"verify error:num=20" when connecting to gateway.sandbox.push.apple.com

Question

I am attempting to run the Ray Wenderlich tutorial found at Apple Push Notification Services in iOS 6 Tutorial: Part 1/2.

I created an AppID and SSL certificate and keys and PEM files in a local directory. Afterwards, I got to the step to test whether the certificate works, and I invoked the following command from this local directory:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
    -cert PushChatCert.pem -key PushChatKey.pem

This produced a lot of output. In the middle of the output was the following:

verify error:num=20:unable to get local issuer certificate
verify return:0

Is this an error, or is this a test for an error? If it's an error, what would be the cause, or what would you suggest to resolve it?

Here is the complete output (less the certificate data):

Enter pass phrase for PushChatKey.pem:    
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----

<Long string of data removed>

-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2731 bytes and written 2215 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: <removed>
    Key-Arg   : None
    Start Time: 1398633302
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The tutorial goes on to say that "If the connection is successful, you should be able to type a few characters. When you press enter, the server should disconnect." I was able to do this and the server disconnected.

But the tutorial goes on to say that you may have to look through the output to find an error. Hence the reason for this question.

Recommended answer

This produced a lot of output. In the middle of the output was the following:

verify error:num=20:unable to get local issuer certificate
verify return:0

You are missing a root certificate, and it should be specified either with -CAfile or with -CApath.

However, you may encounter a handshake alert after you fix the root certificate issue. I believe it's a client certificate issue caused by me not having one (hence you may not experience it). Below, 0x14094410 is the OpenSSL error, and the SSL error (from the TLS protocol) is simply SSL alert number 40. Alert 40 is the handshake alert, and there's no additional information.

First

Determine the root you need:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140067272132264:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140067272132264:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)

So you need Entrust.net Certification Authority (2048). You can download it from Entrust Root Certificates. It's named entrust_2048_ca.cer and it appears to be in PEM format.

Second

Now, run openssl s_client again, but this time with -CAfile entrust_2048_ca.cer. Notice it completes with a Verify return code: 0 (ok):

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer 
CONNECTED(00000003)
depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify return:1
depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.sandbox.push.apple.com
verify return:1
140642906502824:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140642906502824:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----

<Long string of data removed>

-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2683 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: A2F375CC440179ADF831179C32A35AF4...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1398721005
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Third

This is kind of the old way of doing things, back when SSLv3 was still popular. That is, the POODLE attack was unknown:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CAfile entrust_2048_ca.cer 

You should probably switch to TLS 1.0 or above and use Server Name Indication (SNI). SNI is a TLS feature not present in SSL. You might need to force TLS 1.2 in 2016; and you can do so with -tls1_2.

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
  -tls1 -servername gateway.sandbox.push.apple.com -CAfile entrust_2048_ca.cer

Below is information from other comments and answers. I'm gathering them up for convenience. You should upvote the comment or answer as appropriate.

Client certificate

Korbbit provides additional information below. It addresses the statement I made, "alert handshake failure ... I believe it's a client certificate issue caused by me not having one". You should provide feedback for Korbbit if it's helpful to you:

if you look at the tutorial again you are meant to type...
-cert PushChatCert.pem -key PushChatKey.pem

With Korbbit's feedback, the answer becomes:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 \
  -tls1 -servername gateway.sandbox.push.apple.com \
  -cert PushChatCert.pem -key PushChatKey.pem -CAfile entrust_2048_ca.cer

ca-certificates bundle and -CApath

From Timur Bakeyev: Entrust.net is a well-known Root Certificate Authority, so its certificate comes in the common CA certificates bundle (ca-certificates in Debian). It is usually installed, among others, into the /etc/ssl/certs directory and, alternatively, can be referred to with the -CApath /etc/ssl/certs/ option.

You can use -CApath in place of -CAfile as follows.

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -CApath /etc/ssl/certs/
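The script below is an added example, not part of the original question or answer. It reproduces the verify error 20 condition (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) offline with a locally generated root, intermediate and leaf chain, then shows that the same chain verifies once the root is supplied with -CAfile or through a -CApath directory, and what such a directory has to look like (certificates stored under their subject-hash name, which is what c_rehash produces for /etc/ssl/certs). The certificate names (Example root, Example int, Example leaf), the cadir directory and the ca.ext file are all constructed for this example; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original Q&A): reproduce "unable to get local
# issuer certificate" with a constructed root -> intermediate -> leaf chain,
# then verify the chain with -CAfile and with -CApath. Requires openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build the three-tier chain. Both CA certificates get CA:TRUE so that OpenSSL
# accepts them as issuers; the leaf is an ordinary end-entity certificate and
# plays the role of the gateway.sandbox.push.apple.com certificate.
make_chain() {
  printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
                'keyUsage = critical, keyCertSign, cRLSign' > ca.ext
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
      -out "$name.csr" -subj "/CN=Example $name" >/dev/null 2>&1
  done
  # Self-signed root CA (the trust anchor the question was missing)
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem >/dev/null 2>&1
  # Intermediate CA signed by the root (the "depth=1" certificate)
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem >/dev/null 2>&1
  # Leaf signed by the intermediate (the "depth=0" server certificate)
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.pem >/dev/null 2>&1
  # A -CApath directory holds each CA under its subject hash plus ".0";
  # this is the layout c_rehash / openssl rehash produce for /etc/ssl/certs.
  mkdir cadir
  cp root.pem "cadir/$(openssl x509 -hash -noout -in root.pem).0"
}

# Same situation as the s_client output in the question: the server sends the
# leaf and the intermediate, but nothing local can issue the intermediate, so
# chain building stops at depth 1 with verify error 20.
# Returns 0 when that specific error is reported, 1 otherwise.
verify_without_root() {
  out="$(openssl verify -untrusted int.pem leaf.pem 2>&1 || true)"
  case "$out" in
    *"unable to get local issuer certificate"*) return 0 ;;
    *) return 1 ;;
  esac
}

# The fix from the answer: name the root explicitly with -CAfile.
verify_with_cafile() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}

# The alternative from the answer: a hash-named directory of roots via -CApath.
verify_with_capath() {
  openssl verify -CApath cadir -untrusted int.pem leaf.pem >/dev/null 2>&1
}

make_chain
verify_without_root && echo "no root:  error 20, unable to get local issuer certificate"
verify_with_cafile  && echo "-CAfile:  chain verifies"
verify_with_capath  && echo "-CApath:  chain verifies"
```

openssl verify reports the condition as "error 20 at 1 depth lookup"; s_client reports the same verify code as "verify error:num=20". Note that s_client only reports verification problems and still completes the handshake, which is why the question's output ends with "Verify return code: 0 (ok)" after a verify error; add -verify_return_error to s_client if you want verification failures to abort the connection instead.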
