Question

我想在与IO::Socket::SSL客户端连接时使用服务器证书。

我所做的是先提取证书，

openssl s_client -showcerts -connect 127.0.0.1:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >/tmp/localhost.crt

然后使用示例文件夹中的ssl_client.pl进行连接，

ssl_client.pl -d10 --ca /tmp/localhost.crt localhost:443
DEBUG: .../IO/Socket/SSL.pm:2757: new ctx 17132992
DEBUG: .../IO/Socket/SSL.pm:643: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:645: socket connected
DEBUG: .../IO/Socket/SSL.pm:667: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:700: using SNI with hostname localhost
DEBUG: .../IO/Socket/SSL.pm:735: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:769: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2658: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2611: ok=0 [0] /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=bigger2/emailAddress=root@bigger2/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=bigger2/emailAddress=root@bigger2
DEBUG: .../IO/Socket/SSL.pm:772: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:775: SSL connect attempt failed

DEBUG: .../IO/Socket/SSL.pm:775: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:778: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: ...inux/IO/Socket.pm:49: ignoring less severe local error 'IO::Socket::INET configuration failed', keep 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
DEBUG: .../IO/Socket/SSL.pm:2779: free ctx 17132992 open=17132992
DEBUG: .../IO/Socket/SSL.pm:2784: free ctx 17132992 callback
DEBUG: .../IO/Socket/SSL.pm:2791: OK free ctx 17132992
failed to connect to localhost:443: ,SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ssl_client.pl line 52.

这不能按预期工作，因此请建议如何使用本地存储的证书正确验证服务器。

Answer 1

虽然您的证书是自签名的（即由其自己签名），但它不是CA：

    X509v3 extensions:
        X509v3 Basic Constraints: 
            CA:FALSE

因为它不是CA，所以不允许将其用作证书的颁发者，因此理论上甚至不能用于签署自己。

这至少是OpenSSL中实现的逻辑（因此Net :: SSLeay，IO :: Socket :: SSL）。像NSS这样的其他实现似乎可以使用这些证书，可能是因为它们检查服务器证书本身是否被明确信任。这样的检查不同于仅检查它是否由受信任的CA签名，这是通过使用IO :: Socket :: SSL中的SSL_ca *选项（或-CAfile，-CApath openssl s_client参数来完成的。 1}}）。

明确信任特定证书，无论它是自签名，过期，撤销还是可以使用SSL_fingerprint选项在IO :: Socket :: SSL中完成的任何操作。

请注意，在这种情况下调试IO :: Socket :: SSL并没有多大帮助，因为本案例中的逻辑是在OpenSSL中实现的。有一些小指标出错了：

DEBUG: ... ok=0 [0] .../CN=bigger2/emailAddress=root@bigger2 .../CN=bigger2/emailAddress=root@bigger2

从验证回调中调用此调试语句。 ok=0 [0]表示在级别证书级别0使用ok=0调用此回调，即OpenSSL的内置验证不认为此证书有效。

IO :: Socket :: SSL客户端检查服务器证书

1 个答案: