2011-03-10 176 views
4

OpenSSL client certificate-based authentication fails

I am trying to run the following command:

[[email protected] certs]# openssl s_client -connect localhost:7043 -cert /opt/openssl-1.0.0a/ssl/certwork_client/client.crt -key /opt/openssl-1.0.0a/ssl/certwork_client/client.key -CAfile /opt/openssl-1.0.0a/ssl/certwork/ca.crt -showcerts -state -verify 2 
verify depth is 2 
CONNECTED(00000003) 
SSL_connect:before/connect initialization 
SSL_connect:SSLv2/v3 write client hello A 
SSL_connect:SSLv3 read server hello A 
depth=1 C = US, ST = Florida, L = Orlando, O = Company XYZ, OU = MyApp, CN = MyApp CA 
verify return:1 
depth=0 C = US, ST = Florida, L = Orlando, O = Company XYZ, OU = MyApp, CN = MyApp Manager Server 
verify return:1 
SSL_connect:SSLv3 read server certificate A 
SSL_connect:SSLv3 read server certificate request A 
SSL_connect:SSLv3 read server done A 
SSL_connect:SSLv3 write client certificate A 
SSL_connect:SSLv3 write client key exchange A 
SSL_connect:SSLv3 write certificate verify A 
SSL_connect:SSLv3 write change cipher spec A 
SSL_connect:SSLv3 write finished A 
SSL_connect:SSLv3 flush data 
SSL3 alert read:fatal:unknown CA 
SSL_connect:failed in SSLv3 read finished A 
15238796:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1193:SSL alert number 48 
15238796:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184: 
--- 
Certificate chain 
0 s:/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp Manager Server 
    i:/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp CA 
--- 
Server certificate 
subject=/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp Manager Server 
issuer=/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp CA 
--- 
Acceptable client certificate CA names 
/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp Client CA 
--- 
SSL handshake has read 1615 bytes and written 3975 bytes 
--- 
New, TLSv1/SSLv3, Cipher is AES256-SHA 
Server public key is 4096 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : AES256-SHA 
    Session-ID: 10AB798BBA57D06F61D0E970EF8919619942EC2A22131260C3718CA23ED75FD1 
    Session-ID-ctx: 
    Master-Key: D9EC43146764BAEE7E32A591C5A933914B57DA2EC479A6419EE3E822B3022E80E093798D1E17947159B7080F8AA80C85 
    Key-Arg : None 
    PSK identity: None 
    PSK identity hint: None 
    Start Time: 1299706827 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok) 
--- 

In the server I have the following code:

certificateFile = "/opt/openssl-1.0.0a/ssl/certwork/server.crt";
privateKeyFile  = "/opt/openssl-1.0.0a/ssl/certwork/server.key";   // originally misspelled "privatKeyFile"
ctx = Ctx::client_server(certificateFile, privateKeyFile);
// Request a client certificate and abort the handshake if the client sends none
ctx->context()->verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE;
// SSL_load_client_CA_file() only builds the list of CA names that the server advertises in its
// CertificateRequest; the CA certificates the server trusts when it verifies the client's chain are
// configured separately (SSL_CTX_load_verify_locations()).
ctx->context()->client_CA = SSL_load_client_CA_file("/opt/openssl-1.0.0a/ssl/certwork_client/ca.crt");

context() is a method that calls into OpenSSL's ssl.h.

I created the server CA (certificate authority) and the server certificate with the following commands:

cd /opt/openssl-1.0.0a/ssl 
mkdir certwork 
chmod 600 certwork 
cd certwork 
openssl genrsa -des3 -out ca.key 4096 
openssl req -new -x509 -days 365 -key ca.key -out ca.crt 
openssl genrsa -des3 -out server.key 4096 
openssl req -new -key server.key -out server.csr 
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt 

I created the client CA and the client certificate with the following commands:

cd /opt/openssl-1.0.0a/ssl 
mkdir certwork_client 
chmod 600 certwork_client 
cd certwork_client 
openssl genrsa -des3 -out ca.key 4096 
openssl req -new -x509 -days 365 -key ca.key -out ca.crt 
openssl genrsa -des3 -out client.key 4096 
openssl req -new -key client.key -out client.csr 
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt 

I can get server-side authentication through certificates working, but when I add client authentication with certificates I get the error tlsv1 alert unknown ca:s3_pkt.c:1193:SSL alert number 48.

I set the client up to use the server's CA (/opt/openssl-1.0.0a/ssl/certwork/ca.crt), and I set the server up to use the client's CA file (/opt/openssl-1.0.0a/ssl/certwork_client/ca.crt).

What am I missing?

Answers

5

It looks to me like the server is rejecting the client certificate.

There are 3 different CA settings for a TLS server:

You have probably configured your server with the wrong equivalent in your bindings.

Have you ever tested it with openssl s_server?

0

What do you mean by "I can get server-side authentication working"? Usually server-side authentication is the last one; first the client verifies your server's identity, then it sends its certificate to the server.

If the client recognises your server, that means your client has the CA certificate that signed the server certificate, or your server certificate itself.

If the server does not recognise your client, check your server's truststore (in JAVA) or the CACertificateFile in your Apache2 configuration ...

Hope it helps

0

I had this problem before. It turned out that I had not created the certificates, keys and signatures correctly. This quick start guide was all I needed to create them.