2 个证书问题

OpenSSL used with CRLs and for some CA in the certificate chain its CRL is not included in TLSCRLFile

OpenSSL 对等体的情况下,TLS 服务器日志中显示:

failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
           file s3_srvr.c line 3251: error:14089086: SSL routines:ssl3_get_client_certificate:certificate verify failed: \
           TLS write fatal alert "unknown CA"

GnuTLS 对等体的情况下,TLS 服务器日志中显示:

failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
           file rsa_pk1.c line 103: error:0407006A: rsa routines:RSA_padding_check_PKCS1_type_1:\
           block type is not 01 file rsa_eay.c line 705: error:04067072: rsa routines:RSA_EAY_PUBLIC_DECRYPT:paddin

CRL 已过期或将在服务器运行期间过期

OpenSSL,在服务器日志中:

  • 过期前:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
           SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
           SSL routines:ssl3_get_server_certificate:certificate verify failed:\
           TLS write fatal alert "certificate revoked"
  • after expiration:
{=html}
       <!-- -->
       
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
           SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
           SSL routines:ssl3_get_server_certificate:certificate verify failed:\
           TLS write fatal alert "certificate expired"

The point here is that with valid CRL a revoked certificate is reported as "certificate revoked". When CRL expires the error message changes to "certificate expired" which is quite misleading.

GnuTLS, in server log:

  • before and after expiration the same:
{=html}
       <!-- -->

无法连接到 proxy "proxy-openssl-1.0.1e":TCP 成功,无法通过 TLS 连接到 [[127.0.0.1]:20004]:
无效的对等证书:该证书不可信。证书链已被吊销。

自签名证书,未知 CA

OpenSSL的日志中出现:

error:'self signed certificate: SSL_connect() set result code to SSL_ERROR_SSL: file ../ssl/statem/statem_clnt.c\
             line 1924: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:\
             TLS write fatal alert "unknown CA"'

当服务器证书错误地具有相同的颁发者(Issuer)和主题(Subject)string时,会出现此问题,尽管该证书是由CA签名的。在根CA(Top-级)证书中,颁发者和主题可以相同,但在服务器证书中不允许相同。(此规则同样适用于proxy和agent证书。)

要检查证书是否包含相同的颁发者和主题条目,请运行以下命令:

openssl x509 -in <yourcertificate.crt> -noout -text

根证书(Top-级)的颁发者(Issuer)和主题(Subject)值相同是可以接受的。