"unknown ca" with self-generated CA, certificates and client/server


Problem description

I'm writing a custom client & server that I want to communicate securely over the public Internet, therefore I want to use OpenSSL and have both ends do peer verification to ensure that my client isn't mis-directed by a MITM, and likewise that an unauthorized client isn't able to connect to the server.

This is the error received from the server during the SSL_connect / SSL_accept phase:

    15620:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl\record\rec_layer_s3.c:1528:SSL alert number 48

I'm running under Windows 10, using OpenSSL 1.1.1. I'm using the following batch file to create them. I enter the ca private key passphrase by hand for obvious reasons.

    openssl genrsa -des3 -out ca.key.pem 2048
    openssl genrsa -out server.key.pem 2048
    openssl genrsa -out client.key.pem 2048

    openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar

    openssl req -new -sha256 -key server.key.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out server.csr
    openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 365 -sha256

    openssl req -new -sha256 -key client.key.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out client.csr
    openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 365 -sha256

The intent here is to create a self-signed CA, and then have that directly sign both the client and server keys.

ca.key.pem will be stored in a secure place: on an encrypted VeraCrypt volume.

Both client and server use the following call to enable peer verification:

    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);

I'm fairly certain this is a certificate issue because the errors go away if I remove that line.

Recommended answer

Answering this myself so that it can help anyone else that might arrive here looking for solutions to this problem. The answer was found in another SO question, but is worth repeating here: The Common Name for the CA cannot be the same as the Common Name for the client and server certificates.

So changing the fourth line of the batch file to this:

    openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=FoobarCA

fixed the problem.
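As an added example (not the asker's batch file or the answerer's command), the POSIX shell script below rebuilds the same PKI with the accepted fix and checks it the way peer verification will: the CA's DN differs from the leaf DNs, each leaf carries an AKID and SKID so it can never be read as self-signed (a leaf whose subject DN equals its issuer DN and has no AKID looks self-signed to OpenSSL's chain builder and is rejected as an untrusted self-signed certificate, which the TLS layer reports to the peer as alert 48, "unknown ca"), and `openssl verify` confirms both leaves chain to the CA while a certificate from an unrelated CA is rejected. It assumes the openssl CLI is on PATH; the temp-dir file names, the extension values and the OtherCA name are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: CA with a DN distinct from the
# leaves, leaves signed with explicit v3 extensions, each verified against the CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ_BASE="/C=US/ST=CA/L=Somewhere/O=Someone"

# Issue one leaf signed by the CA in $WORK: $1=file prefix, $2=CN, $3=EKU.
issue_leaf() {
    # SKID/AKID make the issuer link explicit, so a leaf can never be read as
    # self-signed even if its DN matched the CA's; CA:FALSE keeps it a leaf.
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\n' > "$WORK/$1.ext"
    printf 'authorityKeyIdentifier=keyid,issuer\nextendedKeyUsage=%s\n' "$3" >> "$WORK/$1.ext"
    openssl genrsa -out "$WORK/$1.key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/$1.key.pem" \
        -subj "$SUBJ_BASE/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.cert.pem" \
        -CAkey "$WORK/ca.key.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.cert.pem" 2>/dev/null
}
# CA gets CN=FoobarCA (the accepted fix); both leaves keep CN=Foobar.
build_pki() {
    openssl genrsa -out "$WORK/ca.key.pem" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/ca.key.pem" -sha256 -days 365 \
        -subj "$SUBJ_BASE/CN=FoobarCA" -out "$WORK/ca.cert.pem" 2>/dev/null
    issue_leaf server Foobar serverAuth
    issue_leaf client Foobar clientAuth
}
# The check SSL_VERIFY_PEER performs on the wire: does leaf $1 chain to our CA?
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.cert.pem" "$WORK/$1.cert.pem" >/dev/null 2>&1
}
# Root cause on the page: subject DN == issuer DN makes a leaf look self-signed.
# Returns 0 when leaf $1's subject and issuer DNs differ, as they now must.
dn_differs_from_issuer() {
    s=$(openssl x509 -in "$WORK/$1.cert.pem" -noout -subject -nameopt RFC2253)
    i=$(openssl x509 -in "$WORK/$1.cert.pem" -noout -issuer -nameopt RFC2253)
    [ "${s#subject=}" != "${i#issuer=}" ]
}
# A leaf from an unrelated CA must fail: that is what keeps an unauthorized
# client or a MITM server out. Returns 0 when leaf $1 is rejected.
rejected_by_other_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/other.key.pem" \
        -sha256 -days 1 -subj "$SUBJ_BASE/CN=OtherCA" -out "$WORK/other.cert.pem" 2>/dev/null
    ! openssl verify -CAfile "$WORK/other.cert.pem" "$WORK/$1.cert.pem" >/dev/null 2>&1
}

build_pki
verify_leaf server && verify_leaf client && echo "server and client certs chain to FoobarCA"
```

Running `openssl verify -CAfile` offline like this is the quickest way to confirm a fresh certificate set before debugging alert 48 in the handshake.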
