对于login.live.com，Windows中的s_client证书验证失败 [英] s_client certificate validation fails in Windows for login.live.com

问题描述

我从 Shining Light Productions 并将其安装到默认位置 C：\ OpenLSL-Win32 。我将文件 ca-bundle.crt 复制到 C：\ OpenPSL-Win32 \ bin 并运行：

I downloaded Win32OpenSSL_Light-1_0_2.exe from Shining Light Productions and installed it to the default location C:\OpenSSL-Win32. I copied the file ca-bundle.crt to C:\OpenSSL-Win32\bin and ran:

C:\OpenSSL-Win32\bin>openssl s_client -connect login.live.com:443 -CAfile ca-bundle.crt

证书链的验证失败，并显示以下消息：

The verification of the certificate chain fails with the message:

Verify return code: 20 (unable to get local issuer certificate)

使用相同的命令 ca-bundle.crt 文件，OpenSSL版本1.0.1e返回：

Using the same command with the same ca-bundle.crt file on Debian Wheezy with OpenSSL version 1.0.1e returns:

Verify return code: 0 (ok)

如果我将主机名更改为 api.onedrive.com （相同的命令）我得到验证返回码：两个都是0（ok），Windows a和Linux。

If I change the hostname to api.onedrive.com (same command) I get Verify return code: 0 (ok) on both, Windows and Linux.

我做错了什么或者是否有已知错误？如何让它在Windows上运行 login.live.com ？

Am I doing something wrong or is there a known bug? How can i get it to work on Windows for login.live.com?

（最初我偶然发现了这个尝试的问题使用Windows XAMPP下的PHP的cURL扩展连接到login.live.com ，但现在它看起来更像是一个OpenSSL问题。）

(Initially I stumbled upon this problem when trying to connect to login.live.com with PHP's cURL extension under Windows XAMPP, but now it looks more like an OpenSSL issue.)

推荐答案

s_client 有未记录的属性（或者可能是一个长期存在的bug），如果你给 -CAfile 选项它不仅会检查给定的CA文件，还会检查系统默认值（Debian上的 / usr / lib / ssl / certs ）。如果您使用 strace 运行 openssl s_client 以查看验证期间使用的文件，您将看到以下内容：

s_client has the undocumented property (or probably more a long standing bug), that if you give a -CAfile option it will not only check against the given CA file but also against the systems default (/usr/lib/ssl/certs on Debian). If you run openssl s_client with strace to check out which files are used during the verification you will see the following:

$ strace -e open openssl s_client -connect login.live.com:443 -CAfile ca-bundle.crt
...
open("ca-bundle.crt", O_RDONLY)         = 3
open("/usr/lib/ssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
...
open("/usr/lib/ssl/certs/415660c1.0", O_RDONLY) = 4
open("/usr/lib/ssl/certs/415660c1.1", O_RDONLY) = 4

从这个输出你可以看到它不仅使用用于验证的给定CA文件，但也尝试使用 /usr/lib/ssl/cert.pem （不存在），然后查看 / usr / lib / ssl / certs 通过主题哈希 415660c1 查找所需的CA.在那里，它终于找到它在 415660c1.1 中寻找的根CA：

From this output you can see that it not only uses the given CA file for verification but also tries to use /usr/lib/ssl/cert.pem (does not exist) and then looks into /usr/lib/ssl/certs to find the required CA by the subject hash 415660c1. There it finally finds the root CA it is looking for in 415660c1.1:

 $ openssl x509 -in /usr/lib/ssl/certs/415660c1.1 -text
 ...
 Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
 ...
 Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority

由于OpenSSL上没有可用的Windows系统默认值（它不能使用Windows CA存储），验证将在那里失败。

Since there are no system defaults on Windows usable by OpenSSL (it can not use the Windows CA store) the verification will fail there.

至于 api.onedrive.com ：这有另一个信任链，可以使用给定的CA完全验证束。 strace 的输出显示它不会尝试访问 / usr / lib / ssl / certs 中的任何文件。

As for api.onedrive.com: this has another trust chain and can fully be verified with the given CA bundle. The output from strace shows that it does not try to access any files inside /usr/lib/ssl/certs.

这篇关于对于login.live.com，Windows中的s_client证书验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！