如何解决自 38 版以来出现的 Firefox 中的“安全连接失败”？

Question

由于我将 Firefox 升级到版本 38，我在网站https://usercenter.checkpoint.com/上发送某个表单时遇到问题，大多数网站正常运行，但在打开支持票时发送表单（以下日志中的 URL） ) 导致 Firefox TLS 协商失败。Firefox 的错误页面几乎没有解释：

安全连接失败

加载页面时，与服务器的连接已重置。

• 由于无法验证接收到的数据的真实性，因此无法显示您尝试查看的页面。
• 请联系网站所有者以告知他们此问题。

报告这个错误

报告 usercenter.checkpoint.com 的地址和证书信息将有助于我们识别和阻止恶意站点。感谢您帮助创建更安全的网络！

将来自动报告错误 了解更多...

在Web 开发人员控制台中，我只看到以下内容：

19:58:44.470 This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.1 AjaxCall
19:58:44.589 POST https://usercenter.checkpoint.com/usercenter/portal/js_pane/supportId,CreateServiceRequestId [178ms]

第一行只是警告，将来将不支持 SHA-1。我是否必须打开某些东西才能查看 TLS 失败的原因？来自控制台的 TLS 和证书信息如下：

我看不出有什么问题。出于绝望，我尝试使用 TLS 参数about:config但没有成功：

security.tls.insecure_fallback_hosts
security.tls.unrestricted_rc4_fallback
security.tls.version.fallback-limit
security.tls.version.max
security.tls.version.min

Qualy SSL 测试没有显示任何完全错误：https ://www.ssllabs.com/ssltest/analyze.html?d=usercenter.checkpoint.com

Red Hat 知识库中有一篇很有前途的文章：Firefox 38 和 SSL/TLS 服务器，它们不支持 TLS 版本，但该解决方案仅适用于付费客户。

我还检查了 Firefox 38 的站点兼容性。

问题

• 如何排除 TLS 失败的原因？
• 在 Firefox 中，是否还有其他用户可配置的白名单，我可以在其中尝试添加失败网站的地址？
• 控制台显示POST请求usercenter.checkpoint.com与前一次成功通信发送到同一台主机时，仅在发送某种表单后才出现失败的原因可能是什么？

Answer 1

\n

如何解决Firefox 38版本以来出现的\xe2\x80\x9c安全连接失败\xe2\x80\x9d问题？

\n

\n\n

使用openssl s_client。这是一把瑞士军刀，适合做这样的事情。并用于openssl x509转储证书。

\n\n

您通常对{Issuer, Subject}链中的对感兴趣，如下所示：

\n\n

Certificate chain\n 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com\n   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\n 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\n   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority\n

\n\n

请注意服务器上的颁发者如何成为下一个更高级别证书的主题。古特曼在他的《工程安全》一书中提供了下图来描述它：

\n\n

\n\n

在顶部，CA根是自签名的，并且问题和主题是相同的。如果有3级的话，那就是：

\n\n

 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority\n   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority\n

\n\n

但你通常不会在链中看到它，因为你必须信任它。信任锚的部分要求是您已经拥有它以确保其不被篡改。

\n\n\n\n

使用主题和发行者名称就是利用所谓的可分辨名称。形成链的另一种方法是使用KEYIDs。有时您会通过主题密钥标识符(SKI) 和授权密钥标识符(AKI)看到它。密钥标识符只是摘要公钥的指纹。

\n\n

您可以在RFC 4514等标准中找到有关可分辨名称的内容；并在RFC 4518等标准中使用KEYID，该标准涉及路径构建。

\n\n\n\n

看来问题出在浏览器上（但见下文）。看起来好像缺少Class 3 Public Primary Certification Authority指纹a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b。

\n\n

当我访问Symantec Root Certifcates并下载Class 3 Public Primary Certification Authority时，我可以构建一条验证路径（请注意Verify return code: 0 (ok)下面的内容）。

\n\n

您应该下载并安装Class 3 Public Primary Certification Authority在浏览器的受信任根存储中。或者确定为什么浏览器不使用它来构建路径（参见下文）。

\n\n

Class 3 Public Primary Certification AuthorityMozilla 和 Firefox在博客文章中讨论：逐步淘汰带有 1024 位 RSA 密钥的证书。根据该帖子，他们自 Firefox 32 起就已弃用该 CA 证书。我并没有真正责怪他们，因为这些密钥长期用于 CA 签名操作，并且它们需要“更强”的参数，因为它们必须存活 10 到 30年（字面意思）。

\n\n

Checkpoint 需要获取在具有当代参数的证书（链）下颁发的新服务器证书，例如具有 4096 位 RSA 模数和 SHA-256 的 CA。或者具有 2048 位 RSA 模数和 SHA-256 的从属 CA...

