那些遇到过的问题

连接到gateway.sandbox.push.apple.com时,"验证错误:num = 20"

Jef*_*688 62 ssl openssl apple-push-notifications

我试图在iOS 6教程:第1/2部分中运行Apple推送通知服务中的Ray Wenderlich教程.

我在本地目录中创建了AppID和SSL证书以及密钥和PEM文件.之后,我到了测试证书是否有效的步骤,我从这个本地目录调用了以下命令:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 
-cert PushChatCert.pem -key PushChatKey.pem
Run Code Online (Sandbox Code Playgroud)

这产生了很多输出.在输出的中间是以下内容:

verify error:num=20:unable to get local issuer certificate
verify return:0
Run Code Online (Sandbox Code Playgroud)

这是一个错误,还是一个错误的测试?如果是错误,原因是什么或者您建议解决什么?

这是完整的输出(减去证书数据):

Enter pass phrase for PushChatKey.pem:    
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----

<Long string of data removed>

-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2731 bytes and written 2215 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: <removed>
    Key-Arg   : None
    Start Time: 1398633302
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Run Code Online (Sandbox Code Playgroud)

本教程继续说"如果连接成功,您应该能够键入几个字符.当您按Enter键时,服务器应该断开连接." 我能够做到这一点,服务器断开连接.

但是教程继续说你可能需要查看输出才能找到错误.因此这个问题的原因.

jww*_*jww 91 

This produced a lot of output. In the middle of the output was the following:

verify error:num=20:unable to get local issuer certificate
verify return:0
Run Code Online (Sandbox Code Playgroud)

您缺少根证书,应使用-CAfile或指定-CApath.

但是,修复根证书问题后,您可能会遇到握手警报.我相信它是由我没有的一个客户证书问题(因此你可能没有经历过).下面,0x14094410是OpenSSL错误,SSL错误(来自TLS协议)很简单SSL alert number 40.警报40是握手警报,并且没有其他信息.

第一

确定您需要的根:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140067272132264:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140067272132264:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
Run Code Online (Sandbox Code Playgroud)

所以你需要Entrust.net Certification Authority(2048).您可以从Entrust Root Certificates下载它.它的名字entrust_2048_ca.cer和它似乎是PEM格式.

第二

现在,openssl s_client再次运行,但这一次-CAfile entrust_2048_ca.cer.注意它完成了一个Verify return code: 0 (ok):

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer 
CONNECTED(00000003)
depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify return:1
depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.sandbox.push.apple.com
verify return:1
140642906502824:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140642906502824:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGzCCBAOgAwIBAgIETBz90jANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMjA1MjUyMzM3NDZaFw0xNDA1MzEw
NTA4NDhaMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQKEwpBcHBsZSBJbmMuMRkwFwYDVQQLExBp
VE1TIEVuZ2luZWVyaW5nMScwJQYDVQQDEx5nYXRld2F5LnNhbmRib3gucHVzaC5h
cHBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/r1z4BRFu
DIU9/vOboVmd7OwaPPLRtcZiZLWxSyG/6KeRPpaeaC6DScvSDRoJuIeTDBup0bg4
08K0Gzh+lfKRlJOC2sma5Wgvk7oP4sty83My3YCZQv4QvgDhx+seONNs6XiA8Cl4
ingDymWGlzb0sTdfBIE/nWiEOtXQZcg6GKePOWXKSYgWyi/08538UihKK4JZIOL2
eIeBwjEwlaXFFpMlStc36uS/8oy+KMjwvuu3HazNMidvbGK2Z68rBnqnOAaDBtuT
K7rwAa5+i8GYY+sJA0DywMViZxgG/xWWyr4DvhtpHfUjyQgg1ixM8q651LNgdRVf
4sB0PfANitq7AgMBAAGjggFZMIIBVTALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwu
ZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZQYIKwYBBQUHAQEEWTBXMCMGCCsGAQUF
BzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBggrBgEFBQcwAoYkaHR0cDov
L2FpYS5lbnRydXN0Lm5ldC9sMWMtY2hhaW4uY2VyMEAGA1UdIAQ5MDcwNQYJKoZI
hvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBh
MB8GA1UdIwQYMBaAFB7xq4kG+EkPATN37hR67hl8kyhNMB0GA1UdDgQWBBSgNiNR
qtTShi8PuJ7UNUEbeE71STAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQAS
EDkUyBHVdRJnCLHY8w9ec92NWqBYqKiSGP0uVCvgpsJIWDBkCGIw1Olks6mQuS9+
R7VRJJFg7EhtufmoRIvjgntKpTe49sB/lrmiZVQGnhjd6YdyYm9+OBUWRvwketLM
v0S+nxZD0qLLJ9foVUB8zP8LtutqFJ5IZw1xb9eSNzhpKkQ9ylj8MCd4tpXZxICL
Gt327poTXwmjQ+31fz7HCQCowMHccP8kiKM5SeYC9q+nkmdaozHVvw4e1RsP+EWO
vPtcH1x1BCkTJajmrO7JuRPLuBEnZGSPUVFRKWP9jy0a28VnJek+oA7rRMRD8irU
fMGbLqkGn8YogdPqe5T1
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2683 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: A2F375CC440179ADF831179C32A35AF4...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1398721005
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Run Code Online (Sandbox Code Playgroud)

