Why does SSL connection fail when using intermediate CA?


Question

Given stackoverflow.com cert chain as follows:

Builtin DST Root CA -> Let's encrypt intermediate CA -> *.stackexchange.com

Is it possible to make a TLS connection using intermediate CA as trusted CA?

curl https://stackoverflow.com -v --cacert stack_intermediate_ca.pem --capath /dev/null -o /dev/null

curl: (60) SSL certificate problem: unable to get issuer certificate

Is it because the intermediate CA is presented in the server chain during TLS handshake? Or do all certs in the chain have to be signed either directly or transitively by a trusted authority?

I verified that the intermediate CA has "Is a Certification Authority" set in the Basic Constraints attribute.

Maybe the trusted CA has to be self-signed, which is not the case with the intermediate CA.

Recommended answer

This behavior depends on the version of openssl and curl.

Traditionally openssl required the verification of the full chain, i.e. up to the self-signed and locally trusted root certificate. With openssl 1.0.2 the flag X509_V_FLAG_PARTIAL_CHAIN was added, which allowed the chain verification to end in an arbitrary trusted certificate, no matter if it is the self-signed root or not. But this behavior is off by default.

With curl 7.68.0 curl has this flag enabled by default, so that with newer versions of curl and openssl it should be possible to have a chain certificate in --cacert instead of the self-signed root certificate. It does not matter if the server will send more chain certificates than needed to verify the chain, since curl/openssl will just use the certificates which are actually needed. Verified with curl 7.68.0 with openssl 1.1.1 on Ubuntu 20.04.
