在 Windows 上使用 SSL 支持构建我自己的 eventmachine/thin 后 ( Install OpenSSL with Ruby for eventmachine on Windows 7 x86 ) 我遇到了另一个 SSL 证书问题:当我使用内置自签名的 thin 时工作正常但它不响应任何请求使用企业证书
这里是我获取证书的路径:
- 我用 puttygen (ssl-private.key) 生成了私钥
- 我使用以下命令生成了 CSR:
openssl req -out ssl.csr -key ssl-private.key -new
- 我向 CA 发送了 CSR 并收到了 P7B 文件
- 我使用以下命令转换了 P7B:
openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt
这里会出什么问题?
我检查了什么:
openssl rsa -in ssl-private.key -check
说“RSA key 确定”
openssl x509 -in cert.crt -text -noout
说
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
***
Signature Algorithm: sha1WithRSAEncryption
Issuer: ***
Validity
Not Before: Feb 16 08:47:25 2004 GMT
Not After : Feb 16 08:55:36 2024 GMT
Subject: ***
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
***
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
***
同时对使用创建的自签名证书进行相同的检查
openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
说
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
***
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Validity
Not Before: Jun 24 14:42:07 2015 GMT
Not After : Jun 23 14:42:07 2016 GMT
Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
***
确定一些更改:我更改了 crt 文件中的证书顺序,因此最终证书不是最后一个而是第一个,结果不同:chrome 删除了 NET::ERR_CERT_INVALID 错误,IE 类似并且两者都没有进一步导航
openssl s_client 输出(看起来不错,*** Root CA 1 在 Windows 中受信任):
Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=***/ST=***/O=***/CN=***.com
i:/DC=com/DC=***/CN=*** Enterprise CA 1
1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: ***
Session-ID-ctx:
Master-Key: ***
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket: ***
Start Time: 1435319943
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
我做了一个简单的 https 服务器(lib/emtestssl):
require 'rubygems'
require 'bundler/setup'
Bundler.require
class ServerHandler < EM::Connection
def post_init
puts "post_init"
start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
end
def receive_data(data)
puts "Received data in server: #{data}"
send_data("HTTP/1.1 200 OK\n\nHello world!")
close_connection_after_writing
end
end
EventMachine.run do
puts 'Starting server...'
EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end
它在没有 tls 的情况下工作正常,使用 tls 浏览器将不允许连接 :(
根据 http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify私钥和证书确实匹配
最佳答案
看起来(修补的)eventmachine 完全没问题:我已经从现有服务器获取 key /证书对并且(在浏览器发出 url 不匹配警告后)它工作正常
比较证书后,我的 CA 似乎失败了,并给我带来了一个属性错误的证书:工作的一个被描述为服务器身份验证 (1.3.6.1.5.5.7.3.1),而失败的一个是客户端身份验证 (1.3. 6.1.5.5.7.3.2)
我将发布另一个 csr 并向他们收取损失的一天...:/
也许一个重要的发现是证书文件中的证书顺序:必须从最终证书到链末端的根证书
关于ruby-on-rails - Windows 上的 thin rails server/eventmachine 不适用于自定义证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/31059658/