Python SSL套接字证书验证失败错误

时间:2016-10-23 18:23:07

标签: python sockets ssl pyopenssl mutual-authentication

我正在尝试使用SSL包装的Python套接字连接到基于SSL的主机。

当我尝试使用openssl客户端进行连接时,我成功地通过ssl连接并接收响应:

在终端上,

openssl s_client -tls1_1 -connect epptestv3.iis.se:700 -key privateKey.pem -cert certificate.pem -CAfile root_certificate.pem 

但在Python中,

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(60)  # regular timeout

sock = ssl.wrap_socket(sock, "privateKey.pem", "certificate.pem",
                           server_side=False,
                           cert_reqs=ssl.CERT_REQUIRED,
                           ca_certs="root_certificate.pem",
                           ssl_version=ssl.PROTOCOL_TLSv1_2,
                           ciphers='AES256-SHA')

sock.connect(('epptestv3.iis.se', 700))

我收到以下错误:

sock.connect(('epptestv3.iis.se', 700))
    File "/usr/lib/python2.7/ssl.py", line 866, in connect
self._real_connect(addr, False)
    File "/usr/lib/python2.7/ssl.py", line 857, in _real_connect
self.do_handshake()
    File "/usr/lib/python2.7/ssl.py", line 830, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

我不知道为什么在两种情况下密钥和证书文件相同时都会抛出错误?请建议适当的解决方案

以下是openssl调试日志,这可能会有所帮助:

