OpenSSL 客户端基于证书的身份验证失败

Posted

技术标签:

【中文标题】OpenSSL 客户端基于证书的身份验证失败【英文标题】:OpenSSL Client-side Certificate-based Authentication Fails 【发布时间】:2011-03-10 19:16:35 【问题描述】:

我正在尝试运行以下命令:

[root@localhost certs]# openssl s_client -connect localhost:7043 -cert /opt/openssl-1.0.0a/ssl/certwork_client/client.crt -key /opt/openssl-1.0.0a/ssl/certwork_client/client.key -CAfile /opt/openssl-1.0.0a/ssl/certwork/ca.crt -showcerts -state -verify 2
verify depth is 2
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = US, ST = Florida, L = Orlando, O = Company XYZ, OU = MyApp, CN = MyApp CA
verify return:1
depth=0 C = US, ST = Florida, L = Orlando, O = Company XYZ, OU = MyApp, CN = MyApp Manager Server
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
15238796:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1193:SSL alert number 48
15238796:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
0 s:/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp Manager Server
   i:/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp CA
-----BEGIN CERTIFICATE-----
MIIFWDCCA0ACAQEwDQYJKoZIhvcNAQEFBQAwajELMAkGA1UEBhMCVVMxEDAOBgNV
BAgMB0Zsb3JpZGExEDAOBgNVBAcMB09ybGFuZG8xGDAWBgNVBAoMD0xvY2toZWVk
IE1hcnRpbjEMMAoGA1UECwwDTkNSMQ8wDQYDVQQDDAZOQ1IgQ0EwHhcNMTEwMzA4
MTc0MzQ3WhcNMjEwMzA1MTc0MzQ3WjB6MQswCQYDVQQGEwJVUzEQMA4GA1UECAwH
RmxvcmlkYTEQMA4GA1UEBwwHT3JsYW5kbzEYMBYGA1UECgwPTG9ja2hlZWQgTWFy
dGluMQwwCgYDVQQLDANOQ1IxHzAdBgNVBAMMFk5DUiBTQU4gTWFuYWdlciBTZXJ2
ZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDYCut4DlfOcEXXyN1F
jNwyhEqLcdfQEDNWZDoQ/R3PfN3uTJGhYGuAgAIJZccYHF4BTTjZ5BA2u9ASYMJV
dUcCFU+mvCf3K6SzTG1/v46jBZz+C9OsQVZqc6UA/EmQKYzlDecvtukpQ6cquHBa
02JxBD3W2oZzdNWYZW6dn82YfzQGcySQhpFJMyyjf0baPV9wFKNqot7ZNiyusQTJ
g/GL8c29UJXHBYw15UMHm0dlDl2FREWEdNfbGbZCU+QTpyS059itkgmNQRKgNdBh
JpmRBJLp+iIk29JoKFJTyADR/QtIFnv/gl3P7FFvy1AZ+dGLQTHcf/MIFsbpf+s8
J7FtT+i/dCnLVDsz5e29jaSP32D0wAs66+I7ik4hOA0Eicaykwau19zkXpt1qScI
cb9ynjiGmoKzN+0ESm+S0Mr8+CgzTpfrNqDkJEgW8CQQqv8gzIYXgued+86omFvy
Qiq5ISeY13XrzbwX8NmFsByvAzWQ+emfkTF7A2HbGSpaeXWVUUqnT+BKeLk1uuGV
L8oWIGYJdjQiUGapjcU0uMxef8PKtJp3O40bqDSb5d7wONtwgEURr8583fo9415N
EMCkPiddgRet0TRATmNGgBpMpkOR5lf1WI4lgBRvHUFObbbwI7ByPyxifYtMwSFG
HVEz2MWol2cgQGWGG77nBaxPYQIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQALpEtS
b2j1eKXPzdjqB9cN0TDc87j49+dPJiinQqHvCqLN3sPpXIXeh/mPGWL71s/4pQmS
rMZwe/0vmOI5tCvUCM84xtbCW07UvtiBcOpvFjdoW9KfCvPiPiIiPs0FNUcaYcdZ
y+bxgCHDLnk3FnNW4ECqHHIpio6bvKOJKEBB1DE0kBxzv4ayqHVeRTIBahVeIun2
5XftPiScRQE+b4//qozyU9v3gzbQ1UuEFvYgWAlmllneiRw2oLpazIOrLi3YJbie
wnPnbT1wM4b/JpVUSw41NAlVY5W2OujCcQWHNAWu3UW8GE0pLTFPj/DSAV+rkb0f
l1anvsmKly5oTcxEhi4lV6VhWabsJYag5uXZMViBoUK4hZRTXIgylVrvSZWpFTgO
vgeheOT2IJ1pXJRzuuB7/8pwvqliGDIeIccwvBzlIuY9mTehyX+uAfKKQwQ0IGDG
exPIVySi4HZi6rPNbO6Q17Tz6HYdlr1NMri82lLiOgjzNH8yPHXMSYjqtT3bG9a2
YWjYeNWjFtcyVOb60UXQRf+ghc2TDBii8pZ4u9dbsVoenzevFHc+k/8Ku6RAeMjo
+BqB7wzS39jAL+AmOa3XM0GI7h3Wrj0sZs2D32VejECzn6xat+NGKE+oZH0d2RKs
eVA5Vo+zKcEFskiWWBdPhG3Flqn8pfvMLpqoDA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp Manager Server
issuer=/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp CA
---
Acceptable client certificate CA names
/C=US/ST=Florida/L=Orlando/O=Company XYZ/OU=MyApp/CN=MyApp Client CA
---
SSL handshake has read 1615 bytes and written 3975 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 10AB798BBA57D06F61D0E970EF8919619942EC2A22131260C3718CA23ED75FD1
    Session-ID-ctx: 
    Master-Key: D9EC43146764BAEE7E32A591C5A933914B57DA2EC479A6419EE3E822B3022E80E093798D1E17947159B7080F8AA80C85
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1299706827
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