\n\n

（另请参阅下面对我不起作用的内容）。

\n\n\n\n

以下是使用 OpenSSL向 3 类公共主要证书颁发机构s_client验证服务器证书的示例：

\n\n

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \\\n    -servername usercenter.checkpoint.com -CAfile Class-3-Public-Primary-Certification-Authority.pem \nCONNECTED(00000003)\ndepth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority\nverify return:1\ndepth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5\nverify return:1\ndepth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3\nverify return:1\ndepth=0 C = US, ST = California, L = San Carlos, O = Check Point Software Technologies Inc., OU = MIS-US, CN = usercenter.checkpoint.com\nverify return:1\n---\nCertificate chain\n 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com\n   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\n 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\n   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority\n---\nServer certificate\n-----BEGIN CERTIFICATE-----\nMIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB\ntTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\nExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug\nYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm\nVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx\nMDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT\nCkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr\nIFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt\nVVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg\nqZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D\ngk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj\nvG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94\njtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc\nGIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ\nMIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud\nEwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF\nBQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0\ncHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d\nIKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz\nLWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow\naDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF\nBzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj\ndXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0\nifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t\nhvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W\noa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF\nAq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo\nyt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO\n-----END CERTIFICATE-----\nsubject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com\nissuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n---\nNo client certificate CA names sent\n---\nSSL handshake has read 4310 bytes and written 600 bytes\n---\nNew, TLSv1/SSLv3, Cipher is AES128-SHA\nServer public key is 2048 bit\nSecure Renegotiation IS supported\nCompression: NONE\nExpansion: NONE\nNo ALPN negotiated\nSSL-Session:\n    Protocol  : TLSv1\n    Cipher    : AES128-SHA\n    Session-ID: 141BB5DD85FA61CC85E5C8368DED9EB9C7C6427D7F655F8DD778EEB003F9EBE7\n    Session-ID-ctx: \n    Master-Key: 84261799D242992FE44D48F39F1A10CFCE5BE60E1A900CC3E6BFFD368DAB68A439287C81DC9510871963EF8E3366FFE3\n    Key-Arg   : None\n    PSK identity: None\n    PSK identity hint: None\n    SRP username: None\n    Start Time: 1432323605\n    Timeout   : 7200 (sec)\n    Verify return code: 0 (ok)\n

\n\n\n\n

之前我说过“在顶部，CA 根是自签名的，问题和主题是相同的”。这是自签名 CA 根的转储，其中主题和颁发者相同。它还显示了 1024 位模数和 sha1WithRSAEncryption。

\n\n

$ openssl x509 -in Class-3-Public-Primary-Certification-Authority.pem -inform PEM -text -noout\nCertificate:\n    Data:\n        Version: 1 (0x0)\n        Serial Number:\n            3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be\n    Signature Algorithm: sha1WithRSAEncryption\n        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority\n        Validity\n            Not Before: Jan 29 00:00:00 1996 GMT\n            Not After : Aug  2 23:59:59 2028 GMT\n        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority\n        Subject Public Key Info:\n            Public Key Algorithm: rsaEncryption\n                Public-Key: (1024 bit)\n                Modulus:\n                    00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:\n                    db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:\n                    11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:\n                    1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:\n                    63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:\n                    42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:\n                    5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:\n                    e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:\n                    71:64:4c:65:2e:81:68:45:a7\n                Exponent: 65537 (0x10001)\n    Signature Algorithm: sha1WithRSAEncryption\n         10:72:52:a9:05:14:19:32:08:41:f0:c5:6b:0a:cc:7e:0f:21:\n         19:cd:e4:67:dc:5f:a9:1b:e6:ca:e8:73:9d:22:d8:98:6e:73:\n         03:61:91:c5:7c:b0:45:40:6e:44:9d:8d:b0:b1:96:74:61:2d:\n         0d:a9:45:d2:a4:92:2a:d6:9a:75:97:6e:3f:53:fd:45:99:60:\n         1d:a8:2b:4c:f9:5e:a7:09:d8:75:30:d7:d2:65:60:3d:67:d6:\n         48:55:75:69:3f:91:f5:48:0b:47:69:22:69:82:96:be:c9:c8:\n         38:86:4a:7a:2c:73:19:48:69:4e:6b:7c:65:bf:0f:fc:70:ce:\n         88:90\n

