OpenSSL shows a different server certificate while the browser shows the correct one

dmn*_*dmn 6 linux openssl nginx ssl-certificate

I am using openssl s_client -showcerts -connect test.abc.com:443 -state -debug to check the server certificate. The server is running nginx. But when I make the request with openssl as above, the server certificate is shown as *.xyz.com. I would like to know where openssl is getting this as the server certificate. The OS is Linux. I checked in /etc/pki/tls, but the certificate openssl reads is not the server certificate there. And the nginx configuration points to the correct certificate for abc.com. Also, if I access it with a browser, the correct certificate is shown. This only happens with openssl. :(

Dsy*_*yko 5

openssl has an issue with SNI; try the following command:

openssl s_client -showcerts -connect www.example.com:443 -servername www.example.com </dev/null

According to this article, adding -servername should clear it up.
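
What -servername changes is a single field in the first TLS message: the server_name (SNI) extension of the ClientHello. A name-based virtual host such as nginx reads that field before it picks a certificate, and a ClientHello without it is answered with whatever the default server block is configured with. The block below is an added example, not code from the original question or answer and not part of OpenSSL or nginx: it builds a minimal ClientHello with and without the extension, parses the SNI back out the way a server would, and wraps Python's ssl module so the same probe can be made against a live host. The function names and the choice of cipher suites and groups are the example's own assumptions; test.abc.com is the host from the question.

```python
"""Show what `-servername` puts on the wire: the TLS server_name (SNI) extension.

Added example, not code from the original post. A server that hosts several
certificates picks the one for the name carried in the ClientHello's SNI
extension; a ClientHello without it gets the default server's certificate,
which is why a bare `openssl s_client -connect` can show *.xyz.com while a
browser (which always sends SNI) shows the right certificate.
"""
import os
import socket
import ssl
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000       # RFC 6066 server_name
EXT_SUPPORTED_GROUPS = 0x000A  # RFC 8422 supported_groups (present only so the parser must skip it)


def _ext(ext_type: int, data: bytes) -> bytes:
    """One TLS extension: type (2 bytes), length (2 bytes), payload."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record; the SNI extension is added only if server_name is given."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"          # client_version, random, empty session_id
    suites = b"\xc0\x2f\xc0\x2b\x00\x2f"                   # ECDHE-RSA-AES128-GCM, ECDHE-ECDSA-AES128-GCM, AES128-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    exts = _ext(EXT_SUPPORTED_GROUPS, b"\x00\x04\x00\x1d\x00\x17")  # x25519, secp256r1
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer: handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None when no SNI was sent.

    This is the lookup a name-based virtual host (nginx `server_name`) performs
    before it decides which certificate to present.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos >= len(body):
        return None                                         # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if name_type == 0:                              # host_name
                return name.decode("ascii")
    return None


def presented_subject(host: str, port: int = 443, servername: Optional[str] = None,
                      cafile: Optional[str] = None) -> dict:
    """Python equivalent of `openssl s_client -connect host:port [-servername X] [-CAfile F]`.

    Returns the subject and SANs of the certificate the server chose. The chain is
    verified (pass cafile for a private CA) but the hostname is deliberately not
    checked, because the point is to see a mismatch rather than fail on it.
    Makes a network connection; not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False                 # verify_mode stays CERT_REQUIRED so getpeercert() is populated
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:  # servername=None => no SNI sent
            cert = tls.getpeercert()
    return {"subject": cert.get("subject"), "subjectAltName": cert.get("subjectAltName")}


if __name__ == "__main__":
    for name in ("test.abc.com", None):
        hello = build_client_hello(name)
        print(f"-servername {name!r}: {len(hello)} bytes, SNI on the wire = {extract_sni(hello)!r}")
```

Running the block shows the only difference between the two hellos is the presence of the server_name extension; presented_subject("test.abc.com") versus presented_subject("test.abc.com", servername="test.abc.com") is the same comparison made against a live host, and the first call is expected to return the default server's certificate on an nginx that relies on SNI to select server blocks.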


jww*_*jww 4

The server is issuing a permanent redirect to ethornetworks.com. To see it, first issue the s_client command:

$ openssl s_client -CAfile AddTrustExternalCARoot.crt -connect apitest.ethormapp.com:443
CONNECTED(00000003)
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=3 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN - DATACorp SGC
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = EssentialSSL Wildcard, CN = *.ethornetworks.com
verify return:1
...

At the very bottom, after you get the verify result, enter the command GET / HTTP/1.0 and press RETURN twice:

    ...
    Start Time: 1390985154
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0

HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.4
Date: Wed, 29 Jan 2014 08:46:01 GMT
Content-Type: text/html
Content-Length: 184
Connection: close
Location: https://www.ethornetworks.com/

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.4.4</center>
</body>
</html>
closed
$ 

If you follow the redirect, then you get the expected result:

$ openssl s_client -CAfile AddTrustExternalCARoot.crt -connect www.ethornetworks.com:443
CONNECTED(00000003)
depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL Wildcard/CN=*.ethornetworks.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
...

Finally, you can use the AddTrust External CA Root to ensure the chain verifies as expected. Without it and the -CAfile option, s_client will report 19 (self signed certificate in certificate chain).