[comment]: # translation:outdated [comment]: # ({64bb0393-64bb0393}) # 2 证书问题 [comment]: # ({/64bb0393-64bb0393}) [comment]: # ({123d3f4b-123d3f4b}) #### OpenSSL 与 CRLs 一起使用,对于证书链中的某些 CA,其 CRL 不包括在 "TLSCRLFile" 中 在 *OpenSSL* 对端的情况下,在 TLS 服务器日志中,会有如下显示: failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \ file s3_srvr.c line 3251: error:14089086: SSL routines:ssl3_get_client_certificate:certificate verify failed: \ TLS write fatal alert "unknown CA" 在 *GnuTLS* 对端的情况下,在 TLS 服务器日志中,会有如下显示: failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \ file rsa_pk1.c line 103: error:0407006A: rsa routines:RSA_padding_check_PKCS1_type_1:\ block type is not 01 file rsa_eay.c line 705: error:04067072: rsa routines:RSA_EAY_PUBLIC_DECRYPT:paddin [comment]: # ({/123d3f4b-123d3f4b}) [comment]: # ({7be8a029-7be8a029}) #### CRL 已过期或者在服务器操作期间过期 [*OpenSSL*]{.underline}, 在服务器日志中会议如下显示: - 到期前: ```{=html} ``` cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\ SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\ SSL routines:ssl3_get_server_certificate:certificate verify failed:\ TLS write fatal alert "certificate revoked" - 到期后: ```{=html} ``` cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\ SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\ SSL routines:ssl3_get_server_certificate:certificate verify failed:\ TLS write fatal alert "certificate expired" 这里需要注意的是,使用有效的 CRL,吊销的证书将报告为"证书已吊销"。当 CRL 过期时,错误消息将更改为"证书已过期",这非常具有误导性。 [*GnuTLS*]{.underline}, 在服务器日志中会议如下显示: - 到期前后显示相同: ```{=html} ``` cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\ invalid peer certificate: The certificate is NOT trusted. The certificate chain is revoked. [comment]: # ({/7be8a029-7be8a029}) [comment]: # ({d0a3efb1-e3030ed0}) #### 自签证书,未知CA [*OpenSSL*]{.underline}, 在日志中显示: error:'self signed certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/statem/statem_clnt.c\ line 1924: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:\ TLS write fatal alert "unknown CA"' 当服务器证书错误地具有相同的颁发者和主题字符串时,尽管该字符串是由 CA 签名的,但颁发者和主题在顶级 CA 证书中相同,但在服务器证书中不能相同时,就会看到这种情况。(这同样适用于proxy和agent证书。) #### 自签证书,未知CA [*OpenSSL*]{.underline}, 在日志中: error:'self signed certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/statem/statem_clnt.c\ line 1924: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:\ TLS write fatal alert "unknown CA"' 这是在server证书错误地具有相同的Issuer和Subject字符串时观察到的,尽管它是由CA签名的。Issuer和Subject在顶级CA证书中是相等的,但在server证书中不能相等。(proxy证书和agent证书也是如此。) 要检查证书是否包含相同的Issuer和Subject条目,请运行: ``` openssl x509 -in -noout -text ``` 根(顶级)证书的Issuer和Subject值相同是可以接受的。 [comment]: # ({/d0a3efb1-e3030ed0})