我使用Net::Jabber::Client通过XMPP发送消息。
我要连接的服务器使用自签名证书:
DEBUG: .../IO/Socket/SSL.pm:2853: new ctx 45728400
DEBUG: .../IO/Socket/SSL.pm:1540: start handshake
DEBUG: .../IO/Socket/SSL.pm:717: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:750: using SNI with hostname my.host.name
DEBUG: .../IO/Socket/SSL.pm:785: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:806: set socket to non-blocking to enforce timeout=10
DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:832: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:842: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:862: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:819: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2754: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2707: ok=0 [0] /CN=my.host.name/CN=my.host.name
DEBUG: .../IO/Socket/SSL.pm:822: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:825: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:825: local error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:828: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1963: downgrading SSL only, not closing socket
DEBUG: .../IO/Socket/SSL.pm:2875: free ctx 45728400 open=
DEBUG: .../IO/Socket/SSL.pm:2879: free ctx 45728400 callback
DEBUG: .../IO/Socket/SSL.pm:2886: OK free ctx 45728400
我发现我可以通过SSL_fingerprint和/或SSL_verifycn_name来通过对自签名证书的验证。
为了使其正常工作,我入侵了this
my %ssl_params = (
SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},
SSL_hostname => 'my.host.name',
SSL_verifycn_name => 'my.host.name',
);
没有成功=(
我尝试使用->get_fingerprint获取指纹并将其传递给SSL_fingerprint参数,但是:
IO::Socket::SSL->start_SSL(
$self->{SIDS}->{$sid}->{sock},
$self->{SIDS}->{$sid}->{ssl_params}
) or die "$IO::Socket::SSL::SSL_ERROR";
失败,并显示错误:
SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at
哪个选项可以传递给IO::Socket::SSL来验证自签名证书?
答案 0 :(得分:2)
使用指纹可能是验证由您自己控制的自签名证书的最简单方法。使用SSL_fingerprint时,它将不再关心任何其他类型的验证,即不再检查名称,吊销,到期等-因此,如果您也想对此进行检查,则不应使用SSL_fingerprint。
获取站点的指纹可以通过以下方式完成:未经验证就连接到该站点一次(因为您尚不信任证书),然后获取指纹或直接从证书获取指纹。
要询问服务器以获取指纹,并假设未拦截连接,以便获得正确的指纹:
use IO::Socket::SSL;
print IO::Socket::SSL->new(
PeerHost => 'example.com:443',
# switch off validation since the certificate is not trusted yet
SSL_verify_mode => SSL_VERIFY_NONE,
)->get_fingerprint,"\n";
当前提供sha256$642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040,可以直接用作SSL_fingerprint的参数。
如果您已经拥有该站点的证书,则可以直接在其上计算指纹:
# get the certificate
$ openssl s_client -connect example.com:443 -servername example.com
...
-----BEGIN CERTIFICATE-----
MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw
...
-----END CERTIFICATE-----
# take this PEM certificate and get fingerprint
$ openssl x509 -fingerprint -sha256 -noout -in cert.pem
SHA256 Fingerprint=64:2D:E5:4D:84:C3:04:94:15:7F:53:F6:57:BF:9F:89:B4:EA:6C:8B:16:35:1F:D7:EC:25:8D:55:6F:82:10:40
显示的指纹实际上与以前相同,只是以不同的方式书写。通过删除所有的':'(仅用于可读性),得到642DE5....1040,并在其前面加上使用的哈希算法sha256,从而使人们可以在SSL_fingerprint中使用某些东西:{{ 1}}。
要使用指纹然后连接到该站点:
sha256$642DE5...1040答案 1 :(得分:1)
IO::Socket::SSL只有在信任您用于self sign the certificate的证书颁发机构文件时,才能验证自签名证书。
我认为您需要将正确的SSL_ca_file或SSL_ca_path传递给IO::Socket::SSL,以便可以访问证书颁发机构文件。这是IO::Socket::SSL文档的common usage errors部分中提到的第一件事。
答案 2 :(得分:0)
通常,这是通过本地主机加密时发生的,本地证书本身几乎不起作用。
涉及IO :: Socket :: SSL的模块可以与附加参数一起使用,以防止因“证书验证失败”而崩溃。
要长期解决该问题,请在顶部添加以下行:
use IO::Socket::SSL qw(SSL_VERIFY_NONE);
$smtp = Net::SMTPS->new('localhost',
doSSL => 'starttls',
Port => 587,
SSL_verify_mode => SSL_VERIFY_NONE
);