OpenSSL: unable to verify the first certificate for Experian URL


Question


I am trying to verify an SSL connection to Experian in Ubuntu 10.10 with OpenSSL client.

openssl s_client -CApath /etc/ssl/certs/ -connect dm1.experian.com:443


The problem is that the connection closes with a Verify return code: 21 (unable to verify the first certificate).


I've checked the certificate list, and the certificate used to sign Experian (VeriSign Class 3 Secure Server CA - G3) is included in the list.

/etc/ssl/certs/ca-certificates.crt


Yet I don't know why it is not able to verify the first certificate. Thanks in advance.


The entire response could be seen here: https://gist.github.com/1248790

Recommended answer


The first error message is telling you more about the problem:



verify error:num=20:unable to get local issuer certificate


The issuing certificate authority of the end entity server certificate is



VeriSign Class 3 Secure Server CA - G3


Look closely in your CA file - you will not find this certificate since it is an intermediary CA - what you found was a similar-named G3 Public Primary CA of VeriSign.


But why does the other connection succeed, but this one doesn't? The problem is a misconfiguration of the servers (see for yourself using the -debug option). The "good" server sends the entire certificate chain during the handshake, therefore providing you with the necessary intermediate certificates.


But the server that is failing sends you only the end entity certificate, and OpenSSL is not capable of downloading the missing intermediate certificate "on the fly" (which would be possible by interpreting the Authority Information Access extension). Therefore your attempt fails using s_client but it would succeed nevertheless if you browse to the same URL using e.g. Firefox (which does support the "certificate discovery" feature).


Your options to solve the problem are either fixing this on the server side by making the server send the entire chain, too, or by passing the missing intermediate certificate to OpenSSL as a client-side parameter.
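The failure mode and the client-side fix described in the answer, reproduced on a locally generated chain. This is an added example, not code from the question, the answer, or OpenSSL's own documentation; it assumes only that the openssl command-line tool (1.1.1 or newer) is on PATH, and every key, certificate and name in it is constructed on the spot, so nothing touches the real Experian or VeriSign certificates.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Builds a root -> intermediate -> leaf
# chain locally, reproduces verify error 20 when the trust store holds only the
# root, then shows two ways of supplying the missing intermediate on the client.
# Assumption: the openssl CLI (1.1.1+) is available. All names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# The server in the question sends only the leaf certificate, so the verifier
# must find the intermediate elsewhere. This builds the three certificates.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext

  # Root CA: self-signed and marked CA:TRUE so it is a valid trust anchor.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
      -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
      -out root.pem 2>/dev/null

  # Intermediate CA issued by the root (the role "VeriSign Class 3 Secure
  # Server CA - G3" plays in the question).
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
      -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.ext -out int.pem 2>/dev/null

  # End-entity (server) certificate issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Trust store holds only the root, exactly the situation in the question.
# Prints openssl's diagnostic, which contains
# "unable to get local issuer certificate" (verify error 20).
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem 2>&1 || true
}

# Fix 1: hand the intermediate to the verifier as an untrusted helper
# certificate. It is still validated up to the root; it is just not a trust
# anchor on its own. Prints "leaf.pem: OK".
verify_with_untrusted() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem 2>&1 || true
}

# Fix 2: bundle root + intermediate into one CA file. The same bundle can be
# passed as -CAfile to s_client. Prints "leaf.pem: OK".
verify_with_bundle() {
  cat root.pem int.pem > bundle.pem
  openssl verify -CAfile bundle.pem leaf.pem 2>&1 || true
}

make_chain
echo "--- root only:";           verify_leaf_only
echo "--- with -untrusted:";     verify_with_untrusted
echo "--- with bundled CAfile:"; verify_with_bundle
```

The first run reproduces the answer's point: with the intermediate absent from both the handshake and the trust store, chain building stops at depth 0 with error 20. The two fixes differ in trust semantics: `-untrusted` adds the intermediate only as a chain-building hint, while putting it into the CA file makes it part of the trusted store, which is the form that works with `s_client -CAfile`.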

