我已经为此苦苦挣扎了好几天,也搜索了好几天。我正在尝试从我的 AWS EC2 实例连接到 api-3t.sandbox.paypal.com:443。实例是 Windows Server 2012 R2。我已经安装了 openssl 来尝试调试。在受信任的根证书颁发机构下,我可以在其中看到 VeriSign Class 3 Public Primary Certification Authority - G5 7/16/2036。我的开发机器上也安装了 openssl。
如果我在开发机器上运行 openssl s_client -connect api-3t.sandbox.paypal.com:443,它会返回一个 Verify return code: 0 (ok)。如果我在 EC2 实例中运行同一行,它会返回 Verify return code: 20 (unable to get local issuer certificate)
然后我下载了 G5 证书,上面写着:
-----BEGIN CERTIFICATE----- MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+ rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/ NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y 5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ 4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq -----END CERTIFICATE-----
在 EC2 实例上我运行了以下命令:openssl s_client -CAfile g5.cer -connect api-3t.sandbox.paypal.com:443 响应是 Verify return code : 0(正常)
所以当我将证书传递给 openssl 时,它工作正常。但是当它试图在 keystore 中找到它时失败了。
我按照这些说明安装了证书:http://www.sqlservermart.com/HowTo/Windows_Import_Certificate.aspx
任何人都可以提供帮助以引导我朝着正确的方向前进吗?我需要对 AWS 做些什么吗?
--- 编辑。这是尝试更改策略后的输出
C:\>openssl s_client -connect api-3t.sandbox.paypal.com:443
Loading 'screen' into random state - done
CONNECTED(0000013C)
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=api-3t.sandbox.paypal.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGiDCCBXCgAwIBAgIQSmPFPGKFy6vVcS32CMWsdDANBgkqhkiG9w0BAQsFADB+
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVj
IENsYXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MB4XDTE2MDExNDAwMDAwMFoX
DTE4MDExNDIzNTk1OVowgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y
bmlhMREwDwYDVQQHDAhTYW4gSm9zZTEVMBMGA1UECgwMUGF5UGFsLCBJbmMuMRow
GAYDVQQLDBFQYXlQYWwgUHJvZHVjdGlvbjEiMCAGA1UEAwwZYXBpLTN0LnNhbmRi
b3gucGF5cGFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANXB
QRl1wRXByqGLGt64dqkOJ8srJSPcqYwjA+KL3JuSmWKgvHUKg581H5p6/aX5BD92
ZmMLMrE3gtQnQU9cfatkw7+sFNtDDXh4gJhNAWz1Mw7VuDTRzk4N0YcO55Wy2WQ4
/Z2fYHfL6IoohXfqtYdFY1JzOXkqunPfhsSOKTb03Lf2k4hniwoMVsn8rOSBklNZ
6knC4iiaEOpo/EGtYylbpnoRg1aQP+1Oyc+bwG1LPT64XZA/4frcm1gKnFYBYtRM
RKBmQsF88SjSNUP9DiriHiD8tXryy2xAoQml+bfkslb5FJYLP7xmncQaXQRk/YUo
ehdW8Git3BQpwNZS9f0CAwEAAaOCAvEwggLtMCQGA1UdEQQdMBuCGWFwaS0zdC5z
YW5kYm94LnBheXBhbC5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGEGA1UdIARaMFgwVgYGZ4EMAQIC
MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
BwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMB8GA1UdIwQYMBaAFF9gz2GQ
Vd+EQxSKYCqy9Xr0QxjvMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9zcy5zeW1j
Yi5jb20vc3MuY3JsMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDov
L3NzLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3NzLnN5bWNiLmNvbS9z
cy5jcnQwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2AN3rHSt6DU+mIIuBrYFo
cH4ujp0B1VyIjT0RxM227L7MAAABUkI8Bj4AAAQDAEcwRQIhAIHuCBevjKTfgyu3
p69luk4DBTOJjBozTsnJIs+dVS7NAiASjAaBPD/bGWGXC8bayAREXvuPSr0W+xU0
l0T6Kaje9wB3AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABUkI8
Bn8AAAQDAEgwRgIhAPIWGT/KdSkWSlR3SzPA6O+sP16mpF9Mc/8BBKhAck0WAiEA
u/ie0GvZ8wctdK8OhOnOUUQvQ8njBqd7l5s2GfRWymMAdgBo9pj4H2SCvjqM7rko
HUz8cVFdZ5PURNEKZ6y7T0/7xAAAAVJCPAZmAAAEAwBHMEUCIHkB7wZfWQPm+ZCP
cUAOQwutIiMSXmKFUM9GiHzJ72VoAiEAh+44zz2mRc/NcwTvQsW1BQcjL12y8gji
UBJgtrlwZq4wDQYJKoZIhvcNAQELBQADggEBAEKkutMm4VqebHi49Zw35dFStnRb
RD9sUIpFvuvSCTnvM0uwFGHa01hoH6XCk0mQf7Hlv8eUjQCYEjq/yOy/qd1D/0FG
pG5QYXpiiB1rfJyGSTps6TMsSzhGJwZt6e7ZNJ29uGBvfaYi5S+qbxqUkEUIOoeE
+K77MUD5ouwN6mm3azvemVMoJEPwjbVUZZwfLlxBQbwX4C2Kdihrn/r+AkeYiLej
Q+1pdnXz9Hwj3SM+uZWpu8f7kbczSWsuQmSV4gparNkOTjk5TwJvyrS3z+DQW674
FdfkrYmxqiiaELhsMPhRyjKce5HA2ol1GsnJ0IJCPjJc2o40IiL1AL552eA=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=PayPal Production/CN=api-3t.sandbox.paypal.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
---
SSL handshake has read 3524 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 9E01CD86FA9CB07DAD505F17E34C099B2E4C8B85126C68DCF2946F8859FF6435
Session-ID-ctx:
Master-Key: 4BF94BD3EBEE701226ABD3B2344F6B325F21218761D755B02EA6B00FE90866396A9A317A59729D166A1B970AD8D3903B
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1455312915
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
这是我的设置截图:
最佳答案
如果您打算使用 OpenSSL 库开发您的应用程序,而不是使用内置于 Win Server 操作系统中的信任库 (因为操作系统中的默认信任库可能并不总是最新的),有一个替代方案可以从 Curl 项目 HERE 构建信任库(Curl 提供了来自 Mozilla 的隐私增强邮件 (PEM) 格式的定期更新转换,您可以直接使用它,并且包含 G5-G4-G3 根证书的 Verisign Root 包也包含在这种情况下)
检查您的 OpenSSL 的几个步骤,
检查 OpenSSL 证书包的存储位置,运行
openssl version -a,它会报告使用的目录:OpenSSL 1.0.2e 3 Dec 2015 built on: reproducible build, date unspecified platform: Cygwin-x86_64 options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) ... OPENSSLDIR: "/usr/ssl"检查
OPENSSLDIR: "/usr/ssl"目录并在该目录下查找certs目录
您还可以在此处检查版本以确保安装了 1.0.1e 或更高版本以支持 TLSv1.2,这是 PayPal API 端点升级要求的另一部分
- 将
tls-ca-bundle.pem替换为您从 Curl 项目(Mozilla 证书包)下载的内容
关于amazon-web-services - 使用 VeriSign G5 连接到 SSL 的问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35367114/