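I am trying to connect to an SSL-based host using an SSL-wrapped Python socket.
When I try to connect with the openssl client, I successfully connect over SSL and receive a response:
On the terminal,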
openssl s_client -tls1_1 -connect epptestv3.iis.se:700 -key privateKey.pem -cert certificate.pem -CAfile root_certificate.pem
But in Python,
import socket
import ssl

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(60)  # regular timeout
# Wrap the socket for TLS, presenting the client key and certificate
sock = ssl.wrap_socket(sock, "privateKey.pem", "certificate.pem",
                       server_side=False,
                       cert_reqs=ssl.CERT_REQUIRED,
                       ca_certs="root_certificate.pem",
                       ssl_version=ssl.PROTOCOL_TLSv1_2,
                       ciphers='AES256-SHA')
sock.connect(('epptestv3.iis.se', 700))
I get the following error:
    sock.connect(('epptestv3.iis.se', 700))
  File "/usr/lib/python2.7/ssl.py", line 866, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python2.7/ssl.py", line 857, in _real_connect
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 830, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
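I don't understand why an error is thrown when the key and certificate files are the same in both cases. Please suggest an appropriate solution.
Below is the openssl debug log, which may help: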
openssl s_client -tls1_1 -connect epptestv3.iis.se:700 -key privateKey.pem -cert certificate.pem -CAfile root_certificate.pem
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Issued through Stiftelsen f\C3\B6r Internetinfrastruktur E-PKI Manage, OU = COMODO SSL, CN = epptestv3.iis.se
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Issued through Stiftelsen f\xC3\xB6r Internetinfrastruktur E-PKI Manage/OU=COMODO SSL/CN=epptestv3.iis.se
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=Issued through Stiftelsen f\xC3\xB6r Internetinfrastruktur E-PKI Manage/OU=COMODO SSL/CN=epptestv3.iis.se
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 6425 bytes and written 5050 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : AES256-SHA
Session-ID: 066A733D13B86DFABC101E44DA2685AD95C8DF25C97D246B139593E1C3FD44E5
Session-ID-ctx:
Master-Key: 1723668A7339631D1667C2B3B3E736BB165FA1752D0BBE8A3FE4AA5D1C7007D6A7277443B4672BB1A5A120E8FF783B11
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1477246014
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd" xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<greeting>
<svID>epp.iis.se</svID>
<svDate>2016-10-23T18:06:55.0Z</svDate>
<svcMenu>
<version>1.0</version>
<lang>en</lang>
<objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
<objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
<objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
<svcExtension>
<extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
<extURI>urn:ietf:params:xml:ns:secDNS-1.0</extURI>
<extURI>urn:se:iis:xml:epp:iis-1.2</extURI>
</svcExtension>
</svcMenu>
<dcp>
<access>
<all />
</access>
<statement>
<purpose>
<prov />
</purpose>
<recipient>
<ours />
<public />
</recipient>
<retention>
<stated />
</retention>
</statement>
</dcp>
</greeting>
</epp>
Answer 0 (score: 1)
The certificates in root_certificate.pem are:
Issuer: ... CN=thawte Primary Root CA
Subject: ... CN=thawte DV SSL CA - G2
--
Issuer: ... CN=thawte Primary Root CA
Subject: ... CN=thawte Primary Root CA
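According to the certificate chain shown in the openssl s_client output, none of these certificates has any relationship to the certificate chain offered by the server. Instead, you would need a certificate like this: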
Issuer: ... CN=AddTrust External CA Root
Subject: ... CN=AddTrust External CA Root
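This certificate can be found here. If you use it, your Python code works too.
So the question remains why openssl s_client worked with the wrong CA while Python did not. The reason is an unexpected and undocumented behavior of s_client: it does not use the CAfile instead of the default CA store (usually /etc/ssl/certs on Linux) but in addition to it. And since the root CA in question is installed on the system, openssl s_client can successfully verify the server certificate, no matter what root_certificate.pem contains.
For details about this behavior, see issue #2387. It looks like a fix for this was made that "will be released post-1.0.2", although I could not find a related commit in the OpenSSL source code. Instead, it looks like OpenSSL 1.1.0 got the -no-CAfile and -no-CApath options to switch off verification against the default locations.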
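The check the answer performs by eye, as an added example (not part of the original question or answer): read the "Certificate chain" block of pasted `openssl s_client` output, work out which root the client has to supply in `ca_certs`, and see whether the CA file contains it. The sample inputs are constructed from the output quoted on this page, the function names are hypothetical, and matching by CN only is a simplifying assumption (real verification compares the full subject name and the signature).

```python
import re

# Constructed sample inputs: the chain section of the s_client output from the
# question (one OU dropped) and the listing of root_certificate.pem from the answer.
S_CLIENT_CHAIN = r"""
Certificate chain
 0 s:/OU=Domain Control Validated/OU=COMODO SSL/CN=epptestv3.iis.se
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""
CA_FILE_LISTING = """
Issuer: ... CN=thawte Primary Root CA
Subject: ... CN=thawte DV SSL CA - G2
Issuer: ... CN=thawte Primary Root CA
Subject: ... CN=thawte Primary Root CA
"""

def common_name(dn):
    """Extract the CN from a DN printed as /A=b/CN=x or 'A = b, CN = x'."""
    match = re.search(r"CN\s*=\s*([^/,\n]+)", dn)
    return match.group(1).strip() if match else None

def parse_chain(text):
    """Return [(depth, subject_cn, issuer_cn), ...] for the certificates the server sent."""
    pairs = re.findall(r"^\s*(\d+) s:(.+)\n\s*i:(.+)$", text, re.M)
    return [(int(d), common_name(s), common_name(i)) for d, s, i in pairs]

def required_root(chain):
    """The trust anchor the client must supply: the issuer of the last certificate sent."""
    _, _, issuer_cn = max(chain)  # entry with the highest depth
    return issuer_cn

def diagnose(chain_text, ca_listing):
    """Return (root_cn_needed, present_in_ca_file)."""
    needed = required_root(parse_chain(chain_text))
    subjects = {common_name(line) for line in ca_listing.splitlines()
                if line.startswith("Subject:")}
    return needed, needed in subjects

if __name__ == "__main__":
    print(diagnose(S_CLIENT_CHAIN, CA_FILE_LISTING))
```

A result of `False` here predicts the `CERTIFICATE_VERIFY_FAILED` seen in Python, which trusts only what `ca_certs` contains.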