Can't verify CA certificate unless CApath or CAfile used


Problem description

I'm having trouble getting OpenSSL to connect to a server because of trust issues. I placed the CA certificate in /etc/ssl/certs/ and ran sudo c_rehash, and I can see that the correct file has been made. I can see that the CA certificate is in ca-certificates.crt. However, if I run:

openssl s_client -connect servername.domain.com:636

The command fails with Verify return code: 21 (unable to verify the first certificate)

If I do:

openssl s_client -connect servername.domain.com:636 -CApath /etc/ssl/certs/

I get Verify return code: 0 (ok)

What can I do so I don't have to specify the CApath?

I'm using Ubuntu 13.04.

Recommended answer

OpenSSL connect to a server because of trust issues.

Unlike browsers, which trust nearly everything from anybody, OpenSSL trusts nothing by default.

It's up to you to determine what should be trusted. You will have to specify something when using OpenSSL and s_client.

If you are working programmatically with the OpenSSL API, you have more options. But this appears to be related to using the OpenSSL commands.

What can I do so I don't have to specify the CApath?

You can use the CAfile. It avoids the rehash, and it creates a 1:1 mapping for trust of the domain. That is, you only trust one issuer for the domain in question. If any other issuer claims to be the issuer, you won't trust the issuer or the server.

You can see how to extract the needed info from OpenSSL's s_client and use CAfile at How to Grab SSL Certificate in OpenSSL.

When using all the certificates present in CApath, you trust any issuer, even if it's not the real issuer. This has happened in the past and it's bad.

The corner case is where a bad guy compromises the CA you trust and issues phony certificates for the domain. This has happened in the past too, and it's bad.

In the two negative cases above, you can forgo conferring trust to DNS and CAs and use a security diversification technique like certificate or public key pinning. If there's a pre-existing relationship between you and the site, then you know the expected public key of the server. In this case, there's no need to trust a CA.
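The three trust models the answer contrasts (a single issuer via CAfile, the whole CApath store, and a public key pin), as an added shell example that is not part of the answer; it builds a constructed throwaway CA and server certificate locally with openssl, so no network or real CA is involved.

```shell
#!/bin/sh
# Constructed demo (not the answer's code): a throwaway CA, an unrelated CA,
# and a server certificate signed by the first, all built in a temp dir.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout ca.key -out ca.pem -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout other.key -out other.pem -subj "/CN=Unrelated CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout srv.key -out srv.csr -subj "/CN=servername.domain.com" 2>/dev/null
  openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -out srv.pem 2>/dev/null
}

# 0 when srv.pem chains to the single issuer in the given file, else 1.
# This is the 1:1 trust the answer describes: only that issuer is trusted.
verify_with_cafile() {
  openssl verify -CAfile "$1" srv.pem >/dev/null 2>&1
}

# 0 when the default store (CApath, /etc/ssl/certs on Ubuntu) accepts it.
# Our constructed CA is not there, so this is the "return code: 21" case.
verify_with_defaults() {
  openssl verify srv.pem >/dev/null 2>&1
}

# Public key pin: base64(sha256(DER SubjectPublicKeyInfo)) of a certificate.
# Comparing this to a value learned out of band needs no CA at all.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

make_test_pki
echo "CAfile = issuing CA:   $(verify_with_cafile ca.pem    && echo ok || echo fail)"
echo "CAfile = unrelated CA: $(verify_with_cafile other.pem && echo ok || echo fail)"
echo "default trust store:   $(verify_with_defaults         && echo ok || echo fail)"
echo "server SPKI pin:       $(spki_pin srv.pem)"
```

The first line reports ok and the next two fail, which is exactly the behaviour the answer predicts for a single-issuer CAfile versus a store that does not contain the real issuer.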
