我一直在使用POCO C ++库创建的Web服务器。我需要实现相互身份验证,因此在服务器中,我已将验证模式配置为STRICT(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT)。
如果我将其配置为RELAXED(SSL_VERIFY_PEER),我可以通过HTTPS卷曲服务器而不会出现问题,但是当我尝试使用严格验证模式时,服务器和客户端完成握手,然后服务器没有问题。响应,给我一个"来自服务器"空的回复;消息。
我使用以下卷曲:
curl -u user:pass --cert client.cert.pem:password --key client.key.pem --cacert ca-chain.cert.pem --capath /home/ca/ 'https://V.X.Y.Z:PORT' -H 'Accept: application/json' -H 'Connection: keep-alive' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: es-US,es;q=0.8,es-419;q=0.6,en;q=0.4' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36' --compressed --insecure
我得到了这个结果:
* Trying V.X.Y.Z...
* TCP_NODELAY set
* Connected to V.X.Y.Z (V.X.Y.Z) port PORT (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ca-chain.cert.pem
CApath: /home/ca/
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [62 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1560 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [42 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [4514 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
} [264 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=MX; ST=Sonora; L=Cajeme; O=Gustavo Inc; OU=Gustavo Systems; CN=CNName; emailAddress=gustavoinc@gmail.com
* start date: Apr 11 18:07:27 2017 GMT
* expire date: Apr 21 18:07:27 2018 GMT
* issuer: C=MX; ST=Sonora; O=Gustavo Inc; OU=Gustavo Systems; CN=Gustavo Inter; emailAddress=gustavoinc@gmail.com
* SSL certificate verify ok.
* Server auth using Basic with user 'user'
} [5 bytes data]
> GET / HTTP/1.1
> Host: V.X.Y.Z:PORT
> Authorization: Basic dXNlcjpwYXNz
> Accept: application/json
> Connection: keep-alive
> Accept-Encoding: gzip, deflate, sdch, br
> Accept-Language: es-US,es;q=0.8,es-419;q=0.6,en;q=0.4
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
{ [5 bytes data]
* TLSv1.2 (IN), TLS alert, Client hello (1):
{ [2 bytes data]
* Empty reply from server
* Connection #0 to host V.X.Y.Z left intact
它返回状态代码000。
据我所见,握手正在执行而没有问题。我们执行问候消息,密钥发布,我们发送证书以表明我们自己,我们同意协议和密码套件,我们可以看到" SSL证书确定"消息,表明我们已正确认证。 在那之后,我们发送我们的凭据用于基本授权目的,然后BAM,我们得到来自服务器的#34;空回复"信息。此外,我们没有收到"无效的凭据消息",所以看起来它甚至没有到达服务器来检查凭据,例如客户端和服务器是否同意密码套件,但之后失去了沟通。
你知道为什么会发生这种情况吗?或者我错过了什么?我也试过使用网络浏览器,但是我仍然得到了响应超时,所以它看起来不像卷曲的问题。
编辑:在使用以下OpenSSL命令后,我还添加了完整的OpenSSL输出:
openssl s_client -connect url:port -cert client.cert.pem -key client.key.pem -pass pass:password -CAfile ca.cert.pem -msg -state -debug