuntu 12.04无法validationVerisign SSL证书?

简而言之:这个请求失败。 

$ curl 'https://secure.ogone.com/ncol/prod/orderstandard.asp' -vv * About to connect() to secure.ogone.com port 443 (#0) * Trying 213.254.248.101... connected * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * Unknown SSL protocol error in connection to secure.ogone.com:443 * Closing connection #0 curl: (35) Unknown SSL protocol error in connection to secure.ogone.com:443

我知道需要一些连接手动设置为sslv1或sslv3的sslv2安全风险。

然而,这项工作也没有: 

 $ curl 'https://secure.ogone.com/ncol/prod/orderstandard.asp' -3 curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

如果我在networking浏览器中访问网站,证书会被检查出来。

我正在使用亚马逊aws ec2云(64位,从ec2向导的标准模板之一…)的裸ubuntu 12.04图像)

我真的不知道如何开始debugging,你能指出我的方向吗?

这里有一些可能有用的其他信息: 

 $ openssl s_client -connect secure.ogone.com:443 CONNECTED(00000003) 140292983105184:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 226 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---

和ssl3 

 $ openssl s_client -connect secure.ogone.com:443 -ssl3 CONNECTED(00000003) depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=V1.0, Clause 5.(b)/serialNumber=0459.360.623/C=BE/ST=Bruxelles-Capitale/L=Bruxelles/O=ogone sa/OU=System and Security Department/OU=Terms of use at www.verisign.com/rpa (c)05/CN=secure.ogone.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIGOjCCBSKgAwIBAgIQCwc32mrm6LjjQI1bqD859TANBgkqhkiG9w0BAQUFADCB vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew HhcNMTAwOTI3MDAwMDAwWhcNMTIxMTI1MjM1OTU5WjCCARMxEzARBgsrBgEEAYI3 PAIBAxMCQkUxGzAZBgNVBA8TElYxLjAsIENsYXVzZSA1LihiKTEVMBMGA1UEBRMM MDQ1OS4zNjAuNjIzMQswCQYDVQQGEwJCRTEbMBkGA1UECBQSQnJ1eGVsbGVzLUNh cGl0YWxlMRIwEAYDVQQHFAlCcnV4ZWxsZXMxETAPBgNVBAoUCG9nb25lIHNhMScw JQYDVQQLFB5TeXN0ZW0gYW5kIFNlY3VyaXR5IERlcGFydG1lbnQxMzAxBgNVBAsU KlRlcm1zIG9mIHVzZSBhdCB3d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEZMBcG A1UEAxQQc2VjdXJlLm9nb25lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBANRrC72j2Glzo6Z6NcMXGVEIyoZx3s74Q3ZQ1o0NSIyhS/0pHnZ0JUcd S3qEJ3e1As2cMD303gOGWrCM96uBENTUK/Zdyq117yIhdLmgJjPWJWUgRdMrfZNU LiOKYs2GkXmNGHzFiTTh5aFWdJKD8qcY0RIaGJX6h/p9YMfn/n8bTijgIaTJeZFv BLE6C10R54G2pX6cIN9cW86MCUCnAskVVf6To/IetH5LPSHj6HPXpSzUKWgdKGlO gQlQ2L+o/4fuemDRkZck2LEM6q0OXC2X19M/2pJYG8f/HJf52b+KHhGMnk0MTZ0Z Ki/MWRMCSbnB+4ZNAXkwcn9+7NxnCrcCAwEAAaOCAdowggHWMAkGA1UdEwQCMAAw CwYDVR0PBAQDAgWgMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwYwKjAoBggrBgEF BQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczA+BgNVHR8ENzA1MDOg MaAvhi1odHRwOi8vRVZJbnRsLWNybC52ZXJpc2lnbi5jb20vRVZJbnRsMjAwNi5j cmwwNAYDVR0lBC0wKwYIKwYBBQUHAwEGCCsGAQUFBwMCBglghkgBhvhCBAEGCisG AQQBgjcKAwMwHwYDVR0jBBgwFoAUTkPIHXbvN1N6T/JYb5TzOOLVvd8wbwYIKwYB BQUHAQEEYzBhMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20w OQYIKwYBBQUHMAKGLWh0dHA6Ly9FVkludGwtYWlhLnZlcmlzaWduLmNvbS9FVklu dGwyMDA2LmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFowWDBWFglpbWFnZS9naWYw ITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRwOi8vbG9n by52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQADggEBAIwD Q6sJ7b/xtQmnZjcNL/2Xn3Fb6C28EDMZrTTU+Kz1HNSGH559MZ64O6eq7y6Opm8T WMHNxJzLaBJr8P+lfmLSl9yBgIGi7Yn/cXewZ/cdHfZ/0RJNZTeFcItnqTraVZ1m GOQ5371uH+ZM04WMbtx+m8oZOo0EVOgXEhlyTKfssY0Eh9aC/gR/icKmTVO1e7UG +rWnsZHgSPqQ8GNmmLdU4xeGtui35aUO5jkY77hyD0vEbzUVVu6I7QkKIca1bHXW vCSruz+f/RDCDWMhDnvHHdfQCh/Vz7k7tR+5l3fzb94xNg6p8tUZlcaJo6afSgf8 6K1m5u1J1UF78fQ7D+I= -----END CERTIFICATE----- subject=/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=V1.0, Clause 5.(b)/serialNumber=0459.360.623/C=BE/ST=Bruxelles-Capitale/L=Bruxelles/O=ogone sa/OU=System and Security Department/OU=Terms of use at www.verisign.com/rpa (c)05/CN=secure.ogone.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA --- No client certificate CA names sent --- SSL handshake has read 4647 bytes and written 483 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : RC4-MD5 Session-ID: 6855CEA279C3DFBDE13EB6548FA84232F24326CAC2871ECDF7958C7F3A439E43 Session-ID-ctx: Master-Key: 493A03042D257B55049D85D17A54E0CD006F5CF6A41596FD73B8444EA79849F419CD02747AA4C1AE16BF15D525E541ED Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1344874575 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) ---

(程序不退出并接受stdin)

运行update-ca-certificates --fresh 。 一些Ubuntu 12.04安装缺less/ etc / ssl / certs(/etc/ssl/certs/ee1365c0.0等)中的符号链接。没有符号链接,依赖它们的应用程序(如openssl,wget,curl)将会失败。

您可以通过运行得到更多关于正在发生的事情的信息: 

 openssl s_client -connect secure.ogone.com:443

我从Centos 5.8,6.3和Fedora 17中检查,他们都认为证书链是完全有效的。

连接似乎是SSLv3, SSL_RSA_WITH_RC4_128_MD5 ,这似乎是合理的。