SSLError: hostname "W.X.Y.Z" does not match the server certificate


Problem description

I just started to learn Ruby and, after some basic things, I'm trying to understand making REST calls to a service in Ruby. I can make GET requests to the Foursquare API without any trouble. On the other hand, calls to the Cisco CMX API give an error. My Ruby version is 2.1.2. I searched many solutions on the web but still have the problem. This is the shell command that I run.

This one works:

$restclient
>> RestClient.get 'https://api.foursquare.com/v2/venues/search?ll=40.7,-74&oauth_token=0ZDO1JMJ0PW2QTCDK50OGZ21UENHZ0Y3KIDQZJLLURTQNRQ2&v=20150106'

This one gives the error:

$restclient
>> RestClient.get 'https://learning:learning@64.103.26.61/api/contextaware/v1/maps/.json'

My error log:

OpenSSL::SSL::SSLError: hostname "64.103.26.61" does not match the server certificate
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/2.1.0/openssl/ssl.rb:139:in `post_connection_check'
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:922:in `connect'
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:852:in `start'
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/rest-client-1.7.2/lib/restclient/request.rb:413:in `transmit'
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/rest-client-1.7.2/lib/restclient/request.rb:176:in `execute'
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/rest-client-1.7.2/lib/restclient/request.rb:41:in `execute'
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/rest-client-1.7.2/lib/restclient.rb:65:in `get'
from (irb):3
from /Users/apple/.rbenv/versions/2.1.2/lib/ruby/gems/2.1.0/gems/rest-client-1.7.2/bin/restclient:93:in `<top (required)>'
from /Users/apple/.rbenv/versions/2.1.2/bin/restclient:23:in `load'
from /Users/apple/.rbenv/versions/2.1.2/bin/restclient:23:in `<main>'

Could you please give some advice? Thank you

Recommended answer

"Could you please give some advice?"

Here's a more detailed answer, and how to fix the problem in Ruby with something other than the pathetic OpenSSL::SSL::VERIFY_NONE.

$ openssl s_client -connect 64.103.26.61:443 | openssl x509 -text -noout
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
...
        Subject: C=US, ST=CA, L=San Jose, O=Cisco Systems, Inc., CN=msesandbox.cisco.com
...
            X509v3 Subject Alternative Name: 
                DNS:msesandbox.cisco.com

So the appliance has a DNS name of msesandbox.cisco.com. nslookup tells you it's a good hostname:

$ nslookup msesandbox.cisco.com
Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:   msesandbox.cisco.com
Address: 64.103.26.61

So the first thing you have to do is connect to it by its DNS name, and not by an IP address.

If you issue certificates for the cisco.com domain (or can make a request), then you can ask that the IP address 64.103.26.61 be added as a Subject Alternative Name (SAN). So there will be two SANs in the certificate.

Now, if you go back to the openssl command:

$ openssl s_client -connect 64.103.26.61:443 | openssl x509 -text -noout
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
verify error:num=19:self signed certificate in certificate chain
...
    Issuer: C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2
...
    Subject: C=US, ST=CA, L=San Jose, O=Cisco Systems, Inc., CN=msesandbox.cisco.com

You will see the issuer and subject are different. That means this is not a self-signed certificate. The certificate was issued by HydrantID (Avalanche Cloud Corporation).

If you look further, you will see the issuer's public key (Authority Key Identifier) is different from the subject's public key (Subject Key Identifier):

X509v3 Authority Key Identifier: 
    keyid:98:6A:B6:2D:2E:BF:A7:AA:9F:F6:F7:D6:09:AF:D5:8B:57:F9:8A:B7
...
X509v3 Subject Key Identifier: 
    B5:3D:50:53:0A:A2:06:9E:9A:29:89:7A:AB:96:90:FE:9D:6B:57:A0

Again, it's not self-signed.

If you go back to the OpenSSL command again, you will see the issuer is HydrantID SSL ICA G2, and its issuer is QuoVadis Root CA2 G3:

depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
verify return:1
depth=1 C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
verify return:1
depth=0 C = US, ST = CA, L = San Jose, O = "Cisco Systems, Inc.", CN = msesandbox.cisco.com
verify return:1

That means QuoVadis Root CA2 G3 issued HydrantID SSL ICA G2, and HydrantID SSL ICA G2 issued msesandbox.cisco.com. QuoVadis Root CA2 G3 is the top of the food chain.

You can get QuoVadis Root CA2 G3 from the QuoVadis CA certificate downloads:

$ curl -O -J -L https://www.quovadisglobal.bm/Repository/~/media/Files/Roots/quovadis_rca2g3_der.ashx
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1380  100  1380    0     0   1808      0 --:--:-- --:--:-- --:--:--  5726
curl: Saved to filename 'quovadis_rca2g3_der.cer'

$ openssl x509 -in quovadis_rca2g3_der.cer -inform DER -out quovadis-ca.pem -outform PEM
$ cat quovadis-ca.pem 
-----BEGIN CERTIFICATE-----
MIIFYDCCA0igAwIBAgIURFc0JFuBiZs18s64KztbpybwdSgwDQYJKoZIhvcNAQEL
BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc
BgNVBAMTFVF1b1ZhZGlzIFJvb3QgQ0EgMiBHMzAeFw0xMjAxMTIxODU5MzJaFw00
...
-----END CERTIFICATE-----

IF you trust QuoVadis to certify the appliance, then:

$ openssl s_client -connect msesandbox.cisco.com:443 -CAfile quovadis-ca.pem 
CONNECTED(00000003)
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
verify return:1
depth=1 C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
verify return:1
depth=0 C = US, ST = CA, L = San Jose, O = "Cisco Systems, Inc.", CN = msesandbox.cisco.com
verify return:1
...

    Start Time: 1420616960
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Notice OpenSSL finished with Verify return code: 0 (ok). That tells you that you got a good chain. OpenSSL s_client does not perform hostname matching here, but we already know that the hostname in the certificate is good.

Now, for the Ruby code. All you need to do is plug the CA into Ruby:

#!/usr/bin/ruby

require 'net/http'
require 'net/https'
require 'openssl'

uri = URI('https://msesandbox.cisco.com:443')

options_mask = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 | OpenSSL::SSL::OP_NO_COMPRESSION

http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Get.new(uri.request_uri)

if uri.scheme == "https"
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = File.join(File.dirname(__FILE__), "quovadis-ca.pem")
  # http.ssl_options = options_mask
end

response = http.request request

Here's the run:

$ ./Connect-Test.rb 
$ 

No exceptions, and no OpenSSL::SSL::VERIFY_NONE.

You should try to use options_mask since it removes weak/wounded/broken protocols. But Ruby's so broken and undocumented at times, I have never been able to get it to work.

I was able to root trust in both HydrantID SSL ICA G2 and QuoVadis Root CA2 G3 with OpenSSL (meaning I got a Verify Result 0 (OK) from OpenSSL). But Ruby could only handle QuoVadis Root CA2 G3 (it could not build a chain to HydrantID SSL ICA G2). More Ruby broken-ness.
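As an added example (not part of the question or the answer above), here is the hostname check that Net::HTTP runs in post_connection_check, applied to a constructed self-signed certificate shaped like the appliance's. It shows why dialling "64.103.26.61" fails while "msesandbox.cisco.com" passes, and that the IP address only matches once an IP SAN is added, as the answer suggests. The helper names build_cert and hostname_matches? are assumptions made for this example.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate (constructed for this example) with
# the appliance's subject, CN=msesandbox.cisco.com, plus the given SAN entries.
# An empty list yields a legacy certificate with no SAN extension at all.
def build_cert(san_entries)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/C=US/O=Cisco Systems, Inc./CN=msesandbox.cisco.com')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless san_entries.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    # e.g. 'DNS:msesandbox.cisco.com,IP:64.103.26.61'
    cert.add_extension(ef.create_extension('subjectAltName', san_entries.join(','), false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The same identity check Net::HTTP performs after the TLS handshake: the name
# the client dialled must appear among the SANs (DNS or IP), and only a
# certificate without any SAN falls back to the subject CN.
def hostname_matches?(cert, name)
  OpenSSL::SSL.verify_certificate_identity(cert, name)
end

if $PROGRAM_NAME == __FILE__
  dns_only = build_cert(['DNS:msesandbox.cisco.com'])
  puts "DNS name:   #{hostname_matches?(dns_only, 'msesandbox.cisco.com')}" # true
  puts "IP address: #{hostname_matches?(dns_only, '64.103.26.61')}"         # false
  with_ip = build_cert(['DNS:msesandbox.cisco.com', 'IP:64.103.26.61'])
  puts "IP w/ SAN:  #{hostname_matches?(with_ip, '64.103.26.61')}"          # true
end
```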
