Connection not secure with correct SSL certificate (Websockets)
Problem description
The SSL certificate has been correctly issued for https://www.govtschemes.in
However I've Websocket servers based on Python and Nodejs which use the same domain (just to save domain+SSL costs) but at different port 31333
So in WebSocket server it binds as: wss://www.govtschemes.in:31333
In some Firefox browsers, Websocket client is able to contact those servers without any problem. But with most Firefox browsers they are not. For them I type https://www.govtschemes.in:31333 in address bar and confirm security exception. Then it starts working properly.
As per Comodo site SSL certificate will work for multiple ports (31333).
Then why do I (or my clients) need to make this security exception for wss://www.govtschemes.in:31333 so that Javascript Browser clients code can contact the Websocket remote servers?
This is a misconfiguration of the server. It sends only the leaf certificate but not the chain certificates.
$ openssl s_client -connect www.govtschemes.in:31333
...
Certificate chain
0 s:CN = govtschemes.in
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
Contrary to this the server in port 443 (i.e. default https) sends everything:
$ openssl s_client -connect www.govtschemes.in:443
...
Certificate chain
0 s:CN = govtschemes.in
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
Note that just because you use the same certificate on different servers does not mean that the SSL connection to the servers will behave the same. These are different servers which serve different certificate chains and also support different TLS versions.
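An added example (not part of the original answer): a Python check that parses the "Certificate chain" section of `openssl s_client` output and flags the leaf-only chain seen on port 31333. The function names are hypothetical, the sample inputs are the chain listings quoted in the answer, and the leaf-only test is a heuristic.

```python
import re

SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s*i:(.*)$")          # "   i:<issuer>"

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_chain, subject = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break                              # end of the chain section
        elif in_chain and SUBJECT.match(line):
            subject = SUBJECT.match(line).group(1).strip()
        elif in_chain and subject is not None and ISSUER.match(line):
            chain.append((subject, ISSUER.match(line).group(1).strip()))
            subject = None
    return chain

def audit_chain(chain):
    """Return a list of problems; an empty list means the chain looks complete."""
    if not chain:
        return ["no certificates found"]
    problems = []
    # Each certificate must be followed by the certificate of its issuer.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"out of order: expected '{issuer}' next, got '{next_subject}'")
    subject, issuer = chain[0]
    # Heuristic (assumption): a lone, non-self-signed certificate is a leaf
    # whose intermediate was not sent.
    if len(chain) == 1 and subject != issuer:
        problems.append(f"leaf only: intermediate '{issuer}' is not sent")
    return problems

SECTIGO = "C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA"
USERTRUST = "C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority"
ADDTRUST = "C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root"

# Chain sections as quoted in the answer above (ports 31333 and 443).
PORT_31333 = f"Certificate chain\n 0 s:CN = govtschemes.in\n   i:{SECTIGO}\n---\n"
PORT_443 = (f"Certificate chain\n 0 s:CN = govtschemes.in\n   i:{SECTIGO}\n"
            f" 1 s:{SECTIGO}\n   i:{USERTRUST}\n 2 s:{USERTRUST}\n   i:{ADDTRUST}\n---\n")

if __name__ == "__main__":
    for name, text in (("31333", PORT_31333), ("443", PORT_443)):
        print(name, audit_chain(parse_chain(text)) or "chain looks complete")
```

On the server side the fix is to serve the leaf followed by its intermediate: Python's `ssl.SSLContext.load_cert_chain` and the `cert` option of Node's `tls.createSecureContext` both accept PEM data containing the leaf certificate followed by the intermediate certificates.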