I run Solaris 10 in production, and I integrate over SSL with a third-party web service that provided us with a certificate. It worked fine until a few weeks later, when they updated their certificates and network and gave us new certificates. I added these certificates to the Java truststores cacerts and jssecerts, but the application always fails during the handshake, so I decided to debug it with OpenSSL.
When I try OpenSSL I keep getting the error 'Verify return code: 20 (unable to get local issuer certificate)'. I searched the internet and found several solutions, such as copying the certificates into a directory and passing it with the -CApath option, merging all the certificates into one file, or providing only the root certificate with -CAfile.
I even tried different paths by copying the certificates into them, such as /etc/certs, /etc/ssl/certs and /etc/sfw/openssl/certs, and I tried almost every certificate format, from .cert to .pfx to .p7b, but I always get the same error.
An example is shared below:
/usr/sfw/bin/openssl s_client -CApath /etc/sfw/openssl/certs -connect example.hostipaddress:443 -debug
CONNECTED(00000004)
-- Long list of strings removed to conserve space --
02ef - <SPACES/NULS>
depth=1 /DC=local/DC=mgc/CN=MBTC-ENTCA1
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
0 s:/C=PH/ST=Metro Manila/L=Makati City/O=Metropolitan Bank and Trust Company/OU=CID-ITSAD/CN=IOSG-XRSWEB
i:/DC=local/DC=mgc/CN=MBTC-ENTCA1
1 s:/DC=local/DC=mgc/CN=MBTC-ENTCA1
i:/DC=local/DC=mgc/CN=MGCROOTCA
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=PH/ST=Metro Manila/L=Makati City/O=Metropolitan Bank and Trust Company/OU=CID-ITSAD/CN=IOSG-XRSWEB
issuer=/DC=local/DC=mgc/CN=MBTC-ENTCA1
---
No client certificate CA names sent
---
SSL handshake has read 3570 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 79070000B3B0F581DDC6F732F5BAD3F384CAE1D67ADBA4AF551393A6A208C897
Session-ID-ctx:
Master-Key: D04EFCA3E85CCB6E1F80F2B74C6CF24248B693F5CDABB0355F.....
Key-Arg : None
Start Time: 1457082099
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Please suggest how I can fix or work around this issue.
Answer 0: (score: 0)
If the connection requires a client certificate, you need to tell OpenSSL about it with the -cert parameter, and with -key if you have the private key in a separate file. -CApath is only used for the server certificate.
Answer 1: (score: 0)
You are missing the issuing CA with the common name MGCROOTCA:
/usr/sfw/bin/openssl s_client -CApath /etc/sfw/openssl/certs -connect example.hostipaddress:443 -debug
CONNECTED(00000004)
...
depth=1 /DC=local/DC=mgc/CN=MBTC-ENTCA1
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
0 s:/C=PH/ST=Metro Manila/L=Makati City/O=Metropolitan Bank and Trust Company/OU=CID-ITSAD/CN=IOSG-XRSWEB
i:/DC=local/DC=mgc/CN=MBTC-ENTCA1
1 s:/DC=local/DC=mgc/CN=MBTC-ENTCA1
i:/DC=local/DC=mgc/CN=MGCROOTCA
...
I could not find it online, so you may need to contact the bank. Once you have it, make sure it is in PEM format, and then:
$ openssl s_client -connect www.example.com:443 -tls1 \
-servername www.example.com -CAfile MGCROOTCA.pem
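As an added example (not part of the question or either answer), the script below parses the "Certificate chain" section that openssl s_client prints and reports the issuer that no certificate in the presented chain satisfies, which is exactly the CA the local trust store (-CAfile/-CApath) has to contain before error 20 goes away. The sample output is constructed from the chain quoted above; the function names are mine.

```python
import re

# Constructed sample, trimmed from the s_client output quoted in the question.
SAMPLE_OUTPUT = """\
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=PH/ST=Metro Manila/L=Makati City/O=Metropolitan Bank and Trust Company/OU=CID-ITSAD/CN=IOSG-XRSWEB
   i:/DC=local/DC=mgc/CN=MBTC-ENTCA1
 1 s:/DC=local/DC=mgc/CN=MBTC-ENTCA1
   i:/DC=local/DC=mgc/CN=MGCROOTCA
---
"""

# Matches the " 0 s:/..." and "   i:/..." lines of the chain listing.
CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(/.*)$")

def parse_chain(output):
    """Return (subject, issuer) pairs in the order the server sent them."""
    chain, subject, in_chain = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain section
        elif in_chain and (m := CHAIN_LINE.match(line)):
            kind, name = m.groups()
            if kind == "s":
                subject = name
            else:
                chain.append((subject, name))
    return chain

def missing_issuers(chain):
    """Issuers no presented subject satisfies (a self-signed root resolves
    itself); these must come from the local trust store or error 20 results."""
    subjects = {s for s, _ in chain}
    return [i for s, i in chain if i != s and i not in subjects]

def trust_anchor_cns(output):
    """CN of each CA the local store must contain for this chain to verify."""
    cns = []
    for issuer in missing_issuers(parse_chain(output)):
        m = re.search(r"/CN=([^/]+)", issuer)
        cns.append(m.group(1) if m else issuer)
    return cns

if __name__ == "__main__":
    print(trust_anchor_cns(SAMPLE_OUTPUT))  # ['MGCROOTCA']
```

Pipe real output through it (openssl s_client ... 2>&1 | python3 script.py after replacing SAMPLE_OUTPUT with sys.stdin.read()) to see which CA certificate to request from the remote party.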