openssl s_client -tls1_1 -connect epptestv3.iis.se:700 -key privateKey.pem -cert certificate.pem -CAfile root_certificate.pem 
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Issued through Stiftelsen f\C3\B6r Internetinfrastruktur E-PKI Manage, OU = COMODO SSL, CN = epptestv3.iis.se
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Issued through Stiftelsen f\xC3\xB6r Internetinfrastruktur E-PKI Manage/OU=COMODO SSL/CN=epptestv3.iis.se
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFoDCCBIigAwIBAgIQbChcoPxJBdsCfcui549W/DANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xNTExMjMwMDAwMDBaFw0xNjEyMjkyMzU5NTlaMIGfMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxSjBIBgNVBAsMQUlzc3VlZCB0aHJvdWdo
IFN0aWZ0ZWxzZW4gZsO2ciBJbnRlcm5ldGluZnJhc3RydWt0dXIgRS1QS0kgTWFu
YWdlMRMwEQYDVQQLEwpDT01PRE8gU1NMMRkwFwYDVQQDExBlcHB0ZXN0djMuaWlz
LnNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7NM/dsKMr5PSLySm
TUBy5VHi4pECfZZNdvjpXB7WqUC029Ue/rn+TeqcRNLs3SM3liuSXPkhrpHgIWsF
5DsKxwGqh+psudkYJSK0jKq28DlXnn8dHX5m2c+c8PMorrdN/2ZgfNbWqpb00Dq7
0RhQqRbUtYfRRtndfk2hmDRZfbjhYuzakmnUlezLyoCjJ0euMl2n2cXWRYE+lokG
t81JFm9Cfj8jUXW5KaEWCmcshRC+3nQjQlC/HeD7d8rhebkTO0N3ilDNcHYJsqQP
MmwgexxrYYLd8DdUL9mTDfoKOuzgPU6BR78AT1uCALLBsNIawER2sI2rhncQZ0wV
FxBb7wIDAQABo4IB4zCCAd8wHwYDVR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo
2ucwHQYDVR0OBBYEFBLoktspsuhAAykZCOCWaEgDxKoHMA4GA1UdDwEB/wQEAwIF
oDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBP
BgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8v
c2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BF
hkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0
aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUH
MAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlk
YXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
LmNvbW9kb2NhLmNvbTAxBgNVHREEKjAoghBlcHB0ZXN0djMuaWlzLnNlghR3d3cu
ZXBwdGVzdHYzLmlpcy5zZTANBgkqhkiG9w0BAQsFAAOCAQEAbCyk+7IhFZOLxFLn
Nqu46zq4DSZntyLQh53AO3I36845PxSoX4aBo1xPdz8Dy6wIKklTcD4jgYlYYUDD
K6uP7kpIYswH4OGoCbca4Jh5YWiINUlm6RT5CAYm5K/FB30jIpqjepQg2x7KwTjY
9evYf6urY17ShafKpAewrzVe0rK5d8il+AcovKk5QXnHcydicIcEdUHdzu4tPcfW
4MvtQpv2ZeaofxEKPH8K9aXUPp4c9l3e32PHbhqiaoirsB53WDs+G9fzNxaL6O99
HOCg7EMvdiScEaBs+7NlxLMQTg/P9G/+UAyaim3nCgf0ptCNLGkE3g5pWou5rIwp
KQTNVQ==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Issued through Stiftelsen f\xC3\xB6r Internetinfrastruktur E-PKI Manage/OU=COMODO SSL/CN=epptestv3.iis.se
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 6425 bytes and written 5050 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : AES256-SHA
    Session-ID: 066A733D13B86DFABC101E44DA2685AD95C8DF25C97D246B139593E1C3FD44E5
    Session-ID-ctx: 
    Master-Key: 1723668A7339631D1667C2B3B3E736BB165FA1752D0BBE8A3FE4AA5D1C7007D6A7277443B4672BB1A5A120E8FF783B11
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e4 89 33 38 f7 3f 89 aa-ba a7 7a 6f 67 3c 89 09   ..38.?....zog<..
    0010 - 96 e3 90 3d a7 63 e7 70-a9 c3 de 91 e0 f3 30 e5   ...=.c.p......0.
