如何修复 x509:无法验证 <ip> 的证书,因为它不包含任何 IP SAN
我正在使用 go http 客户端连接到具有自签名证书的物联网设备。我已经有了
TLSClientConfig: &tls.Config{
RootCAs: certPool,
Certificates: []tls.Certificate{tlsClientCert},
InsecureSkipVerify: true,
},
尽管如此,尽管InsecureSkipVerify=truego 仍然尝试验证证书:
x509: cannot validate certificate for <ip> because it doesn't contain any IP SANs
由于我无法更改设备上的证书 - 我可以修改 TLS 客户端配置的哪一部分来接受它?
更新
可以针对设备运行https://github.com/jbardin/gotlsscan/blob/master/main.go来重现 go 错误:
Testing TLS1.2
...
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA [NOT SUPPORTED]
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED] x509: cannot validate certificate for 192.168.1.145 because it doesn't contain any IP SANs
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [NOT SUPPORTED]
...
这是 openssl 运行时所说的内容openssl s_client -connect <ip:port>:
CONNECTED(00000003)
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, O = Bebro, OU = ULK High GEN 1, CN = ICCPD...
verify return:1
4460842604:error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
4460842604:error:1401E0E5:SSL routines:CONNECT_CR_FINISHED:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:585:
---
Certificate chain
0 s:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
i:/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
Server certificate
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
subject=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
issuer=/C=DE/O=Bebro/OU=ULK High GEN 1/CN=ICCPD...
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 969 bytes and written 178 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-SHA256
Session-ID: 9C7D...
Session-ID-ctx:
Master-Key: AC9E...
Start Time: 1600892515
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
更新我正在运行最新的 go 1.15.2
小智 1
这可能有效,
证书中有一个名为“SAN”的字段,我们需要在此 SAN 列表中添加“主机名”。
添加后,应使用“ServerName”字段在 TLS 配置中添加相同的名称。配置完成后这个问题就解决了。在 SANS 属性中,我添加了“test.com”,因此我配置了 TLS,如下所示,
ServerName: "test.com",
RootCAs: pool,
Certificates: []tls.Certificate{clientCert},
MinVersion: tls.VersionTLS12,
由于您使用的证书可能不包含任何 SAN,因此会发生此错误。我还在探索中,如果大家对此有什么意见,请留言。