第三

这是一种旧的做事方式,当SSLv3仍然流行时.也就是说,POODLE攻击未知:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer
Run Code Online (Sandbox Code Playgroud)

您应该切换到TLS 1.0或更高版本并使用服务器名称指示(SNI).SNI是SSL中不存在的TLS功能.您可能需要在2016年强制使用TLS 1.2; 你可以这样做-tls1_2.

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
  -tls1 -servername gateway.sandbox.push.apple.com -CAfile entrust_2048_ca.cer
Run Code Online (Sandbox Code Playgroud)

以下是其他评论和答案的信息.为方便起见,我正在收集它们.您应该适当地对评论或答案进行投票.

客户证书

Korbbit在下面提供了更多信息.它解决了我所做的声明,"警报握手失败......我认为它是由我没有的客户证书问题".您应该为Korbbit提供反馈,如果它对您有帮助:

如果再看一下教程,你打算输入...
-cert PushChatCert.pem -key PushChatKey.pem

通过Korbbit的反馈,答案变为:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
  -tls1 -servername gateway.sandbox.push.apple.com \
  -cert PushChatCert.pem -key PushChatKey.pem -CAfile entrust_2048_ca.cer
Run Code Online (Sandbox Code Playgroud)

ca-certificates包和-CApath

来自Timur Bakeyev,Entrust.net是一个着名的根证书颁发机构,因此它的证书来自通用的CA证书包(ca-certificates在Debian中).它通常安装在/etc/ssl/certs目录中,或者可以通过-CApath /etc/ssl/certs/选项引用.

您可以使用以下-CApath代替-CAfile.

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CApath /etc/ssl/certs/
Run Code Online (Sandbox Code Playgroud)

  • 如果根证书在OS的信任库中,`-CApath/etc/ssl/certs`也可以工作. (3认同)

归档时间:

查看次数:

81112 次

最近记录:

9 年,4 月 前
相关归档
使用OpenSSL测试SSL/TLS客户端身份验证 16
在Windows上安装Ruby gem时出现"certificate verify failed"错误 15
关于openssl中的TLS 1.2支持 7
是否有支持 TLS 的 Perl IMAP 模块? 5
PHP致命错误:未捕获的CurlException:Facebook应用程序上的28和35 5
Cloud SQL 上的证书验证 5
Android 中的 SSL 客户端身份验证 4
使用Scala Dispatch Library禁用SSL 4
如何为AWS负载均衡器生成证书链? 4
是否可以使用pyOpenSSL设置subjectAltName? 3
难疑归档
如何在C#中枚举枚举? 3620
如何克隆或复制列表? 2289
如何在jQuery中选择具有多个类的元素? 1985
使用jQuery获取当前URL? 1761
JavaScript中==和===之间的区别 1592
如何让ASP.NET Web API使用Chrome返回JSON而不是XML? 1220
在React JSX中循环 1131
同步检查Node.js中是否存在文件/目录 1113
什么是在Vim中评论/取消注释行的快速方法? 1081
如何在Ruby中将字符串转换为小写或大写 1081