    0020 - 62 99 78 2a 7d 37 5a fe-ff 31 65 de 34 7a 91 70   b.x*}7Z..1e.4z.p
    0030 - ef 55 d3 07 96 d6 47 18-40 22 da 7a 4b 35 1b ee   .U....G.@".zK5..
    0040 - 6a eb 15 4a 07 f0 b3 5e-99 21 ad a9 b6 df 28 05   j..J...^.!....(.
    0050 - 1b 1e 4b de 54 7c 5b 29-5d a8 a3 c2 3b e6 82 4e   ..K.T|[)]...;..N
    0060 - c8 d5 76 b5 7c 64 31 59-10 f0 61 1e 9a df 1c 42   ..v.|d1Y..a....B
    0070 - 8b d3 f8 a7 73 da 06 fc-3f df 02 d6 01 05 fa a7   ....s...?.......
    0080 - 3b 92 4b fd e5 03 41 24-26 b8 a7 12 c5 9a 9c 7c   ;.K...A$&......|
    0090 - dc 36 75 69 bd 61 c4 27-43 5b df bb 19 80 2a 9c   .6ui.a.'C[....*.
    00a0 - d3 bf 5f 8b f6 e2 3d 0e-2e d2 cc a7 d0 5e 52 48   .._...=......^RH
    00b0 - ff e6 a1 fe 02 3f 8e 78-c2 15 ad cb 9a 11 e9 03   .....?.x........
    00c0 - 0e 80 0e b8 10 2b 4a 85-82 bd ef d2 9d 3d 74 89   .....+J......=t.
    00d0 - 65 2d 94 f6 2c b8 c1 a2-5c c5 34 72 13 3e b0 75   e-..,...\.4r.>.u
    00e0 - fd 11 e2 9b 65 d5 48 b6-80 15 90 d6 df e2 05 21   ....e.H........!
    00f0 - 01 1f 34 2b 6b 3a 7a 8c-07 53 f1 b0 fb b3 95 b2   ..4+k:z..S......
    0100 - c3 07 d1 5b 7c 13 4b cb-78 5d 59 5b 66 94 d6 11   ...[|.K.x]Y[f...
    0110 - 06 6c b0 9f b2 d1 78 a0-37 9a 9e bf 9d 90 54 ad   .l....x.7.....T.
    0120 - 83 51 70 b2 7f 7f 76 e9-47 eb 75 9f 70 7c 26 36   .Qp...v.G.u.p|&6
    0130 - a6 42 f3 c1 08 05 8a 59-32 a2 c6 71 50 4a 48 ee   .B.....Y2..qPJH.
    0140 - 68 29 cf ec db 39 42 71-bd e0 97 7a 66 dd c3 8c   h)...9Bq...zf...
    0150 - f4 09 5c 2e a2 38 27 71-cd 9c f5 4f da 46 a4 0c   ..\..8'q...O.F..
    0160 - 0f b6 93 d5 97 bd e0 3b-3b 5f 2c 53 cd 0f ad b6   .......;;_,S....
    0170 - a8 12 27 ba bb 5f 56 da-8e 14 f0 31 82 2f e0 90   ..'.._V....1./..
    0180 - 72 41 65 77 96 b6 7b 35-5b 68 92 29 56 8d b9 3e   rAew..{5[h.)V..>
    0190 - 77 6c b5 44 12 fb da bd-c1 d9 62 bd af 4d 61 18   wl.D......b..Ma.
    01a0 - 20 de 49 53 3b d6 4b 07-68 06 74 db 32 11 fc 26    .IS;.K.h.t.2..&
    01b0 - f0 64 37 7f 68 9a c3 09-01 69 ec c1 1d bb 2d a8   .d7.h....i....-.
    01c0 - 81 fd 0e bf 84 a8 71 25-bf d8 07 54 14 8c 18 60   ......q%...T...`
    01d0 - 20 66 14 bb 18 e5 96 fd-14 40 2a a2 30 74 18 a5    f.......@*.0t..
    01e0 - 1b 61 ea 9f 24 9f 25 b3-1f ca 25 c4 19 56 bc aa   .a..$.%...%..V..
    01f0 - 32 b6 a5 3b fe 09 3c de-24 3b c8 b9 89 a7 13 2e   2..;..<.$;......
    0200 - a4 fc f4 df a8 3c 58 f3-d8 10 ae ff b1 77 4d 4c   .....<X......wML
    0210 - 7e 6a f4 a2 22 32 81 fa-cd 65 0a b3 d9 04 49 20   ~j.."2...e....I 
    0220 - 8c 39 91 f9 bd e7 24 4d-47 7e 13 0a 6e a2 96 0d   .9....$MG~..n...
    0230 - b5 cd 11 6f b1 7d c3 7b-59 4c 9f ec 8c a5 93 64   ...o.}.{YL.....d
    0240 - ce 09 9c 64 55 58 41 ad-e1 b2 63 a4 c9 cb bb c0   ...dUXA...c.....
    0250 - 04 70 e6 65 b5 18 85 b3-e1 fb 0c fe 81 42 81 c9   .p.e.........B..
    0260 - dc 94 10 12 8f 19 9b a7-e1 92 9d ba b4 28 93 ad   .............(..
