OpenSSL: unable to verify the first certificate for Experian URL


Question

I am trying to verify an SSL connection to Experian in Ubuntu 10.10 with OpenSSL client.

openssl s_client -CApath /etc/ssl/certs/ -connect dm1.experian.com:443

The problem is that the connection closes with a Verify return code: 21 (unable to verify the first certificate).

I've checked the certificate list, and the Certificate used to sign Experian (VeriSign Class 3 Secure Server CA - G3) is included in the list.

/etc/ssl/certs/ca-certificates.crt 

Yet I don't know why it is not able to verify the first certificate. Thanks in advance.

The entire response could be seen here: https://gist.github.com/1248790

Answer

The first error message is telling you more about the problem:

verify error:num=20:unable to get local issuer certificate

The issuing certificate authority of the end entity server certificate is

VeriSign Class 3 Secure Server CA - G3

Look closely in your CA file - you will not find this certificate since it is an intermediary CA - what you found was a similar-named G3 Public Primary CA of VeriSign.

But why does the other connection succeed, but this one doesn't? The problem is a misconfiguration of the servers (see for yourself using the -debug option). The "good" server sends the entire certificate chain during the handshake, therefore providing you with the necessary intermediate certificates.

But the server that is failing sends you only the end entity certificate, and OpenSSL is not capable of downloading the missing intermediate certificate "on the fly" (which would be possible by interpreting the Authority Information Access extension). Therefore your attempt fails using s_client but it would succeed nevertheless if you browse to the same URL using e.g. Firefox (which does support the "certificate discovery" feature).

Your options to solve the problem are either fixing this on the server side by making the server send the entire chain, too, or by passing the missing intermediate certificate to OpenSSL as a client-side parameter.
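The script below is an added demonstration and is not part of the original question or answer. It rebuilds the situation the answer describes offline: a root CA, an intermediate signed by the root, and a server certificate signed only by the intermediate. With just the root in the trust store, OpenSSL reports error 20 (unable to get local issuer certificate) exactly as in the question; supplying the intermediate either as an untrusted chain certificate or by appending it to the trusted bundle makes verification succeed. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; every name in it, including the hostname demo.example, is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Reproduces the
# "unable to get local issuer certificate" (error 20) failure with a locally
# generated root -> intermediate -> server chain, then shows the two
# client-side ways of supplying the missing intermediate. Assumes the openssl
# CLI (1.1.1 or 3.x) is on PATH. All names, including "demo.example", are
# constructed for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed root, an intermediate signed by the root, and a server
# (end-entity) certificate signed only by the intermediate.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    # Root CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Demo Root CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -out "$WORK/root.pem" -days 365 -extfile "$WORK/ca.ext" >/dev/null 2>&1 || return 1
    # Intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
        -out "$WORK/inter.csr" -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -out "$WORK/inter.pem" -days 365 -extfile "$WORK/ca.ext" \
        >/dev/null 2>&1 || return 1
    # Server certificate, signed by the intermediate only
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > "$WORK/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/CN=demo.example" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/server.pem" -days 365 -extfile "$WORK/server.ext" \
        >/dev/null 2>&1 || return 1
}

# Mirrors the misconfigured server: the client holds the end-entity certificate
# and a trust store containing only the root; the intermediate is nowhere.
# openssl verify exits non-zero with "error 20 ... unable to get local issuer certificate".
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Fix 1: give the client the intermediate as an untrusted chain-building
# certificate, i.e. what a well-configured server sends in the handshake.
verify_with_untrusted() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Fix 2: append the intermediate to the trusted bundle passed via -CAfile,
# the same client-side parameter s_client accepts.
verify_with_bundle() {
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
    openssl verify -CAfile "$WORK/bundle.pem" "$WORK/server.pem" >/dev/null 2>&1
}

build_chain || { echo "could not build demo chain (is openssl installed?)"; exit 1; }
if verify_without_intermediate; then
    echo "root only:           unexpectedly OK"
else
    echo "root only:           FAILS (unable to get local issuer certificate)"
fi
verify_with_untrusted && echo "root + -untrusted:   OK"
verify_with_bundle    && echo "root + intermediate: OK"
```

To see which certificates a real server actually presented, `openssl s_client -showcerts -connect host:443` prints each one; if only the end-entity certificate appears, the server is the problem, and adding the intermediate to the file given to `-CAfile` is the client-side workaround the answer mentions until the server operator fixes the chain.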

