使用https连接到具有由我创建的CA签名的证书的服务器 [英] Connecting using https to a server with a certificate signed by a CA I created

问题描述

我有一个使用Ruby通过https连接驱动服务器的测试环境。由于最新版本的Ruby拒绝连接到具有无效证书的https服务器（请参阅我之前的这个问题）我想开始使用更新版本的Ruby，我正在尝试设置一个有效的证书。

I have a test environment that uses Ruby to drive a server over an https connection. Since the latest versions of Ruby refuse to connect to an https server with an invalid certificate (see this earlier question of mine) and I would like to start using a newer version of Ruby, I am trying to set up a valid certificate.

我已经创建了一个要使用的CA证书（有多个服务器正在测试，所以这似乎更容易），并已成功使用它来签署一个新证书已安装在服务器上并正在使用中。我已将CA证书添加到浏览器商店，它（浏览器）现在将连接到服务器而无需投诉。所以我相信我的证书是有效的并且设置正确。

I have created a CA certificate to use (there are multiple servers being tested so this seems the easier way), and have successfully used it to sign a new certificate which has been installed on a server and is being used. I have added the CA certificate to the browser store and it (the browser) will now connect to the server without complaint. So I am confident my certificates are valid and set up correctly.

我知道Ruby不使用与浏览器相同的商店。我使用了此处提供的CA文件来测试与其他（公共）服务器的连接（使用 Net :: HTTP #ca_file = 方法设置，这也有效。

I know that Ruby does not use the same store as the browser. I have used the CA file available here to test connecting to other (public) servers (set using the Net::HTTP#ca_file= method) and this also works.

我无法达到的目的工作是Ruby使用我的证书连接到我的服务器。我已经尝试了各种方法将它指向我的证书（包括将我的证书添加到上面链接的文件）并且它总是给出相同的错误：

What I cannot get to work is Ruby connecting to my server using my certificate. I have tried various ways of pointing it at my certificate (including adding my certificate to the file linked above) and it always gives the same error:

SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (OpenSSL::SSL::SSLError)

我需要做些什么才能说服Ruby接受我的证书并连接到我的服务器？

What do I have to do to convince Ruby to accept my certificate and connect to my server?

我使用的代码是：

require 'net/https'

uri = URI.parse("https://hostname/index.html")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = "My CA cert file"
request = Net::HTTP::Get.new(uri.path)
response = http.request(request)

我认为这是错误的。我想知道的是，我该怎么做才能使用我的CA证书？

I'm assuming this is wrong somehow. What I want to know is, what should I do to use my CA certificate?

推荐答案

我认为你的Tomcat没有就像Ruby试图协商的协议版本一样。 Ruby默认使用 SSLv23 ，但我听说过其他情况基于Java的Web服务器的问题。您收到的错误消息表示在设置连接并尝试读取服务器响应时握手失败。尝试添加

I assume that your Tomcat doesn't like the protocol version that Ruby tries to negotiate. Ruby uses SSLv23 by default, but I've heard other cases where this was a problem for Java-based web servers. The error message you are getting indicates that the handshake fails while setting up the connection and trying to read the server's response. Try adding either

http.ssl_version = :TLSv1

或

http.ssl_version = :SSLv3

并查看是否已经有所帮助。

and see if that already helps.

如果这还没有解决问题，那么了解服务器拒绝连接尝试的原因会非常有趣。尝试使用 -Djavax.net.debug = ssl 运行Tomcat，并发布相关部分（连接信息，异常堆栈跟踪）以了解尝试失败的原因。

If this does not fix the problem yet, it would be very interesting to see why your server rejects the connection attempt. Try running your Tomcat with -Djavax.net.debug=ssl and please post the relevant parts (connection information, exception stacktrace) as to why the attempt fails.

这篇关于使用https连接到具有由我创建的CA签名的证书的服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！