当进行 wireshark 跟踪以检查我们的服务器是否正确提供了我的 Let's Encrypt 证书时,我看到在“Server Hello Done”时同一证书在 TLS 握手中发送了两次。
这怎么会发生?如何纠正?
证书详情2次完全一样:
要求的额外信息: 我通过在 Fedora 25 客户端上使用我的 Chrome 浏览器访问我的 Apache 网络服务器(CentOS Linux 版本 7.4.1708(核心版))的 https 页面来使用 wireshark 跟踪这一点。
虚拟主机配置:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
不知道这是否重要,但我还有第二个带有不同 Let's Encrypt 证书的 VirtualHost:
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/letsencrypt/live/my2.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my2.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my2.domain.tld/fullchain.pem
最佳答案
问题
这是由 SSLCertificateFile 和 SSLCertificateChainFile 同时配置引起的。
来自 the mod_ssl documentation (强调我的):
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.
但是如果您检查您的 fullchain.pem,您会看到它在顶部包含 server 证书,后面是 Let's Encrypt 颁发 CA。 Apache 正在传送 SSLCertificateFile 的内容,并在其后连接 SSLCertificateChainFile。由于您的服务器证书出现在两者中,因此它在 SSL 握手中看到的最终链中被复制,就像您在 Wireshark 中观察到的那样:
vhost.conf Sent To Client
+---------------+ +------------------+
| cert.pem |----------> |Server Certificate|
| | | + |
| + | +---> |Server Certificate|
| | | | + |
| fullchain.pem |----------> | CA Certificate |
+---------------+ +------------------+
修复
在现代 Apache 中,不再使用 SSLCertificateChainFile 指令,而是将 fullchain.pem 直接提供给 SSLCertificateFile。
同样,来自 the mod_ssl documentation :
SSLCertificateChainFile is deprecated
SSLCertificateChainFilebecame obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
所以你需要做的就是改变你的虚拟主机配置:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
对此:
SSLCertificateFile /etc/letsencrypt/live/my.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.tld/privkey.pem
关于ssl - 让我们加密 ssl 证书在 TLS 握手中发送两次,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50857898/