    0270 - 9f 5d 63 af b7 32 3f 07-53 15 c2 20 f5 fa e6 06   .]c..2?.S.. ....
    0280 - 1b 77 ec 88 15 94 7b 7d-a3 2f 72 24 00 54 21 96   .w....{}./r$.T!.
    0290 - 95 4b fb 6f d3 e5 9d 83-a7 c8 27 92 0c 62 a6 4b   .K.o......'..b.K
    02a0 - 1e b3 45 fe e2 74 25 0d-9e 59 bf 1a 84 fb 59 13   ..E..t%..Y....Y.
    02b0 - 8b df 43 08 74 99 5e 83-8a a5 51 73 a1 33 29 ce   ..C.t.^...Qs.3).
    02c0 - a5 ce 13 d7 50 a4 87 2b-2e 13 f4 db 11 96 85 ad   ....P..+........
    02d0 - 40 3e 27 f8 05 bb 50 a5-2e 3c 6d a2 4e ad 5d e1   @>'...P..<m.N.].
    02e0 - e5 9c da 3a 9d 31 85 b6-4a be 58 e5 4f e4 73 9b   ...:.1..J.X.O.s.
    02f0 - 04 d7 28 b3 5a b7 a1 79-86 50 b3 7d 76 0c b7 28   ..(.Z..y.P.}v..(
    0300 - 2f ab 39 cd b2 df 79 59-77 ec 4a f6 b3 d3 a0 be   /.9...yYw.J.....
    0310 - 58 e1 7a f0 69 3a 3f 73-72 e2 8d de c6 d5 0d 16   X.z.i:?sr.......
    0320 - e8 2d f9 03 39 11 78 07-5b 3c b0 9b 53 bd ed a3   .-..9.x.[<..S...
    0330 - 08 42 75 9d 20 fa 0b 70-4e eb 31 c5 0a 4e 5a 83   .Bu. ..pN.1..NZ.
    0340 - 22 06 1b 39 c6 e2 fb c5-78 96 fd 20 e6 5f a4 e6   "..9....x.. ._..
    0350 - b1 ea c6 f9 6c 4b 3f 9d-2d a7 7c c8 00 b2 87 8a   ....lK?.-.|.....
    0360 - 88 b1 5c 8b 88 86 b4 f4-70 a3 a8 16 9e 07 e3 4f   ..\.....p......O
    0370 - 70 5f 77 05 79 34 44 a9-c9 0f fa 03 b4 27 a2 e6   p_w.y4D......'..
    0380 - 66 3e 78 8b ed ec a0 c2-ad b6 e8 94 69 84 18 83   f>x.........i...
    0390 - 46 5c f8 e9 99 f7 8f 9c-b3 e2 56 28 7f 8c f8 b0   F\........V(....
    03a0 - 6d e9 f0 75 d2 4e ec e1-2b ea d5 e1 da ad 7f b7   m..u.N..+.......
    03b0 - e9 84 a9 fd 39 29 29 4a-10 dc c2 61 f6 e8 d9 ac   ....9))J...a....
    03c0 - 2b 18 1c d4 e1 2b d1 1d-3d 4b ae 20 c7 b7 5f 2b   +....+..=K. .._+
    03d0 - 7d 77 b8 eb 8e 4e e5 db-4e 70 92 5f 20 6c 73 87   }w...N..Np._ ls.
    03e0 - 69 4a aa 40 55 dc 23 d5-20 ef 2f 4e 15 3c f6 4d   iJ.@U.#. ./N.<.M
    03f0 - 6f 57 50 e2 9d 48 b4 d6-8e c5 78 ee 2b a1 47 bc   oWP..H....x.+.G.
    0400 - 0b a8 5d 5b 17 67 29 1f-12 fd 05 4a f7 86 df ed   ..][.g)....J....
    0410 - 9a ac 1d d4 22 26 11 4f-9f 1f b6 00 38 86 9f 0a   ...."&.O....8...
    0420 - 3b 5b 5b 8c a8 07 7c 1d-03 91 c9 91 84 63 a1 69   ;[[...|......c.i
    0430 - db 01 30 dd 51 b3 2b 12-27 c9 2c c0 55 6c ba 0c   ..0.Q.+.'.,.Ul..
    0440 - 93 99 f5 f9 4e 32 cb 1a-03 78 80 99 df a9 c3 9c   ....N2...x......
    0450 - b9 a3 ca d7 00 8c f3 bc-f3 e9 4d 16 d0 e5 f6 54   ..........M....T
    0460 - a8 31 97 b2 1b c9 80 49-ed cc 06 a1 c4 d9 92 8c   .1.....I........
    0470 - 5d fe 0f 3a 81 b7 12 3a-d6 a4 fc 5e e0 49 be e0   ]..:...:...^.I..
    0480 - 17 81 ac f9 44 80 11 35-48 f7 4f c0 23 42 69 0f   ....D..5H.O.#Bi.
    0490 - 3d c1 87 86 d1 4b 36 0f-e6 dd 2f d0 b7 3d 9d 14   =....K6.../..=..
    04a0 - a7 51 92 69 ba fe e0 04-14 9e 36 49 57 a6 c0 c4   .Q.i......6IW...
    04b0 - 27 bc bb 0e b2 fb 29 2a-17 a2 8d de ac da 52 08   '.....)*......R.
    04c0 - d1 e0 03 fb ad d6 d0 4b-2a 5d bb 0b 63 9f 3f a4   .......K*]..c.?.
