The background to this is that I am doing some SOAP/WSDL application development with gSOAP and OpenSSL. The final application has to be cross-compiled for an embedded ARM device.
Everything works on my build system (Fedora 17 x64), but when I run the cross-compiled build on the target device (ARM / Montavista 5) I get the following error:

    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I started looking at OpenSSL to see whether I could narrow it down; there is clearly some difference in behaviour between my build system and my embedded system that causes verification to fail.
I ran the following command on both (the IP address is google.com):

    openssl s_client -showcerts -connect 173.194.67.104:443 -verify 9

The output from the two machines is listed below. I am running openssl 1.0.1c in both cases. In particular, the target (ARM) system appears to receive/interpret a different certificate chain.
I have no idea why the output differs. Can someone explain how I can get my target device to verify certificates correctly, the same way the build machine does?
Build system (Fedora 17 x64):

    verify depth is 9
    CONNECTED(00000003)
    depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
    verify return:1
    depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
       i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    -----BEGIN CERTIFICATE-----
    [REMOVED FOR BREVITY]
    -----END CERTIFICATE-----
     1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    -----BEGIN CERTIFICATE-----
    [REMOVED FOR BREVITY]
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1907 bytes and written 299 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: C05953342AC01E9AB63CF0BABBE942B4E29061AA4904C3F1393EBBB1548B0254
        Session-ID-ctx:
        Master-Key: 38B97C0CC2795AD1D3EEACAE244E33F1E5A0988AE9182AC85DFFF5B6BFAE6585E6BCF763E1E0EB300CD38B87CC0F2501
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        [REMOVED FOR BREVITY]

        Start Time: 1347036912
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
Target device (ARM / Montavista 5):

    verify depth is 9
    CONNECTED(00000003)
    depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
       i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    -----BEGIN CERTIFICATE-----
    [REMOVED FOR BREVITY]
    -----END CERTIFICATE-----
     1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    -----BEGIN CERTIFICATE-----
    [REMOVED FOR BREVITY]
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2130 bytes and written 443 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-RC4-SHA
        Session-ID: AA9E7D7AD223F18241A210D224B8BEF4A441572C1A9719BF3504FB03297D85DE
        Session-ID-ctx:
        Master-Key: 7A15F2071D50C076C0524AAD45857C5683212370582AD7D9F882B64104F0A0A8C2948B8B85C1EC19015C51CAC30D4A05
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        [REMOVED FOR BREVITY]

        Start Time: 1347036508
        Timeout   : 300 (sec)
        Verify return code: 27 (certificate not trusted)
Answer 0 (score: 0)

The error message is quite clear: openssl cannot verify, using the CA store on the ARM box, that the CA which signed the server certificate is trusted.
To confirm this, you can download the trusted CA bundle from the curl website, http://curl.haxx.se/ca/cacert.pem, and use the -CAfile parameter to make s_client use it:

    openssl s_client -showcerts -connect 173.194.67.104:443 -verify 9 -CAfile <full_path_to_cacert.pem>

To do this programmatically, see the SSL_CTX_load_verify_locations function.
Also see the source code of the openssl command-line tool for more details: http://cvs.openssl.org/fileview?f=openssl/apps/s_client.c&v=1.169 (search for CAfile & SSL_CTX_load_verify_locations).
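A small shell helper, added here as an example and not part of the answer or of the openssl project, that runs the answer's -CAfile check and reads the "Verify return code" line, since s_client exits 0 even when chain verification fails. It assumes the openssl binary is on PATH; the host, port and CA-bundle path are supplied by the caller, and the two sample outputs embedded in it are constructed from the question's own output.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the s_client check from the
# answer with an explicit CA bundle and reports the verify code. s_client's exit
# status only says whether the TCP/TLS connection happened, so the
# "Verify return code" line is what tells you whether the chain was trusted.
# Assumes the openssl binary is on PATH; host, port and CA path are caller-supplied.

# Pull the numeric code out of s_client output (0 = chain verified,
# 20 = unable to get local issuer certificate, 27 = certificate not trusted).
verify_code() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Run s_client against host:port with the given CA bundle and print the verify
# code. Returns 1 if openssl could not connect or the bundle is unreadable,
# 2 if no verify code line was found in the output.
probe_chain() {
    host=$1; port=$2; cafile=$3
    [ -r "$cafile" ] || { echo "CA bundle not readable: $cafile" >&2; return 1; }
    out=$(openssl s_client -showcerts -connect "$host:$port" -verify 9 \
              -CAfile "$cafile" </dev/null 2>&1) || return 1
    code=$(verify_code "$out")
    [ -n "$code" ] || return 2
    printf '%s\n' "$code"
}

# Constructed samples, cut down from the two outputs in the question,
# so the parser can be exercised without a network connection.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1
    Verify return code: 0 (ok)'
SAMPLE_FAIL='verify error:num=20:unable to get local issuer certificate
    Start Time: 1347036508
    Verify return code: 27 (certificate not trusted)'

# Usage: ./check_chain.sh <host> <port> <path/to/cacert.pem>
if [ "$#" -eq 3 ]; then
    code=$(probe_chain "$1" "$2" "$3") || exit $?
    if [ "$code" = "0" ]; then echo "chain verified"; else echo "verify failed, code $code"; fi
fi
```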