2. 运用 s_client 参数-showcerts获取服务器端的根证书,服务器端的证书链将会全部显示出来,在证书链的末端就是根证书,保存证书文件为serverCA.pem 。
清单 7. 获取服务器端的根证书
|
[root@wkswss openssl]# openssl s_client -connect www6.software.ibm.com:443 – showcerts
…
s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE----- |
3. 运用 s_client 参数-CAfile CA.pem再次连接服务器
清单 8. 设定服务器证书文件建立 SSL 连接
|
[root@wkswss openssl]# openssl s_client -CAfile serverCA.pem -connect
www6.software.ibm.com:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=IBM/CN=www6.software.ibm.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
……
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 00365044871540E334826923BF9C531CE659274858585858499C14380000000C
Session-ID-ctx:
Master-Key:
D065F1F2297560F1CD4CCC0D7A58E647CC9F596BCEC545CF90DD54659CB36C53CDAC977E5784C6
A273BA28B486E578B9
Key-Arg : None
Krb5 Principal: None
Start Time: 1234986898
Timeout : 300 (sec)
Verify return code: 0 (ok) |
- 客户端拥有认证服务器证书的根证书,但是服务器被防火墙隔离,防火墙在收到来自客户端的 SSL 连接请求时返回防火墙的证书。这种情况下的症状跟服务器证书被篡改非常相似,但是区别在于应用上述提及的方法仍然不能定位错误。
1. 客户端已经拥有服务器 build.rchland.ibm.com 的根证书rochCA.pem,当客户端试图连接服务器客户时,对服务器的证书认证却不能通过。
清单 9. 认证失败
|
[root@wks547385wss openssl]# openssl s_client -CAfile roch.pem -state -connect
build.rchland.ibm.com:443
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /serialNumber=93e352/CN=rch-fw-1a.rchland.ibm.com/unstructuredName=
rch-fw-1a.rchland.ibm.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /serialNumber=93e352/CN=rch-fw-1a.rchland.ibm.com/unstructuredName=
rch-fw-1a.rchland.ibm.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
… |
2. 使用x509工具,查看根证书的具体内容,特别是证书签发者和持有者的身份,如清单 10 所示。
清单 10. 解码根证书
[root@wks547385wss openssl]# openssl x509 -text -in roch.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 903804111 (0x35def4cf)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Validity
Not Before: Aug 22 16:41:51 1998 GMT
Not After : Aug 22 16:41:51 2018 GMT
Subject: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit) |
有了上述的证书签发者信息后,我们的问题就迎刃而解了,客户端收到了来自防火墙的证书,该证书和防火墙后面的服务器的数字证书来自不同的签发者。
结束语
openssl 提供的 ssl 库被广泛的运用的同时,也增加了程序员在诊断通讯故障的难度。巧妙的运用 s_client 无疑给程序员带来了一把利刃,特别是缺乏调试工具的环境下,如嵌入式系统。