    04d0 - ff 1a ec 4c a1 41 56 06-1b f0 38 8f b4 89 7d 21   ...L.AV...8...}!
    04e0 - c2 20 da 77 1d 78 0c bf-92 93 a0 54 07 d7 79 ac   . .w.x.....T..y.
    04f0 - e9 72 e9 9d 4a 05 4a e1-9e 8a 64 86 39 3b c0 95   .r..J.J...d.9;..
    0500 - 9c 50 01 56 87 b8 3b 29-45 18 cf bf 08 bd dd 8d   .P.V..;)E.......
    0510 - c8 00 96 e3 4b e9 8c ac-11 3c 6c 52 b7 c0 af 1a   ....K....<lR....
    0520 - fe 6d 10 9d bc a5 41 f9-ce 11 13 3a 87 80 fe 1f   .m....A....:....
    0530 - a4 55 5b 76 6c 29 7b 6e-01 4d 9d 40 aa 72 2e 39   .U[vl){n.M.@.r.9
    0540 - d7 37 52 8f 80 2f ae 96-77 93 af af 7c 2c 31 3f   .7R../..w...|,1?
    0550 - af bd 59 47 c8 87 9b c3-3d 54 8f 1e f0 e3 bd 86   ..YG....=T......
    0560 - 39 63 b3 71 87 ed 73 f6-1e 23 1e d7 17 0f da 75   9c.q..s..#.....u
    0570 - 5f 33 b0 91 f3 fe 48 f6-58 bc b0 09 90 db 04 b0   _3....H.X.......
    0580 - de 18 91 f5 25 61 c4 72-5e 79 54 b3 7e b9 87 72   ....%a.r^yT.~..r
    0590 - 79 7b 22 d7 39 93 ed 68-47 66 3c 17 51 86 2b 2d   y{".9..hGf<.Q.+-
    05a0 - f4 e4 91 66 e1 6e e0 ad-a4 7c 77 af 3c 8c 47 dc   ...f.n...|w.<.G.
    05b0 - 6d 46 37 58 26 5a e8 35-ed d8 c3 c9 29 72 f0 f3   mF7X&Z.5....)r..
    05c0 - b2 06 51 53 85 9b c7 e0-0e 25 0c 7d c6 12 00 b2   ..QS.....%.}....
    05d0 - 89 70 2f 51 6b b2 5f 6c-86 da ff 9a 24 8e 50 67   .p/Qk._l....$.Pg
    05e0 - 19 11 89 54 18 92 69 e9-b0 22 0b 9f 06 dc b4 cb   ...T..i.."......
    05f0 - df d4 c5 14 ed 81 9d b9-a0 be 50 88 c2 0e fb 75   ..........P....u
    0600 - d4 81 97 db 2a 87 05 47-dc a4 5a 7e e8 62 8b 9b   ....*..G..Z~.b..
    0610 - 16 a5 92 13 7c 97 a5 d4-d6 d2 77 88 ad 1c 51 53   ....|.....w...QS
    0620 - 10 dd 33 19 64 7c 4f 7c-1f a8 0d de 9e 10 4c 57   ..3.d|O|......LW
    0630 - 98 19 9e 4c d4 2f d2 71-2e ef 2c a1 65 07 b2 dc   ...L./.q..,.e...
    0640 - 77 ef 5c 5b 3d 56 c1 1b-78 67 97 87 07 b5 0c 45   w.\[=V..xg.....E
    0650 - 80 69 a4 b1 15 d7 8c 1b-88 8d 7c 29 b6 db 17 fc   .i........|)....
    0660 - 23 67 5f 1e 7c 3d c1 de-c2 0b 00 51 24 f6 9c f0   #g_.|=.....Q$...
    0670 - 96 e7 41 3d b4 2f b4 7e-27 38 20 a1 4b 7d 02 c3   ..A=./.~'8 .K}..
    0680 - 84 f6 20 fa c7 a6 1c eb-b3 22 eb 18 8e a4 60 18   .. ......"....`.
    0690 - b1 88 20 6e 76 9a 77 a3-a5 9d 62 10 24 b3 c8 b6   .. nv.w...b.$...
    06a0 - 0f 80 5e 26 58 a4 e2 e8-9b b2 e1 a4 77 a6 58 bd   ..^&X.......w.X.
    06b0 - 03 1f 50 8d e4 26 8f ef-fd 5d 21 fb 19 8b 1a d2   ..P..&...]!.....
    06c0 - b6 ee 8c f4 26 48 2f 76-7f b2 da 42 28 cb 58 27   ....&H/v...B(.X'
    06d0 - 65 cb c5 ec 04 ee 95 2b-c3 59 46 ed f3 6f 46 2a   e......+.YF..oF*
    06e0 - da 49 86 9b e1 f1 cb e5-4f cd 72 d8 4c 31 61 a0   .I......O.r.L1a.
    06f0 - 46 99 55 69 17 c7 98 d0-9d e2 02 f1 b7 19 23 fc   F.Ui..........#.
    0700 - 69 18 ec 99 50 b8 c7 d6-ef dd eb 45 a2 d2 ee 8d   i...P......E....
    0710 - 4b ef e2 3a 2e 5d 66 f2-a5 7e f2 26 a2 d6 7b ba   K..:.]f..~.&..{.
    0720 - b5 db e6 d3 29 82 90 4e-76 cb 37 71 97 a9 a8 a0   ....)..Nv.7q....

