"verify error:num=20" when connecting to gateway.sandbox.push.apple.com

Problem description

I am attempting to run the Ray Wenderlich tutorial found at Apple Push Notification Services in iOS 6 Tutorial: Part 1/2 (http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1).

I created an AppID and SSL certificate and keys and PEM files in a local directory. Afterwards, I got to the step to test whether the certificate works, and I invoked the following command from this local directory:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
  -cert PushChatCert.pem -key PushChatKey.pem

This produced a lot of output. In the middle of the output was the following:

verify error:num=20:unable to get local issuer certificate
verify return:0

Is this an error, or is this a test for an error? If it's an error, what would be the cause or what would you suggest to resolve it?


Here is the complete output (less the certificate data):

Enter pass phrase for PushChatKey.pem:    
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----

<Long string of data removed>

-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2731 bytes and written 2215 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: <removed>
    Key-Arg   : None
    Start Time: 1398633302
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The tutorial goes on to say that "If the connection is successful, you should be able to type a few characters. When you press enter, the server should disconnect." I was able to do this and the server disconnected.

But the tutorial goes on to say that you may have to look through the output to find an error. Hence the reason for this question.

Solution

This produced a lot of output. In the middle of the output was the following:

verify error:num=20:unable to get local issuer certificate
verify return:0

You are missing a root certificate, and it should be specified either with -CAfile or with -CApath.

However, you may encounter a handshake alert after you fix the root certificate issue. I believe it's a client certificate issue caused by me not having one (hence you may not experience it). Below, 0x14094410 is the OpenSSL error, and the SSL error (from the TLS protocol) is simply SSL alert number 40. Alert 40 is the handshake alert, and there's no additional information.

First

Determine the root you need:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140067272132264:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140067272132264:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)

So you need Entrust.net Certification Authority (2048). You can download it from Entrust Root Certificates (https://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/). It's named entrust_2048_ca.cer and it appears to be in PEM format.

Second

Now, run openssl s_client again, but this time with -CAfile entrust_2048_ca.cer. Notice it completes with a Verify return code: 0 (ok):

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer 
CONNECTED(00000003)
depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify return:1
depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.sandbox.push.apple.com
verify return:1
140642906502824:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140642906502824:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate data removed>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2683 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: A2F375CC440179ADF831179C32A35AF4...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1398721005
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

In this particular case Entrust.net is a well-known Root Certificate Authority, so its certificate comes within the common CA certificates bundle (ca-certificates in Debian). It is usually installed, among others, into the /etc/ssl/certs directory and, alternatively, can be referred to with the -CApath /etc/ssl/certs/ option.

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CApath /etc/ssl/certs/

Third

This is kind of the old way of doing things, back when SSLv3 was still popular. That is, the POODLE attack was unknown:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer 

You should probably switch to TLS 1.0 or above and use Server Name Indication (SNI). SNI is a TLS feature not present in SSL. You might need to force TLS 1.2 in 2016; and you can do so with -tls1_2.

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
  -tls1 -servername gateway.sandbox.push.apple.com -CAfile entrust_2048_ca.cer

Fourth

Korbbit provides additional information below. I'm adding it here to ensure it gets the attention it deserves. It addresses the statement I made, "alert handshake failure ... I believe it's a client certificate issue caused by me not having one". You should provide feedback for Korbbit if it's helpful to you:

if you look at the tutorial again you are meant to type...
-cert PushChatCert.pem -key PushChatKey.pem

With Korbbit's feedback, the answer becomes:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
  -tls1 -servername gateway.sandbox.push.apple.com \
  -cert PushChatCert.pem -key PushChatKey.pem -CAfile entrust_2048_ca.cer
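
Added example, not part of the original question or answer: a small filter for s_client output that names the CA certificate to supply with -CAfile or -CApath, and a stricter pass/fail check. The helper names (sample_output, missing_issuer, chain_verified) are hypothetical, and the sample input is constructed by trimming the question's transcript, where the last line reads "Verify return code: 0 (ok)" even though error 20 was reported during the handshake.

```sh
#!/bin/sh
# Constructed input: s_client output trimmed from the question's transcript above.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
    Verify return code: 0 (ok)
EOF
}

# Print the issuer at the top of the presented chain that the server did not
# send as a subject: that is the CA certificate the client must already trust.
missing_issuer() {
  awk '
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subject[$0] = 1 }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); issuer[++n] = $0 }
    END {
      for (k = n; k >= 1; k--)
        if (!(issuer[k] in subject)) { print issuer[k]; exit }
      if (n) print issuer[n]  # server sent a self-signed root; it must still be trusted locally
    }'
}

# Succeed only if no "verify error" line appeared AND the final code is 0.
# Checking the final line alone would accept the sample above.
chain_verified() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^verify error:'; then return 1; fi
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

echo "CA to pass via -CAfile/-CApath: $(sample_output | missing_issuer)"
sample_output | chain_verified || echo "chain NOT verified: a verify error was reported"
```

Against a live server, pipe the real output in instead of the sample, for example `openssl s_client -connect host:port </dev/null 2>&1 | missing_issuer`, so that the verify lines are captured whichever stream they are written to.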