\n\n\n\n

之前我说过“Checkpoint 需要获得在具有当代参数的证书（链）下颁发的新服务器证书，例如具有 4096 位 RSA 模数和 SHA-256 的 CA。或者具有 2048 位 RSA 模数和 SHA-256 的从属 CA SHA-256...”。

\n\n

以下是对我不起作用的方法VeriSign Class 3 Public Primary Certification Authority - G5：在更强的从属 CA 中建立或锚定信任，而不是在较弱的 1024 位根 CA 中。

\n\n

编辑：这是由于 OpenSSL 1.0.2a 及更低版本中的错误造成的。它已在 OpenSSL 1.0.2b 中修复。请参阅当链中的从属提升为自签名根时验证的预期行为？

\n\n

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \\\n    -servername usercenter.checkpoint.com -CAfile VeriSign-Class-3-Public-Primary-Certification-Authority-G5.pem \nCONNECTED(00000003)\ndepth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5\nverify error:num=20:unable to get local issuer certificate\n---\nCertificate chain\n 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com\n   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\n 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\n   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority\n---\nServer certificate\n-----BEGIN CERTIFICATE-----\nMIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB\ntTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\nExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug\nYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm\nVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx\nMDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT\nCkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr\nIFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt\nVVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg\nqZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D\ngk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj\nvG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94\njtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc\nGIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ\nMIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud\nEwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF\nBQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0\ncHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d\nIKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz\nLWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow\naDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF\nBzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj\ndXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0\nifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t\nhvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W\noa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF\nAq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo\nyt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO\n-----END CERTIFICATE-----\nsubject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com\nissuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n---\nNo client certificate CA names sent\n---\nSSL handshake has read 4310 bytes and written 600 bytes\n---\nNew, TLSv1/SSLv3, Cipher is AES128-SHA\nServer public key is 2048 bit\nSecure Renegotiation IS supported\nCompression: NONE\nExpansion: NONE\nNo ALPN negotiated\nSSL-Session:\n    Protocol  : TLSv1\n    Cipher    : AES128-SHA\n    Session-ID: 736B3105DB22F2AB0F5D42C8161A8A132BF1E7C37464BB2F0D00058B867332EB\n    Session-ID-ctx: \n    Master-Key: BDD5D4951E3FD01C3C456D475EAE6D0D5CE53FBF75B4F6F3D4D186A27B566D75056057D5395F35AE3BA8D20A669212C2\n    Key-Arg   : None\n    PSK identity: None\n    PSK identity hint: None\n    SRP username: None\n    Start Time: 1432324811\n    Timeout   : 7200 (sec)\n    Verify return code: 20 (unable to get local issuer certificate)\n---\n

\n\n

实际问题是赛门铁克重新颁发了具有相同名称和相同公钥的证书，因此可分辨名称、主题密钥标识符和授权密钥标识符 没有改变；但仅更改序列号。

\n\n

由于链中发送的证书与从赛门铁克网站下载的证书之间的序列号不同，我能够在下面发现它。然后很明显，重新颁发的证书已从从属 CA 更改为根 CA。

\n\n\n\n

您可以-showcerts与 OpenSSL 一起使用s_client来查看链中的证书：

\n\n

$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \\\n    -servername usercenter.checkpoint.com -showcerts\nCONNECTED(00000003)\n...\n---\nCertificate chain\n 0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com\n   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n-----BEGIN CERTIFICATE-----\nMIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB\ntTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\nExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug\nYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm\nVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx\nMDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT\nCkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr\nIFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt\nVVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg\nqZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D\ngk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj\nvG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94\njtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc\nGIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ\nMIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud\nEwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF\nBQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0\ncHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d\nIKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz\nLWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow\naDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF\nBzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj\ndXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0\nifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t\nhvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W\noa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF\nAq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo\nyt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO\n-----END CERTIFICATE-----\n 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3\n   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5\n-----BEGIN CERTIFICATE-----\nMIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB\nyjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\nExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\nU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\nZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\naG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL\nMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\nZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg\naHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy\naVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3\nDQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG\n5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8\nf0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK\ntpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo\nGLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV\nM5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB\n2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz\naWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4\nRQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw\nczAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG\nA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu\nY3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp\nbWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNo\