Can't verify CA certificate unless CApath or CAfile used


Question

I'm having trouble with having OpenSSL connect to a server because of trust issues. I placed the CA certificate on /etc/ssl/certs/ and have run sudo c_rehash and can see that the correct file has been made. I can see that CA certificate is in the ca-certificates.crt. However if I run:

openssl s_client -connect servername.domain.com:636

The command fails with Verify return code: 21 (unable to verify the first certificate)

If I do:

openssl s_client -connect servername.domain.com:636 -CApath /etc/ssl/certs/

I get Verify return code: 0 (ok)

What can I do so I don't have to specify the CApath?

I'm using Ubuntu 13.04.

Answer

OpenSSL connect to a server because of trust issues.

Unlike browsers, which trust nearly everything from anybody, OpenSSL trusts nothing by default.

It's up to you to determine what should be trusted. You will have to specify something when using OpenSSL and s_client.

If you are working programmatically with the OpenSSL API, you have more options. But this appears to be related to using the OpenSSL commands.

What can I do so I don't have to specify the CApath?

You can use the CAfile. It avoids the rehash, and it creates a 1:1 mapping for trust of the domain. That is, you only trust one issuer for the domain in question. If any other issuer claims to be the issuer, you won't trust the issuer or the server.

When using all the certificates present in CAPath, you trust any issuer, even if it's not the real issuer. This has happened in the past and it's bad.

The corner case is where a bad guy compromises the CA you trust and issues phony certificates for the domain. This has happened in the past too, and it's bad.

In the two negative cases above, you can forgo conferring trust to DNS and CAs and use a security diversification technique like certificate or public key pinning. If there's a pre-existing relationship between you and the site, then you know the expected public key of the server. In this case, there's no need to trust a CA.
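The answer contrasts three ways of deciding whom to trust: a single CAfile, a hashed CApath directory, and a public-key pin. The script below is an added example, not code from the original question or answer. It builds a disposable PKI with the openssl command line (two constructed root CAs, "Good Root CA" and "Other Root CA", and two leaf certificates for the constructed name servername.domain.com) and then runs each kind of check so the difference in what gets accepted is visible. The file names, the certs/ layout and the pin-from-key helper are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Builds a throwaway PKI in a temp
# directory and shows what -CAfile, -CApath and a public-key pin each accept.
# All names ("Good Root CA", "Other Root CA", servername.domain.com) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST=servername.domain.com   # constructed host name, echoing the question

# Self-signed root CA: $1 = file stem, $2 = CN.
make_root_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf certificate for DNS name $3, issued by CA stem $2, stored as stem $1.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# A CApath directory laid out the way c_rehash does it: one <subject-hash>.0 per CA.
make_capath() {
  mkdir -p "$WORK/certs"
  for ca in "$@"; do
    cp "$WORK/$ca.pem" \
      "$WORK/certs/$(openssl x509 -noout -subject_hash -in "$WORK/$ca.pem").0"
  done
}

# Idempotent: two roots, a real leaf from Good, and a same-name leaf from Other.
setup_demo_pki() {
  if [ -d "$WORK/certs" ]; then return 0; fi
  make_root_ca good-ca "Good Root CA"
  make_root_ca other-ca "Other Root CA"
  make_server_cert server good-ca "$HOST"      # the certificate you expect
  make_server_cert impostor other-ca "$HOST"   # same name, a CA you never meant for it
  make_capath good-ca other-ca
}

# Trust exactly one anchor file: the 1:1 mapping the answer recommends.
# (openssl verify also consults the system default store; the demo CAs are not in it.)
verify_with_cafile() {   # $1 = CA file, $2 = certificate to check
  openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2"
}

# Trust every CA in a hashed directory: whichever CA issued the cert is accepted.
verify_with_capath() {   # $1 = directory, $2 = certificate to check
  openssl verify -CApath "$1" -verify_hostname "$HOST" "$2"
}

# SHA-256 over the DER SubjectPublicKeyInfo taken from a certificate (the usual pin).
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# The pin you would hold from a prior relationship, derived from the key you already know.
pin_from_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

pin_matches() {   # $1 = certificate presented, $2 = private key of the expected server
  [ "$(spki_pin "$1")" = "$(pin_from_key "$2")" ]
}

report() {   # run one check quietly and print its verdict
  if "$@" >/dev/null 2>&1; then echo "  accepted: $*"; else echo "  rejected: $*"; fi
}

demo() {
  setup_demo_pki
  echo "-CAfile good-ca.pem (trust one issuer):"
  report verify_with_cafile "$WORK/good-ca.pem" "$WORK/server.pem"
  report verify_with_cafile "$WORK/good-ca.pem" "$WORK/impostor.pem"
  echo "-CApath certs/ (trust every hashed CA, Good and Other alike):"
  report verify_with_capath "$WORK/certs" "$WORK/server.pem"
  report verify_with_capath "$WORK/certs" "$WORK/impostor.pem"
  echo "public-key pin against the key already known for $HOST:"
  report pin_matches "$WORK/server.pem" "$WORK/server.key"
  report pin_matches "$WORK/impostor.pem" "$WORK/server.key"
}

demo
```

Run it as a script with openssl on the PATH; it writes only into a temp directory. With -CAfile only the leaf from the one trusted root is accepted. In the -CApath run both leaves verify, because every hashed CA in the directory counts as an issuer for any name, which is the "trust any issuer" problem the answer describes. The pin accepts only the certificate carrying the key already on record, so it still rejects the second leaf even though a CA in the directory signed it.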

