After building my own eventmachine/thin with SSL support on Windows (Installing OpenSSL with Ruby for eventmachine on Windows 7 x86) I have another problem with SSL certificates: when I use the built-in self-signed certificate, thin works fine, but it does not respond to any request when using the company certificate.
This is the path I took to obtain the certificate:
openssl req -out ssl.csr -key ssl-private.key -new
openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt
What could be going wrong here?
What I have checked:
openssl rsa -in ssl-private.key -check
says "RSA key ok"
openssl x509 -in cert.crt -text -noout
says
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ***
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: ***
        Validity
            Not Before: Feb 16 08:47:25 2004 GMT
            Not After : Feb 16 08:55:36 2024 GMT
        Subject: ***
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: ***
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: ***
            1.3.6.1.4.1.311.21.1: ...
    Signature Algorithm: sha1WithRSAEncryption
    ***
Meanwhile the same check on the self-signed certificate, created using
openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
says
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: ***
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
        Validity
            Not Before: Jun 24 14:42:07 2015 GMT
            Not After : Jun 23 14:42:07 2016 GMT
        Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: ***
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
    ***
OK, some changes: I changed the order of the certificates in the crt file so that the end-entity certificate is not last but first, and the result is different: Chrome throws a NET::ERR_CERT_INVALID error, IE something similar, and neither will navigate any further.
openssl s_client output (looks fine; *** Root CA 1 is trusted in Windows):
Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=***/ST=***/O=***/CN=***.com
   i:/DC=com/DC=***/CN=*** Enterprise CA 1
 1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
   i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: ***
    Session-ID-ctx:
    Master-Key: ***
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ***
    Start Time: 1435319943
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
I made a simple https server (lib/emtestssl):
require 'rubygems'
require 'bundler/setup'
Bundler.require

class ServerHandler < EM::Connection
  def post_init
    puts "post_init"
    # comb.crt holds the server certificate followed by the CA chain
    start_tls :private_key_file => 'private.key',
              :cert_chain_file => 'comb.crt',
              :verify_peer => false
  end

  def receive_data(data)
    puts "Received data in server: #{data}"
    send_data("HTTP/1.1 200 OK\n\nHello world!")
    close_connection_after_writing
  end
end

EventMachine.run do
  puts 'Starting server...'
  EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end
It works fine without TLS; with TLS the browser will not allow the connection :(
According to http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify the private key and the certificate do match.
It looks like the (patched) eventmachine is completely fine: I took a key/certificate pair from an existing server and (after the browser's URL mismatch warning) it works fine.
Comparing the certificates, it looks like my CA has failed me and handed me a certificate with the wrong attributes: the working one is described as Server Authentication (1.3.6.1.5.5.7.3.1), while the failing one is Client Authentication (1.3.6.1.5.5.7.3.2).
I will issue another CSR and write off the lost day... :/
Perhaps one important finding is the order of the certificates in the certificate file: it must go from the end-entity certificate first to the root at the end.
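As an added illustration (not code from the question or from eventmachine), here is a Ruby check for the two problems the post ends on: the order of certificates in the bundle handed to start_tls :cert_chain_file, and the extendedKeyUsage of the leaf. The check_cert_chain and issue helpers, and the throw-away CA and test.org certificates they build, are constructed for this example.

```ruby
require 'openssl'

# Hypothetical helper: returns the problems found in a PEM bundle meant for
# :cert_chain_file (end-entity certificate first, then its issuers). It
# flags a CA placed first, a leaf lacking serverAuth, a broken issuer link
# between neighbouring certificates, and a key that does not match the leaf.
def check_cert_chain(pem_bundle, key = nil)
  certs = pem_bundle.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
                    .map { |pem| OpenSSL::X509::Certificate.new(pem) }
  return ['bundle contains no certificates'] if certs.empty?
  problems = []
  leaf = certs.first
  ext = ->(c, oid) { (e = c.extensions.find { |x| x.oid == oid }) && e.value }
  problems << 'first certificate is a CA, not the server certificate' if ext[leaf, 'basicConstraints'].to_s.include?('CA:TRUE')
  eku = ext[leaf, 'extendedKeyUsage']
  problems << "leaf extendedKeyUsage is #{eku.inspect}, not TLS Web Server Authentication" unless eku.to_s.include?('TLS Web Server Authentication')
  # Each certificate must be signed by the one that follows it in the file.
  certs.each_cons(2).with_index do |(child, parent), i|
    next if child.issuer == parent.subject && child.verify(parent.public_key)
    problems << "certificate #{i} is not issued by certificate #{i + 1}"
  end
  problems << 'private key does not match the first certificate' if key && !leaf.check_private_key(key)
  problems
end

# Constructed test material: a throw-away root CA and leaves with a chosen EKU.
def issue(subject, key, issuer_cert, issuer_key, exts)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  exts.each { |oid, val| cert.add_extension(ef.create_extension(oid, val, oid == 'basicConstraints')) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY, LEAF_KEY = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue('/CN=Example Root CA', CA_KEY, nil, nil, [['basicConstraints', 'CA:TRUE'], ['keyUsage', 'keyCertSign,cRLSign']])
SERVER  = issue('/CN=test.org', LEAF_KEY, CA_CERT, CA_KEY, [['basicConstraints', 'CA:FALSE'], ['extendedKeyUsage', 'serverAuth']])
CLIENT  = issue('/CN=test.org', LEAF_KEY, CA_CERT, CA_KEY, [['basicConstraints', 'CA:FALSE'], ['extendedKeyUsage', 'clientAuth']])
GOOD_BUNDLE       = SERVER.to_pem + CA_CERT.to_pem  # leaf first, then the root: correct order
REVERSED_BUNDLE   = CA_CERT.to_pem + SERVER.to_pem  # root first: the ordering mistake from the post
CLIENTAUTH_BUNDLE = CLIENT.to_pem + CA_CERT.to_pem  # right order, but the CA issued a clientAuth certificate
```

Running check_cert_chain over the three bundles reproduces the post's findings: the correctly ordered serverAuth bundle passes, the reversed one fails on order, and the clientAuth one fails only on extendedKeyUsage.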