openssl -connect返回错误的证书 [英] openssl -connect returns wrong certificate

问题描述

这是我的问题. 我在一台apache网络服务器上托管了多个域. (虚拟主机) 其中两个(a.com和b.com)使用ssl证书. 我用以下命令配置了这两个命令:

Here is my problem. I have multiple domains hosted on one apache webserver. (Virtual Hosts) Two of them (a.com and b.com) use ssl certificates. I configured both with these commands:

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/ABC.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ABC.key
    SSLCertificateChainFile /etc/apache2/ssl/ABC.chain.crt
    SSLProtocol             all -SSLv2

当我尝试通过浏览器(Chrome，Firefox，IE)连接时，它可以正常工作，并且我获得了正确的证书. 但是在android上，我遇到了一个例外:没有对等证书

When i try to connect via browser (chrome, Firefox, IE) it works fine and i get the right certificate. But on android i got an exception: No peer certificate

然后我尝试使用以下命令对其进行测试:

Then i tried to test it with this command:

    openssl s_client -connect b.com:443

它向我返回a.com的证书. 有什么建议我做错了我使用openssl和android获得了错误的证书吗?

It returns me the certificate of the a.com. Any suggestions what I've done wrong that i get the wrong certificate with openssl and android?

推荐答案

同一IP地址上可能有多个主机，您需要使用服务器名称指示(SNI)来访问此站点.对于具有openssl s_client的SNI，请使用-servername选项，例如openssl s_client -connect b.com:443 -servername a.com.对于android:根据 https://developer.android.com/training/articles/security-ssl. html 从2.3开始，HttpsURLConnection支持SNI，但Apache HTTP Client不支持.

There are probably multiple hosts on the same IP address and you need to use Server Name Indication (SNI) to access this site. To you SNI with openssl s_client use the -servername option, e.g. openssl s_client -connect b.com:443 -servername a.com. As for android: according to https://developer.android.com/training/articles/security-ssl.html SNI is supported since 2.3 for HttpsURLConnection but not for Apache HTTP Client.

这篇关于openssl -connect返回错误的证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！