    Start Time: 1477246014
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<epp xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd" xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <greeting>
        <svID>epp.iis.se</svID>
        <svDate>2016-10-23T18:06:55.0Z</svDate>
        <svcMenu>
            <version>1.0</version>
            <lang>en</lang>
            <objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
            <objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
            <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
            <svcExtension>
                <extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
                <extURI>urn:ietf:params:xml:ns:secDNS-1.0</extURI>
                <extURI>urn:se:iis:xml:epp:iis-1.2</extURI>
            </svcExtension>
        </svcMenu>
        <dcp>
            <access>
                <all />
            </access>
            <statement>
                <purpose>
                    <prov />
                </purpose>
                <recipient>
                    <ours />
                    <public />
                </recipient>
                <retention>
                    <stated />
                </retention>
            </statement>
        </dcp>
    </greeting>
</epp>

1 个答案:

答案 0 :(得分:1)

root_certificate.pem中的证书是:

Issuer:  ... CN=thawte Primary Root CA
Subject: ... CN=thawte DV SSL CA - G2
--
Issuer:  ... CN=thawte Primary Root CA
Subject: ... CN=thawte Primary Root CA

根据openssl s_client输出中显示的证书链,这些证书中没有一个与服务器提供的证书链有任何关系。相反,你需要一个证书:

Issuer:  ... CN=AddTrust External CA Root
Subject: ... CN=AddTrust External CA Root

可以找到此证书here。如果你使用python代码也可以。

因此,问题仍然是为什么openssl s_client使用了错误的CA,而python没有工作。原因是s_client的意外和未记录的行为:它不使用默认CA存储的CAfile 而不是(即Linux上通常是/ etc / ssl / certs)但是的另外即可。并且由于有问题的根CA安装在系统上openssl s_client可以成功验证服务器证书,无论root_certificate.pem的内容是什么。

有关此行为的详细信息,请参阅issue#2387。看起来已经完成了对此的修复&#34;将在1.0.2之后发布&#34;虽然我在OpenSSL源代码中找不到相关的提交。相反,看起来OpenSSL 1.1.0获得了-no-CAfile-no-CApath选项来关闭默认位置的验证。