在服务器中,我有以下代码:

certificateFile = /opt/openssl-1.0.0a/ssl/certwork/server.crt
privatKeyFile = /opt/openssl-1.0.0a/ssl/certwork/server.key
ctx = Ctx::client_server(certificateFile, privateKeyFile);
ctx->context()->verify_mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE;
ctx->context()->client_CA = SSL_load_client_CA_file("/opt/openssl-1.0.0a/ssl/certwork_client/ca.crt");

context() 调用 OpenSSL 的 ssl.h 中的方法。

我使用以下命令创建了服务器 CA(证书颁发机构)和服务器证书:

cd /opt/openssl-1.0.0a/ssl
mkdir certwork
chmod 600 certwork
cd certwork
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

我使用以下命令创建了客户端 CA 和客户端证书:

cd /opt/openssl-1.0.0a/ssl
mkdir certwork_client
chmod 600 certwork_client
cd certwork_client
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

我可以通过证书获得服务器端身份验证,但是当我使用证书添加客户端身份验证时,我收到tlsv1 alert unknown ca:s3_pkt.c:1193:SSL alert number 48 错误。

我将客户端设置为使用服务器的 CA (/opt/openssl-1.0.0a/ssl/certwork/ca.crt),并将服务器设置为使用客户端的 CA 文件 (/opt/openssl-1.0.0a/ssl/certwork_client/ca.crt)。

我错过了什么?

【问题讨论】:

【参考方案1】:

在我看来,服务器拒绝了客户端证书。

TLS 服务器有 3 种不同的 CA 设置:

提供给客户端的服务器链(SSL_CTX_add_extra_chain_cert) 您宣布支持客户的 CA (SSL_CTX_set_client_CA_list) 您实际用于验证的 CA (SSL_CTX_load_verify_locations)

您可能在绑定中使用错误的等效项配置服务器。

你用openssl s_server测试过吗?

【讨论】:

【参考方案2】:

“我可以让服务器端身份验证工作”是什么意思?通常服务器端身份验证是最后一个;首先客户端验证您的服务器的身份,然后将其证书发送到服务器。

如果客户端识别了您的服务器,则意味着您的客户端具有签署您服务器证书的 CA 证书,或者您的服务器证书。

如果服务器无法识别您的客户端,请检查服务器的信任库(在 JAVA 中)或 apache2 配置中的 CACertificateFile ...

希望对你有帮助

【讨论】:

【参考方案3】:

我以前遇到过这个问题。原来我没有创建正确的证书、密钥和签名。这个quick start guide 就是我创建它们所需要的。

【讨论】:

以上是关于OpenSSL 客户端基于证书的身份验证失败的主要内容,如果未能解决你的问题,请参考以下文章

OpenSSL 的相互身份验证始终成功

相互证书身份验证失败并出现错误 403.16

在 APNs 的上下文中,p8 和 p12 是不是分别表示基于令牌和证书的身份验证?

Jmeter-如何在Jmeter中测试受客户端证书身份验证保护的api?

用openssl生成的ssl证书和付费的有啥区别

用openssl生成的ssl证书和付费的有啥区别