thin rails server/eventmachine on windows does not work with custom certificate


Problem description

After building my own eventmachine/thin with SSL support on windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86) I got another problem with the SSL certificate: when I use the built-in self-signed one, thin works fine, but it does not respond to any request while using the corporate certificate

Here is my path for obtaining the certificate:

  1. I generated the private key with puttygen (ssl-private.key)
  2. I generated the CSR using the following command:

openssl req -out ssl.csr -key ssl-private.key -new

  3. I sent the CSR to the CA and received a P7B file
  4. I converted the P7B using the following command:

openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt

What could go wrong here?


What have I checked:

openssl rsa -in ssl-private.key -check

says "RSA key ok"

openssl x509 -in cert.crt -text -noout

says

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ***
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: ***
        Validity
            Not Before: Feb 16 08:47:25 2004 GMT
            Not After : Feb 16 08:55:36 2024 GMT
        Subject: ***
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ***
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                ***
            1.3.6.1.4.1.311.21.1: 
                ...
    Signature Algorithm: sha1WithRSAEncryption
         ***

while the same check made on self-signed cert, created using

openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

says

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ***
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
        Validity
            Not Before: Jun 24 14:42:07 2015 GMT
            Not After : Jun 23 14:42:07 2016 GMT
        Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ***
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         ***


ok, some change: I have changed the cert order in the crt file so that the final cert is not last but first, and the result is different: chrome drops a NET::ERR_CERT_INVALID error, IE similar, and both do not navigate further

openssl s_client output (looks ok, *** Root CA 1 is trusted in windows):

Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=***/ST=***/O=***/CN=***.com
   i:/DC=com/DC=***/CN=*** Enterprise CA 1
 1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
   i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: ***
    Session-ID-ctx:
    Master-Key: ***
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket: ***

    Start Time: 1435319943
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0

I have made a simple https server (lib/emtestssl):

require 'rubygems'
require 'bundler/setup'
Bundler.require

class ServerHandler < EM::Connection
  def post_init
    puts "post_init"
    start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
  end

  def receive_data(data)
    puts "Received data in server: #{data}"
    send_data("HTTP/1.1 200 OK\n\nHello world!")
    close_connection_after_writing
  end
end

EventMachine.run do
  puts 'Starting server...'
  EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end

it works fine without tls; with tls the browser won't allow connecting :(


as per http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify private key and certificate do match

Solution

it looks like (patched) eventmachine is completely fine: I have taken a key/cert pair from an existing server and (after a url mismatch warning from the browser) it works fine

after comparing the certificates it looks like my CA has failed and brought me a cert with wrong properties: the working one is described as Server Authentication (1.3.6.1.5.5.7.3.1) while the failing one is Client Authentication (1.3.6.1.5.5.7.3.2)

I will issue another csr and charge them for the lost day... :/

maybe one important discovery is the order of certificates within the cert file: one must go from the final cert to the root, the root being at the end of the chain
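The three things that cost the asker a day (a key that does not belong to the cert, a leaf issued with the wrong Extended Key Usage, and a cert_chain_file that is not ordered leaf-first) can all be checked before starting thin. The script below is an added example using only Ruby's bundled openssl library; it is not code from the question, the answer, EventMachine or thin. It generates a small throwaway PKI in memory (a root, an "Enterprise CA" and a leaf, mirroring the shape of the s_client output above) so that it runs offline, and the subject names, the helper names (make_cert, key_matches_cert?, server_auth_cert?, chain_leaf_first?, order_leaf_first) and the EKU OID constants are my own choices, not anything from the page or the asker's CA.

```ruby
require 'openssl'

SERVER_AUTH_OID = '1.3.6.1.5.5.7.3.1' # id-kp-serverAuth: what a TLS server's leaf needs
CLIENT_AUTH_OID = '1.3.6.1.5.5.7.3.2' # id-kp-clientAuth: what the asker's CA issued instead

# Build one X.509v3 certificate; without issuer_cert/issuer_key it is self-signed.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false, eku: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku, false)) if eku
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Check 1: the private key really belongs to the certificate (the Apache FAQ check, in code).
def key_matches_cert?(key_pem, cert_pem)
  OpenSSL::X509::Certificate.new(cert_pem).check_private_key(OpenSSL::PKey.read(key_pem))
end

# Dotted OIDs listed in the Extended Key Usage extension, or nil when the extension is absent.
def eku_oids(cert)
  ext = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  return nil unless ext
  # Extension DER is SEQUENCE { OID, [critical BOOLEAN], OCTET STRING }; the octet string
  # wraps a SEQUENCE OF OBJECT IDENTIFIER, which is what we actually want.
  wrapper = OpenSSL::ASN1.decode(ext.to_der)
  OpenSSL::ASN1.decode(wrapper.value.last.value).value.map(&:oid)
end

# Check 2: can this leaf be presented by a TLS server? No EKU at all means unrestricted;
# an EKU that lists only clientAuth is exactly the failing certificate from the answer.
def server_auth_cert?(cert_pem)
  oids = eku_oids(OpenSSL::X509::Certificate.new(cert_pem))
  oids.nil? || oids.include?(SERVER_AUTH_OID)
end

# Split a PEM bundle (the output of `openssl pkcs7 ... -print_certs`, or a combined crt).
def parse_bundle(bundle_pem)
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Check 3: the bundle is ordered leaf first, each certificate signed by the one after it.
def chain_leaf_first?(bundle_pem)
  certs = parse_bundle(bundle_pem)
  return false if certs.empty?
  certs.each_cons(2).all? do |child, parent|
    child.issuer == parent.subject && child.verify(parent.public_key)
  end
end

# Reorder an arbitrary bundle into the leaf-first order that cert_chain_file expects:
# start at the cert nobody else was issued by, then follow issuers up to the root.
def order_leaf_first(bundle_pem)
  certs = parse_bundle(bundle_pem)
  issued_subjects = certs.map { |c| c.issuer.to_s }
  leaf = certs.find { |c| c.issuer != c.subject && !issued_subjects.include?(c.subject.to_s) }
  ordered = [leaf || certs.first]
  while (parent = certs.find { |c| !c.equal?(ordered.last) && c.subject == ordered.last.issuer })
    ordered << parent
    break if parent.issuer == parent.subject # reached the self-signed root
  end
  ordered.map(&:to_pem).join
end

# Constructed sample PKI (root -> Enterprise CA -> leaf); leaf_eku is an openssl EKU name.
def build_sample_pki(leaf_eku)
  root_key, ca_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('/DC=com/DC=example/CN=Example Root CA 1', root_key, 1, ca: true)
  ca   = make_cert('/DC=com/DC=example/CN=Example Enterprise CA 1', ca_key, 2,
                   issuer_cert: root, issuer_key: root_key, ca: true)
  leaf = make_cert('/C=PL/O=Example/CN=www.example.com', leaf_key, 3,
                   issuer_cert: ca, issuer_key: ca_key, eku: leaf_eku)
  { leaf_key: leaf_key.to_pem, other_key: ca_key.to_pem,
    leaf: leaf.to_pem, ca: ca.to_pem, root: root.to_pem }
end

if __FILE__ == $0
  pki = build_sample_pki('serverAuth')
  wrong_order = pki[:root] + pki[:ca] + pki[:leaf] # root-first, as -print_certs may emit it
  puts "key matches leaf:      #{key_matches_cert?(pki[:leaf_key], pki[:leaf])}"
  puts "leaf has serverAuth:   #{server_auth_cert?(pki[:leaf])}"
  puts "bundle leaf-first:     #{chain_leaf_first?(wrong_order)}"
  puts "after reordering:      #{chain_leaf_first?(order_leaf_first(wrong_order))}"
end
```

Run the three checks against private.key and comb.crt before pointing start_tls at them: the key check would have confirmed the Apache FAQ result, the EKU check would have flagged the clientAuth-only certificate immediately, and the order check (or the reordering helper) covers the leaf-first requirement noted in the answer.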
