Sidebar

Zabbix Summit 2022
Register for Zabbix Summit 2022

2 证书问题

OpenSSL与CRL一起使用,对于证书链中的某些CA,其CRL不在“TLSCRLFile”中

mbed TLS (PolarSSL)OpenSSL 对等(peers)情形TLS服务器日志:

failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
           file s3_srvr.c line 3251: error:14089086: SSL routines:ssl3_get_client_certificate:certificate verify failed: \
           TLS write fatal alert "unknown CA"

GnuTLS 对等(peer)情形TLS服务器日志:

failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
           file rsa_pk1.c line 103: error:0407006A: rsa routines:RSA_padding_check_PKCS1_type_1:\
           block type is not 01 file rsa_eay.c line 705: error:04067072: rsa routines:RSA_EAY_PUBLIC_DECRYPT:paddin

服务器运行期间CRL过期或到期

OpenSSL 在服务器端日志:

  • 过期前:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
           SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
           SSL routines:ssl3_get_server_certificate:certificate verify failed:\
           TLS write fatal alert "certificate revoked"
  • 过期后:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
           SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
           SSL routines:ssl3_get_server_certificate:certificate verify failed:\
           TLS write fatal alert "certificate expired"

需要指出的是,有效的CRL撤销证书时,被告知为“证书撤销”。 当CRL到期时,错误消息将更改为“证书已过期”,这是非常容易误导的。

GnuTLS 在服务器日志:

  • 过期前或过期后:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
             invalid peer certificate: The certificate is NOT trusted. The certificate chain is revoked.

mbed TLS (PolarSSL), in server log:

  • 过期前:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
           invalid peer certificate: revoked
  • 过期后:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
             invalid peer certificate: revoked, CRL expired

Self-signed certificate, unknown CA

OpenSSL, in log:

error:'self signed certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/statem/statem_clnt.c\
             line 1924: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:\
             TLS write fatal alert "unknown CA"'

This was observed when server certificate by mistake had the same Issuer and Subject string, although it was signed by CA. Issuer and Subject are equal in top-level CA certificate, but they cannot be equal in server certificate. (The same applies to proxy and agent certificates.)