Lor*_*ory 3 email certificate ssl smtp openssl
我正在尝试连接到安装了 RapidSSL 256 位证书的 Windows 2012 R2 服务器上的服务器 SMTP。我需要测试 SMTP 服务器是否可以向我们的一位似乎有证书问题的客户发送电子邮件。他们告诉我我的证书不支持新的 SHA256 加密,但这是错误的。这是我启动的命令:
openssl s_client -starttls smtp -connect www.omniservice2.it:25 -crlf
我明白了:
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=www.omniservice2.it
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=www.omniservice2.it
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 3697 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
Start Time: 1487243991
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 OK
然后我去:
HELO
AUTH LOGIN
然后我输入以 base64 编码的用户名/密码。凭据是正确的,它们是正常的 Windows 身份验证用户名/密码,我们所有的 .NET 应用程序都正确使用它们来访问 SMTP 服务器。因此,以 base64 编码的凭据肯定是正确的,但是在输入它们后,系统提示我完成并关闭连接并且 shell 返回。这是什么意思?
这是我的命令序列:
>HELO
250 www.omniservice2.it Hello [37.159.171.6]
>AUTH LOGIN
>334 VNXlcm5hbWU6
(my Windows username encoded in base64)
>334 UGFzc3dvcmQ6
(my Windows password encoded in base 64)
>DONE
>prompt returned here
如果在 HELO 之后,我发送一个STARTTLS命令,它会告诉我有一个已经启动的 TLS 会话。如前所述,我真的需要直接连接并测试该 SMTP 服务器,并发现它为什么无法向该唯一客户发送电子邮件。我的证书可能有什么问题?
更新
这是我尝试使用 PLAIN 身份验证模式的方法,使用 telnet 和 openssl:
telnet www.omniservice2.it 25
Trying 94.177.162.33...
Connected to www.omniservice2.it.
Escape character is '^]'.
220 www.omniservice2.it Microsoft ESMTP MAIL Service, Version: 8.5.9600.16384 ready at Thu, 16 Feb 2017 16:28:00 +0100
EHLO www.omniservice2.it
250-www.omniservice2.it Hello [37.159.171.6]
250-TURN
250-SIZE 4194304
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK
STARTTLS
220 2.0.0 SMTP server ready
AUTH PLAIN
Connection closed by foreign host.
MacBook-Pro-di-lorenzo:~ lory$ openssl s_client -starttls smtp -connect www.omniservice2.it:25 -crlf
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=www.omniservice2.it
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=www.omniservice2.it
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
---
SSL handshake has read 3697 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: B61C00007D21763C94DBF1394AEC1B84768F4DAED89FC3BEC2E74A0321090A71
Session-ID-ctx:
Master-Key: 829BFD1853358B1471837EDEAD068905D9652E7A33121BF6186BBC971F20DB5FBEC0658464DAC6040DD5FD9ACB3BA4AA
Key-Arg : None
Start Time: 1487258920
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 OK
AUTH PLAIN
504 5.7.4 Unrecognized authentication type
小智 5
在发现openssl s_client 将密码开头的Q 字符解释为“退出”命令并关闭连接之前,我对这个问题苦苦思索了好几天。
如果您的密码在 base64 编码时以 Q 开头,则将其-quiet作为开关传递给 openssl s_client 命令,它将停止关闭连接。
| 归档时间: |
|
| 查看次数: |
1430 次 |
| 最近记录: |