When I try to create a new Sekken client, it throws an OpenSSL error saying there is a self-signed certificate in the chain.
require 'sekken'
url = "https://bridgerinsighteu.lexisnexis.com/webservicesapi/9.0/xgservices.svc?wsdl"
client = Sekken.new(url)
I can reproduce the error with OpenSSL, and I can fix it by passing the location of the SSL certificate store.
openssl s_client -showcerts -connect bridgerinsighteu.lexisnexis.com:443
returns error code 19 (self signed certificate in certificate chain), but
openssl s_client -showcerts -CApath /etc/ssl/certs -connect bridgerinsighteu.lexisnexis.com:443
returns code 0 (ok).
So I'm not sure how, or what I need to do, to pass that certificate path to Sekken for use in the OpenSSL check. Sekken does allow an HTTPClient gem object to be passed to the constructor, so maybe there is something there? But I couldn't figure it out. Or maybe an environment variable? Does anyone have any ideas on how to get the Sekken constructor to use a specific certificate path or certificate?
The machine is Ubuntu 14.04 x64, ruby via rvm is ruby 2.1.1p76, and sekken is installed via a Gemfile from github.
Answer 0 (score: 0)
openssl s_client -showcerts -CApath /etc/ssl/certs -connect bridgerinsighteu.lexisnexis.com:443
Ignore that. The server is misconfigured and is sending the CA root. The server should only send the server's certificate and all the intermediates needed to build a path to the root. It is up to the client to trust the root.
Here is what your command should look like (avoid the CA Zoo in /etc/ssl/certs and only trust what is needed):
openssl s_client -connect bridgerinsighteu.lexisnexis.com:443 -CAfile <Trustwave Root CA>
You can get <Trustwave Root CA> from Trustwave SSL - Support - Root Download. Get the one named Trustwave Extended Validation CA in PEM format.
Here is what it looks like when using the Trustwave Extended Validation CA (evca.crt). Note the Verify return code: 0 (ok) at the tail of the output.
$ openssl s_client -connect bridgerinsighteu.lexisnexis.com:443 -CAfile evca.crt
CONNECTED(00000003)
depth=2 C = US, O = SecureTrust Corporation, CN = SecureTrust CA
verify return:1
depth=1 C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = "Trustwave Organization Validation CA, Level 2", emailAddress = ca@trustwave.com
verify return:1
depth=0 CN = *.lexisnexis.com, O = LexisNexis, L = Miamisburg, ST = Ohio, C = US
verify return:1
---
Certificate chain
0 s:/CN=*.lexisnexis.com/O=LexisNexis/L=Miamisburg/ST=Ohio/C=US
i:/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com
1 s:/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com
i:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
2 s:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
i:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
---
Server certificate
subject=/CN=*.lexisnexis.com/O=LexisNexis/L=Miamisburg/ST=Ohio/C=US
issuer=/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com
---
No client certificate CA names sent
---
SSL handshake has read 3569 bytes and written 831 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 684051C7B37B4A255AE51BFC67CFC4BF...
Session-ID-ctx:
Master-Key: 53C559C9F85A6CB1788BFC20E1A1997C...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1399081838
Timeout : 300 (sec)
Verify return code: 0 (ok)
So I'm not sure how, or what I need to do, to pass that certificate path to Sekken for use in the OpenSSL check.
All you need to do is specify the Trustwave Extended Validation CA (evca.crt) as the root Sekken uses when building the verification path. I'm not a Sekken guy, but I know how to do it in other languages and libraries, like .Net, Java, OpenSSL, Perl, Python, etc.
Since you specified the Ruby tag, here is a test script I use for some Ruby PKI testing:
#!/usr/bin/ruby
require 'net/http'
require 'openssl'
uri = URI('https://bridgerinsighteu.lexisnexis.com:443')
http = Net::HTTP.new(uri.host, uri.port)
# Enable SSL/TLS?
if uri.scheme == "https"
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  # Trust only the single root needed to build the path (evca.crt next to this script)
  http.ca_file = File.join(File.dirname(__FILE__), "evca.crt")
end
req = Net::HTTP::Get.new('/')
http.request(req)
This is just bike shedding... You have the Trustwave Extended Validation CA in /etc/ssl/certs. If the certificate were missing, s_client would fail when using CApath.
Trustwave has proven to be very untrustworthy. In the past, it facilitated the interception of all SSL/TLS traffic by issuing a certificate for a domain that was not under the control of the person wanting the certificate.
"Trust" is tricky to define. A better definition I have seen is "X expects Y to do Z". That is, X expects or trusts Y to do Z because (1) Y says it does Z and (2) X accepts or endorses Z.
If you plug in PKI: "Users expect the CA to follow their CP and CPS". The CP is the "Certification Practice" and its policies; and the CPS is the Certification Practice Statement and its procedures. So the CP and CPS specify how the CA operates by defining the policy (CP) and the procedures that implement or enforce the policy (CPS).
If Trustwave followed their own published policies and procedures, then Trustwave would not issue certificates to intercept SSL/TLS traffic. Trustwave did not follow their own policies and procedures, so they proved themselves untrustworthy. Quod erat demonstrandum.
Answer 1 (score: 0)
OK, it looks like you can pass an HTTPClient instance to the Sekken constructor. But there is a bug in the constructor that prevents it from using the passed client. I hacked around it, but hopefully the owner will fix it properly? https://github.com/savonrb/sekken/issues/10
Once that is fixed, this is how I solved the problem. I created an HTTPClient instance, added the Trustwave root CA certificate to the instance's certificate store, and passed it to the Sekken constructor.
require 'sekken'
require 'httpclient'
url = "https://bridgerinsighteu.lexisnexis.com/webservicesapi/9.0/xgservices.svc?wsdl"
# this is the secure trust CA
cert = "/etc/ssl/certs/stca.pem"
http = HTTPClient.new
http.ssl_config.cert_store.add_file cert
client = Sekken.new(url, http)
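What is behind the error code 19 in the question and why this answer's fix (putting the one needed root into the client's certificate store) works, as an added example that is not code from the question, the answers, Sekken or HTTPClient: it builds a throwaway root/intermediate/leaf chain in memory so it runs offline, then verifies the leaf against an OpenSSL::X509::Store the way HTTPClient's ssl_config.cert_store does. The helper names make_cert and verify_chain and all subject names are assumptions made for this example.

```ruby
require 'openssl'

# Mint one certificate of a throwaway chain; issuer_cert/issuer_key are nil for the
# self-signed root. All names and keys here are constructed for this example.
def make_cert(subject, key, serial, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# root -> intermediate -> leaf, the same shape as SecureTrust -> Trustwave OV CA -> *.lexisnexis.com
ROOT_KEY, INT_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('/C=US/O=Example Trust/CN=Example Root CA', ROOT_KEY, 1, ca: true)
INT  = make_cert('/C=US/O=Example Trust/CN=Example Issuing CA', INT_KEY, 2, ca: true,
                 issuer_cert: ROOT, issuer_key: ROOT_KEY)
LEAF = make_cert('/CN=*.example.test', LEAF_KEY, 3, ca: false,
                 issuer_cert: INT, issuer_key: INT_KEY)

# Verify `leaf` against an explicit trust store, as HTTPClient's ssl_config.cert_store does.
# `untrusted` is what the server sent in the handshake; `trusted` is what the client chose to
# trust. Returns [ok, OpenSSL error code, message]: code 0 is "ok", code 19 is the
# "self signed certificate in certificate chain" from the question, code 20 means the
# issuer of the last certificate sent could not be found at all.
def verify_chain(leaf, untrusted, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }   # add_file does the same from a PEM on disk
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  ok = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

if __FILE__ == $0
  # Server sends leaf + intermediate + root (as in the question); client trusts nothing yet: [false, 19, ...]
  p verify_chain(LEAF, [INT, ROOT], [])
  # Client trusts just the one root it needs, not the whole /etc/ssl/certs zoo: [true, 0, "ok"]
  p verify_chain(LEAF, [INT, ROOT], [ROOT])
end
```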