Thin Rails server / eventmachine on Windows does not work with a custom certificate

Time: 2015-06-25 19:58:03

Tags: ruby-on-rails windows ssl eventmachine

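After building my own eventmachine / thin with SSL support on Windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86), I ran into another problem with SSL certificates: thin works fine when I use the built-in self-signed one, but it does not respond to any request when I use the company certificate.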

Here is how I obtained the certificate:

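  1. I generated the private key with puttygen (ssl-private.key)
  2. I generated the CSR with the following command:

        openssl req -out ssl.csr -key ssl-private.key -new

  3. I sent the CSR to the CA and received a P7B file
  4. I converted the P7B with the following command:

        openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt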

What could be wrong here?

What I have checked:

      openssl rsa -in ssl-private.key -check

says "RSA key ok"

      openssl x509 -in cert.crt -text -noout

      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  ***
          Signature Algorithm: sha1WithRSAEncryption
              Issuer: ***
              Validity
                  Not Before: Feb 16 08:47:25 2004 GMT
                  Not After : Feb 16 08:55:36 2024 GMT
              Subject: ***
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (2048 bit)
                      Modulus:
                          ***
                      Exponent: 3 (0x3)
              X509v3 extensions:
                  X509v3 Key Usage: 
                      Digital Signature, Certificate Sign, CRL Sign
                  X509v3 Basic Constraints: critical
                      CA:TRUE
                  X509v3 Subject Key Identifier: 
                      ***
                  1.3.6.1.4.1.311.21.1: 
                      ...
          Signature Algorithm: sha1WithRSAEncryption
               ***
      

The same check on a self-signed certificate created with:

      openssl genrsa -des3 -out server.orig.key 2048
      openssl rsa -in server.orig.key -out server.key
      openssl req -new -key server.key -out server.csr
      openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
      

      Certificate:
          Data:
              Version: 1 (0x0)
              Serial Number:
                  ***
          Signature Algorithm: sha256WithRSAEncryption
              Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
              Validity
                  Not Before: Jun 24 14:42:07 2015 GMT
                  Not After : Jun 23 14:42:07 2016 GMT
              Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (2048 bit)
                      Modulus:
                          ***
                      Exponent: 65537 (0x10001)
          Signature Algorithm: sha256WithRSAEncryption
               ***
      

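OK, some changes: I have changed the order of the certs in the crt file, so the final certificate is not the last one but the first one, and the result is different: Chrome reports the error NET::ERR_CERT_INVALID, IE similarly, and neither navigates any further.

openssl s_client output (looks fine; *** Root CA 1 is trusted in Windows):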

      Loading 'screen' into random state - done
      CONNECTED(000001E8)
      depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
      verify error:num=20:unable to get local issuer certificate
      ---
      Certificate chain
       0 s:/C=***/ST=***/O=***/CN=***.com
         i:/DC=com/DC=***/CN=*** Enterprise CA 1
       1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
         i:/DC=com/DC=***/CN=*** Root CA 1
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      ***
      -----END CERTIFICATE-----
      subject=/C=***/ST=***/O=***/CN=***.com
      issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 3404 bytes and written 665 bytes
      ---
      New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : AES256-GCM-SHA384
          Session-ID: ***
          Session-ID-ctx:
          Master-Key: ***
          Key-Arg   : None
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          TLS session ticket lifetime hint: 300 (seconds)
          TLS session ticket: ***
      
          Start Time: 1435319943
          Timeout   : 300 (sec)
          Verify return code: 20 (unable to get local issuer certificate)
      ---
      read:errno=0
      

I made a simple https server (lib/emtestssl):

      require 'rubygems'
      require 'bundler/setup'
      Bundler.require
      
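      class ServerHandler < EM::Connection
        def post_init
          puts "post_init"
          # Start the TLS handshake as soon as the TCP connection is accepted.
          # comb.crt is the PEM chain file; no client certificate is requested.
          start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
        end
      
        def receive_data(data)
          puts "Received data in server: #{data}"
          # Minimal HTTP response; header lines are terminated with CRLF.
          send_data("HTTP/1.1 200 OK\r\n\r\nHello world!")
          close_connection_after_writing
        end
      end
      
      EventMachine.run do
        puts 'Starting server...'
        # Listen on the HTTPS port of the test host.
        EventMachine.start_server('145.245.202.233', 443, ServerHandler)
      end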
      

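Without tls it works fine; with tls the browsers do not allow the connection :(

According to http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify the private key and the certificate match.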

1 answer:

Answer 0 (score: 0)

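It looks like the (patched) eventmachine is completely fine: I took a key/certificate pair from an existing server and (after the browser issued a URL mismatch warning) it works fine.

After comparing the certificates, it looks like my CA has failed and issued me a certificate with the wrong attribute: the working one is marked Server Authentication (1.3.6.1.5.5.7.3.1), while the failing one is Client Authentication (1.3.6.1.5.5.7.3.2).

I will issue another CSR and lose a day on them... :/

Perhaps one important finding is the order of the certificates in the certificate file: it must go from the final certificate to the root at the end of the chain.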
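
A pre-flight check for the two findings in the answer above (extended key usage and the order of the bundle), as an added example that is not part of the original post. The helper names `chain_problems` and `make_cert` and the in-memory certificates are constructed for illustration; in practice the contents of the file passed as `:cert_chain_file` would be given to `chain_problems`.

```ruby
require 'openssl'

SERVER_AUTH = 'TLS Web Server Authentication' # OpenSSL's name for 1.3.6.1.5.5.7.3.1

# Split a PEM bundle (what :cert_chain_file points at) into certificate objects.
def load_chain(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

def ext_value(cert, oid)
  (cert.extensions.find { |e| e.oid == oid }&.value).to_s
end

# Problems that make a browser reject the chain although key and certificate match.
def chain_problems(pem)
  chain = load_chain(pem)
  return ['no certificates found'] if chain.empty?
  leaf = chain.first
  problems = []
  problems << 'first certificate is a CA' if ext_value(leaf, 'basicConstraints').include?('CA:TRUE')
  eku = ext_value(leaf, 'extendedKeyUsage') # an absent EKU does not restrict usage
  problems << "EKU lacks server authentication (#{eku})" unless eku.empty? || eku.include?(SERVER_AUTH)
  chain.each_cons(2) do |cert, nxt|
    problems << "#{cert.subject} is not followed by its issuer" if cert.issuer.to_der != nxt.subject.to_der
  end
  problems
end

# Constructed sample data: one throwaway key signs a CA and two leaf certificates.
KEY = OpenSSL::PKey::RSA.new(2048)

def make_cert(cn, issuer_cn, exts)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = OpenSSL::X509::Name.parse("/CN=#{issuer_cn}")
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  exts.each { |name, value| cert.add_extension(ef.create_extension(name, value)) }
  cert.sign(KEY, OpenSSL::Digest.new('SHA256'))
end

CA_CERT = make_cert('Example CA', 'Example CA', [%w[basicConstraints CA:TRUE]])
GOOD    = make_cert('www.example.test', 'Example CA', [%w[extendedKeyUsage serverAuth]])
CLIENT  = make_cert('www.example.test', 'Example CA', [%w[extendedKeyUsage clientAuth]])
```

`chain_problems(GOOD.to_pem + CA_CERT.to_pem)` returns an empty list, while the client-auth leaf or a CA-first bundle is reported before the file ever reaches `start_tls`.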